diff --git a/admin/class-coupon-admin.php b/admin/class-coupon-admin.php index 6dfbcb0..7817529 100644 --- a/admin/class-coupon-admin.php +++ b/admin/class-coupon-admin.php @@ -117,13 +117,13 @@ public function options_admin() public function create_coupon() { check_ajax_referer($this->plugin_prefix . $this->plugin_name . '_create_nonce'); - if (!$_POST['action'] || $_POST['action'] !== 'oms_coupon_create' || !current_user_can('administrator')) { + if (get_request_parameter('action') !== 'oms_coupon_create' || !current_user_can('administrator')) { header('Status: 403 Forbidden', true, 403); wp_die(); } $user_id = get_current_user_id(); - $code = sanitize_key($_POST['code']); + $code = sanitize_key(get_request_parameter('code')); global $wpdb; $findOne = $wpdb->get_row($wpdb->prepare( @@ -137,14 +137,19 @@ public function create_coupon() ], 400); } - $type = in_array($_POST['type'], ['percentage', 'numeric']) ? $_POST['type'] : 'percentage'; - $value = !empty($_POST['value']) ? intval($_POST['value']) : null; - $limit = !empty($_POST['limit']) ? intval($_POST['limit']) : null; - $activated_at = !empty($_POST['activated_at']) ? tz_strtodate($_POST['activated_at']) : null; - $expired_at = !empty($_POST['expired_at']) ? tz_strtodate($_POST['expired_at']) : null; + $type = get_request_parameter('type', 'percentage'); + $type = in_array($type, ['percentage', 'numeric'], true) ? $type : 'percentage'; + $value = get_request_parameter('value'); + $value = !$value ? null : intval($value); + $limit = get_request_parameter('limit'); + $limit = !$limit ? null : intval($limit); + $activated_at = get_request_parameter('activated_at'); + $activated_date = !$activated_at ? null : tz_strtodate($activated_at); + $expired_at = get_request_parameter('expired_at'); + $expired_date = !$expired_at ? null : tz_strtodate($expired_at); if ( !is_null($activated_at) && !is_null($expired_at) - && tz_strtodate($_POST['activated_at'], true) > tz_strtodate($_POST['expired_at'], true) + && tz_strtodate($activated_at, true) > tz_strtodate($expired_at, true) ) { wp_send_json([ 'status' => 'error', @@ -157,8 +162,8 @@ public function create_coupon() 'type' => $type, 'value' => $value, 'limit' => $limit, - 'activated_at' => $activated_at, - 'expired_at' => $expired_at, + 'activated_at' => $activated_date, + 'expired_at' => $expired_date, 'created_by' => $user_id, ]; $wpdb->insert( diff --git a/admin/partials/coupon-admin-table.php b/admin/partials/coupon-admin-table.php index 046767a..97fd84d 100644 --- a/admin/partials/coupon-admin-table.php +++ b/admin/partials/coupon-admin-table.php @@ -187,7 +187,7 @@ protected function column_cb($item) */ protected function column_code($item) { - $page = wp_unslash($_REQUEST['page']); + $page = get_request_parameter('page', 1); // Build hide row action. $hide_query_args = [ @@ -297,9 +297,13 @@ protected function get_bulk_actions() protected function process_bulk_action() { global $wpdb; - if (isset($_GET[$this->_args['singular']])) { - $coupon_params = wp_unslash($_GET[$this->_args['singular']]); - $ids = is_array($coupon_params) ? implode(',', $coupon_params) : $coupon_params; + + if (isset($_REQUEST[$this->_args['singular']])) { + $coupon_params = get_request_parameter($this->_args['singular']); + $ids = is_array($coupon_params) + ? implode(',', array_map('intval', $coupon_params)) + : intval($coupon_params); + switch ($this->current_action()) { case 'hide': $wpdb->query($wpdb->prepare( @@ -382,16 +386,18 @@ public function prepare_items() $this->process_bulk_action(); // If no sort, default to ID. - $orderby = !empty($_REQUEST['orderby']) && in_array($_REQUEST['orderby'], $sortable, true) ? $_REQUEST['orderby'] : 'ID'; - $order = !empty($_REQUEST['order']) && 'ASC' === strtoupper($_REQUEST['order']) ? 