Escape all values before querying

kofimokome · Feb 11, 2025 · a235f67 · a235f67
1 parent e2f9ac8
commit a235f67
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 5 deletions.
diff --git a/KMBuilder.php b/KMBuilder.php
@@ -182,8 +182,7 @@ public function get( array $fields = [] ) {
 				$query .= $additions;
 				$data  = $this->getResults( $query );
 			}
-//			echo( $query );
-			// reset query variables;
+ 			// reset query variables;
 			$this->where        = '';
 			$this->orderBys     = [];
 			$this->groupBys     = [];
@@ -203,10 +202,11 @@ public function get( array $fields = [] ) {
 		public function where( string $field, string $comparison, $value, $add_table_name = true ): KMBuilder {
 			$table_name = $add_table_name ? $this->table_name . '.' : '';
 			if ( strlen( $this->where ) == 0 ) {
-
+				$value = $this->escapeValue( $value );
 				if ( ! is_numeric( $value ) ) {
 					$value = "'" . $value . "'";
 				}
+
 				$this->where = " WHERE " . $table_name . $field . " " . $comparison . " " . $value;
 
 				return $this;
@@ -221,14 +221,46 @@ public function where( string $field, string $comparison, $value, $add_table_nam
 		 */
 		public function andWhere( string $field, string $comparison, $value ): KMBuilder {
 			$table_name = $this->table_name;
+			$value      = $this->escapeValue( $value );
+
 			if ( ! is_numeric( $value ) ) {
 				$value = "'" . $value . "'";
 			}
+
 			$this->where .= " AND " . $table_name . '.' . $field . " " . $comparison . " " . $value;
 
+
 			return $this;
 		}
 
+		/**
+		 * @author kofimokome
+		 * @since 1.6.3.3
+		 */
+		private function escapeValue( $value ): string {
+			// Check if the value starts with %
+			$starts_with_percent = strpos( $value, '%' ) === 0;
+			// Check if the value ends with %
+			$ends_with_percent = strrpos( $value, '%' ) === ( strlen( $value ) - 1 );
+
+			// Remove % from the start and end of the value
+			$trimmed_value = trim( $value, '%' );
+
+			// Escape the trimmed value
+			$escaped_value = esc_sql( $trimmed_value );
+
+			// Add % back to the start and/or end if they were originally present
+			if ( $starts_with_percent ) {
+				$escaped_value = '%' . $escaped_value;
+			}
+			if ( $ends_with_percent ) {
+				$escaped_value .= '%';
+			}
+
+			return $escaped_value;
+		}
+
+
 		/**
 		 * @author kofimokome
 		 * @since 1.0.0
@@ -300,11 +332,14 @@ public function groupBy( string $field ): KMBuilder {
 		 */
 		public function orWhere( string $field, string $comparison, $value ): KMBuilder {
 			$table_name = $this->table_name;
+			$value      = $this->escapeValue( $value );
 			if ( ! is_numeric( $value ) ) {
 				$value = "'" . $value . "'";
 			}
+
 			$this->where .= " OR " . $table_name . '.' . $field . " " . $comparison . " " . $value;
 
+
 			return $this;
 		}
 
@@ -313,9 +348,12 @@ public function orWhere( string $field, string $comparison, $value ): KMBuilder
 		 * @since 1.0.0
 		 */
 		public function whereJoin( string $field, string $comparison, $value, $table ): KMBuilder {
+			$value = $this->escapeValue( $value );
+
 			if ( ! is_numeric( $value ) ) {
 				$value = "'" . $value . "'";
 			}
+
 			$this->where = " WHERE " . $table . '.' . $field . " " . $comparison . " " . $value;
 
 			return $this;
@@ -326,9 +364,12 @@ public function whereJoin( string $field, string $comparison, $value, $table ):
 		 * @since 1.0.0
 		 */
 		public function andWhereJoin( string $field, string $comparison, $value, $table ): KMBuilder {
+			$value = $this->escapeValue( $value );
+
 			if ( ! is_numeric( $value ) ) {
 				$value = "'" . $value . "'";
 			}
+
 			$this->where .= " AND " . $table . '.' . $field . " " . $comparison . " " . $value;
 
 			return $this;
@@ -339,11 +380,14 @@ public function andWhereJoin( string $field, string $comparison, $value, $table
 		 * @since 1.0.0
 		 */
 		public function orWhereJoin( string $field, string $comparison, $value, $table ): KMBuilder {
+			$value = $this->escapeValue( $value );
 			if ( ! is_numeric( $value ) ) {
 				$value = "'" . $value . "'";
 			}
+
 			$this->where .= " OR " . $table . '.' . $field . " " . $comparison . " " . $value;
 
+
 			return $this;
 		}
 
@@ -450,7 +494,7 @@ public function save(): bool {
 					$fields['created_at'] = gmdate( "Y-m-d H:i" );
 					$fields['updated_at'] = gmdate( "Y-m-d H:i" );
 				}
-				$fields['id'] = NULL;
+				$fields['id'] = null;
 				$result       = $wpdb->insert( $table_name, $fields );
 			} else { // we are updating
 				if ( $this->model->hasTimeStamps() ) {

diff --git a/WPTools.php b/WPTools.php
@@ -48,7 +48,7 @@ public static function getInstance( string $context ): WPTools {
 			$plugin          = explode( '/', $plugin_basename )[0];
 
 			if ( ! isset( self::$instances[ $plugin ] ) ) {
-				throw new Exception( 'WordPressTools instance not found' );
+				throw new Exception( 'WPTools instance not found' );
 			}
 
 			return self::$instances[ $plugin ];