From 4537ee85c575c20cb77050b5738b1063e0cc4148 Mon Sep 17 00:00:00 2001
From: Guilherme Branco Stracini
Date: Thu, 18 Jun 2026 14:25:34 +0100
Subject: [PATCH 1/2] refactor: improve SQL query preparation in get_all_for_export

Modify the get_all_for_export function to always use $wpdb->prepare for SQL query preparation, improving consistency and reducing the risk of SQL injection. Previously, the function used a conditional approach where $wpdb->prepare would not be called if no $values were present. This change ensures that query preparation is uniform, which enhances security and maintains best practices in database interaction.
---
 includes/class-sva-db.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/includes/class-sva-db.php b/includes/class-sva-db.php
index b16c4ad..435620a 100644
--- a/includes/class-sva-db.php
+++ b/includes/class-sva-db.php
@@ -393,11 +393,10 @@ public static function get_all_for_export( array $args = array() ): array {
 $sql = "SELECT * FROM {$table} {$where_sql} ORDER BY {$orderby} {$order}"; // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
- if ( $values ) {
- $rows = $wpdb->get_results( $wpdb->prepare( $sql, ...$values ), ARRAY_A ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching,WordPress.DB.PreparedSQL.NotPrepared,PluginCheck.Security.DirectDB.UnescapedDBParameter
- } else {
- $rows = $wpdb->get_results( $sql, ARRAY_A ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching,WordPress.DB.PreparedSQL.NotPrepared,WordPress.DB.PreparedSQL.InterpolatedNotPrepared
- }
+ $prepared = $values
+ ? $wpdb->prepare( $sql, ...$values ) // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+ : $wpdb->prepare( $sql ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+ $rows = $wpdb->get_results( $prepared, ARRAY_A ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching
 return is_array( $rows ) ? $rows : array();
 }

From 9f2cecd5b4605b4be54df9032fb1cdcd5dfe94ed Mon Sep 17 00:00:00 2001
From: Guilherme Branco Stracini
Date: Thu, 18 Jun 2026 14:32:33 +0100
Subject: [PATCH 2/2] refactor: simplify query preparation logic in get_all_for_export

Simplify the query preparation logic in the get_all_for_export function by eliminating the separate assignment of the $prepared variable. This change directly prepares the SQL query in the conditional block where $values are checked, streamlining the code and improving readability. The refactoring ensures that prepared statements are used consistently while maintaining the same functionality.
---
 includes/class-sva-db.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/includes/class-sva-db.php b/includes/class-sva-db.php
index 435620a..8360116 100644
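Review bot: The new else arm `: $wpdb->prepare( $sql )` passes a query with no `%` placeholders to prepare(), and wpdb::prepare() answers that with a `_doing_it_wrong()` notice ("must have a placeholder", in core since WordPress 3.9) rather than any added safety; with nothing to bind it has nothing to escape, and it would also misread a literal `%` if `$where_sql` ever carries one, so this does not reduce the injection risk the commit message claims. Everything that reaches the query string — `$table`, `$where_sql`, `$orderby`, `$order` — is interpolated on the `$sql` context line before prepare() runs, so its safety rests entirely on how those values are validated earlier in get_all_for_export, which starts outside this hunk (presumably an allow-list for `$orderby`/`$order` and a `$wpdb->prefix`-derived `$table`; I cannot see it). I would keep the original direct `$wpdb->get_results( $sql, ARRAY_A )` for the empty-`$values` case and state the contract on the `$sql` line: `// $table/$orderby/$order are identifiers and cannot be bound by prepare(); they must be allow-listed above.` PATCH 2/2 keeps the same `$wpdb->prepare( $sql )` call in its else branch and inherits this point.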
--- a/includes/class-sva-db.php
+++ b/includes/class-sva-db.php
@@ -393,10 +393,11 @@ public static function get_all_for_export( array $args = array() ): array {
 $sql = "SELECT * FROM {$table} {$where_sql} ORDER BY {$orderby} {$order}"; // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
- $prepared = $values
- ? $wpdb->prepare( $sql, ...$values ) // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
- : $wpdb->prepare( $sql ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
- $rows = $wpdb->get_results( $prepared, ARRAY_A ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching
+ if ( $values ) {
+ $rows = $wpdb->get_results( $wpdb->prepare( $sql, ...$values ), ARRAY_A ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching,WordPress.DB.PreparedSQL.NotPrepared
+ } else {
+ $rows = $wpdb->get_results( $wpdb->prepare( $sql ), ARRAY_A ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching,WordPress.DB.PreparedSQL.NotPrepared
+ }
 return is_array( $rows ) ? $rows : array();
 }
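Review bot: The restored `if ( $values )` branch is redundant: when `$values` is empty, `...$values` spreads no arguments, so `$wpdb->prepare( $sql, ...$values )` in the first arm is exactly the `$wpdb->prepare( $sql )` call made in the else arm. If the intent is to always route through prepare(), the two arms collapse to one line, `$rows = $wpdb->get_results( $wpdb->prepare( $sql, ...$values ), ARRAY_A ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching,WordPress.DB.PreparedSQL.NotPrepared`, with a single phpcs:ignore list to maintain. Whether a placeholder-free `$sql` should be passed to prepare() at all is raised on PATCH 1/2 and still applies here. The net effect of the two-patch series against the base is only the prepare() wrapper added in the else arm, which a message saying "simplify" does not convey; one sentence stating that in the commit message would help the next reader. get_all_for_export starts before this hunk.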