'ASC' : 'DESC'; + $orderby = get_request_parameter('orderby', 'ID'); + if (!in_array($orderby, array_keys($sortable), true)) { + $orderby = 'ID'; + } + $order = 'ASC' === strtoupper(get_request_parameter('order')) ? 'ASC' : 'DESC'; $orderby_sql = 'c.' . sanitize_sql_orderby("{$orderby} {$order}"); /* * GET THE DATA! */ $data = $wpdb->get_results($wpdb->prepare( - " - SELECT + "SELECT c.ID, c.code, c.type, c.value, c.limit, c.activated_at, c.expired_at, GROUP_CONCAT(u.display_name SEPARATOR ', ') AS used_by, COUNT(u.ID) AS number_of_uses FROM {$wpdb->prefix}oms_coupons AS c @@ -399,10 +405,8 @@ public function prepare_items() LEFT JOIN {$wpdb->prefix}users AS u ON cu.user_id = u.ID WHERE c.active = 1 GROUP BY c.ID, c.code, c.type, c.value, c.limit, c.activated_at, c.expired_at - ORDER BY %s - LIMIT %d OFFSET %d - ", - $orderby_sql, + ORDER BY {$orderby_sql} + LIMIT %1\$d OFFSET %2\$d", $per_page, $offset_page, ), ARRAY_A); diff --git a/public/class-coupon-public.php b/public/class-coupon-public.php index af2f8b2..f7d9c94 100644 --- a/public/class-coupon-public.php +++ b/public/class-coupon-public.php @@ -140,15 +140,13 @@ public function oms_shortcode_func($atts = [], $content = null, $tag = '') global $wpdb; $findOne = $wpdb->get_row($wpdb->prepare( - " - SELECT + "SELECT c.ID, c.code, c.type, c.value, c.limit, c.activated_at, c.expired_at, COUNT(cu.user_id) AS number_of_uses, GROUP_CONCAT(cu.user_id SEPARATOR ',') AS used_by_id FROM {$wpdb->prefix}oms_coupons AS c LEFT JOIN {$wpdb->prefix}oms_coupons_user AS cu ON cu.oms_coupon_id = c.ID WHERE c.ID = %d AND c.active = 1 - GROUP BY c.ID, c.code, c.type, c.value, c.limit, c.activated_at, c.expired_at - ", + GROUP BY c.ID, c.code, c.type, c.value, c.limit, c.activated_at, c.expired_at", $coupon_id, ), OBJECT); @@ -218,13 +216,17 @@ public function options_user() public function save_coupon() { check_ajax_referer($this->plugin_prefix . $this->plugin_name . '_save_nonce'); - if (!$_POST['action'] || $_POST['action'] !== 'oms_coupon_save') { + if (get_request_parameter('action') !== 'oms_coupon_save') { header('Status: 403 Forbidden', true, 403); wp_die(); } $user_id = get_current_user_id(); - $coupon_id = intval($_POST['id']); + $coupon_id = intval(get_request_parameter('id')); + if (!$coupon_id) { + header('Status: 400 Bad Request', true, 400); + wp_die(); + } $now = tz_strtodate('now'); global $wpdb; diff --git a/public/partials/coupon-public-table.php b/public/partials/coupon-public-table.php index 5bf6b71..9c17df6 100644 --- a/public/partials/coupon-public-table.php +++ b/public/partials/coupon-public-table.php @@ -188,7 +188,7 @@ protected function column_cb($item) protected function column_code($item) { $user_id = get_current_user_id(); - $page = wp_unslash($_REQUEST['page']); + $page = get_request_parameter('page', 1); if ($item['user_id'] == $user_id) { // Build hide row action. @@ -287,13 +287,16 @@ protected function process_bulk_action() global $wpdb; $user_id = get_current_user_id(); - if (isset($_GET[$this->_args['singular']])) { - $coupon_params = wp_unslash($_GET[$this->_args['singular']]); - $ids = is_array($coupon_params) ? implode(',', $coupon_params) : $coupon_params; + if (isset($_REQUEST[$this->_args['singular']])) { + $coupon_params = get_request_parameter($this->_args['singular']); + $ids = is_array($coupon_params) + ? implode(',', array_map('intval', $coupon_params)) + : intval($coupon_params); if ($this->current_action() === 'hide') { $wpdb->query($wpdb->prepare( - "UPDATE {$wpdb->prefix}oms_coupons_user SET active = 0 WHERE oms_coupon_id IN(%s) AND user_id = %d", + "UPDATE {$wpdb->prefix}oms_coupons_user SET active = 0 + WHERE oms_coupon_id IN(%s) AND user_id = %d", $ids, $user_id, )); @@ -301,7 +304,8 @@ protected function process_bulk_action() if ($this->current_action() === 'delete' && current_user_can('administrator')) { $wpdb->query($wpdb->prepare( - "DELETE FROM {$wpdb->prefix}oms_coupons_user WHERE oms_coupon_id IN(%s)", + "DELETE FROM {$wpdb->prefix}oms_coupons_user + WHERE oms_coupon_id IN(%s)", $ids, )); } @@ -342,7 +346,9 @@ public function prepare_items() */ $total_items = $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->prefix}oms_coupons_user WHERE active = 1" - . current_user_can('administrator') ? '' : $wpdb->prepare(" AND user_id = %d", $user_id) + . current_user_can('administrator') + ? '' + : $wpdb->prepare(" AND user_id = %d", $user_id) ); /* @@ -371,46 +377,43 @@ public function prepare_items() $this->process_bulk_action(); // If no sort, default to user_id. - $orderby = !empty($_REQUEST['orderby']) && in_array($_REQUEST['orderby'], $sortable, true) ? $_REQUEST['orderby'] : 'user_id'; - $orderby = ($orderby === 'saved_at' || $orderby === 'user_id' + $orderby = get_request_parameter('orderby', 'user_id'); + if (!in_array($orderby, array_keys($sortable), true)) { + $orderby = 'user_id'; + } + $alias = ($orderby === 'saved_at' || $orderby === 'user_id' ? 'cu.' : ($orderby === 'display_name' ? 'u.' : 'c.') - ) . $orderby; - $order = !empty($_REQUEST['order']) && 'DESC' === strtoupper($_REQUEST['order']) ? 'DESC' : 'ASC'; - $orderby_sql = sanitize_sql_orderby("{$orderby} {$order}"); + ); + $order = 'DESC' === strtoupper(get_request_parameter('order')) ? 'DESC' : 'ASC'; + $orderby_sql = $alias . sanitize_sql_orderby("{$orderby} {$order}"); /* * GET THE DATA! */ if (current_user_can('administrator')) { $data = $wpdb->get_results($wpdb->prepare( - " - SELECT + "SELECT c.ID, c.code, c.type, c.value, c.expired_at, cu.saved_at, cu.user_id, u.display_name FROM {$wpdb->prefix}oms_coupons AS c LEFT JOIN {$wpdb->prefix}oms_coupons_user AS cu ON cu.oms_coupon_id = c.ID LEFT JOIN {$wpdb->prefix}users AS u ON cu.user_id = u.ID WHERE cu.active = 1 - ORDER BY %s - LIMIT %d OFFSET %d - ", - $orderby_sql, + ORDER BY {$orderby_sql} + LIMIT %1\$d OFFSET %2\$d", $per_page, $offset_page, ), ARRAY_A); } else { $data = $wpdb->get_results($wpdb->prepare( - " - SELECT + "SELECT c.ID, c.code, c.type, c.value, c.expired_at, cu.saved_at, cu.user_id FROM {$wpdb->prefix}oms_coupons AS c LEFT JOIN {$wpdb->prefix}oms_coupons_user AS cu ON cu.oms_coupon_id = c.ID - WHERE cu.active = 1 AND user_id = %d - ORDER BY %s - LIMIT %d OFFSET %d - ", + WHERE cu.active = 1 AND user_id = %1\$d + ORDER BY {$orderby_sql} + LIMIT %2\$d OFFSET %3\$d", $user_id, - $orderby_sql, $per_page, $offset_page, ), ARRAY_A);