Merge pull request #88 from PaystackOSS/chore/sanitize-form-fieds

Chore/sanitize form fieds

Author: lukman-paystack

admin/class-paystack-forms-admin.php

@@ -39,7 +39,7 @@ function kkd_pff_paystack_txncheck($name, $txncharge)
         }
         function kkd_pff_paystack_setting_page()
         {
-?>
+            ?>
             <div class="wrap">
                 <h1>Paystack Forms Settings</h1>
 
@@ -112,7 +112,7 @@ function kkd_pff_paystack_setting_page()
 
                 </form>
             </div>
-        <?php
+            <?php
         }
         add_action('init', 'register_kkd_pff_paystack');
         function register_kkd_pff_paystack()
@@ -231,34 +231,34 @@ function kkd_pff_paystack_dashboard_table_data($column, $post_id)
             $table = $wpdb->prefix . KKD_PFF_PAYSTACK_TABLE;
 
             switch ($column) {
-                case 'shortcode':
-                    echo '<span class="shortcode">
+            case 'shortcode':
+                echo '<span class="shortcode">
 					<input type="text" class="large-text code" value="[pff-paystack id=&quot;' . $post_id . '&quot;]"
 					readonly="readonly" onfocus="this.select();"></span>';
 
-                    break;
-                case 'payments':
+                break;
+            case 'payments':
 
-                    $count_query = 'select count(*) from ' . $table . ' WHERE post_id = "' . $post_id . '" AND paid = "1"';
-                    $num = $wpdb->get_var($count_query);
+                $count_query = $wpdb->prepare("SELECT COUNT(*) FROM {$table} WHERE post_id = %d AND paid = '1'", $post_id);
+                $num = $wpdb->get_var($count_query);
 
-                    echo '<u><a href="' . admin_url('admin.php?page=submissions&form=' . $post_id) . '">' . $num . '</a></u>';
-                    break;
-                default:
-                    break;
+                echo '<u><a href="' . admin_url('admin.php?page=submissions&form=' . $post_id) . '">' . $num . '</a></u>';
+                break;
+            default:
+                break;
             }
         }
         add_filter('default_content', 'kkd_pff_paystack_editor_content', 10, 2);
 
         function kkd_pff_paystack_editor_content($content, $post)
         {
             switch ($post->post_type) {
-                case 'paystack_form':
-                    $content = '[text name="Phone Number"]';
-                    break;
-                default:
-                    $content = '';
-                    break;
+            case 'paystack_form':
+                $content = '[text name="Phone Number"]';
+                break;
+            default:
+                $content = '';
+                break;
             }
 
             return $content;
@@ -284,18 +284,18 @@ function kkd_pff_paystack_editor_help_metabox_details($post)
 
             </div>
 
-        <?php
+            <?php
         }
         function kkd_pff_paystack_editor_shortcode_details($post)
         {
-        ?>
+            ?>
             <p class="description">
                 <label for="wpcf7-shortcode">Copy this shortcode and paste it into your post, page, or text widget content:</label>
                 <span class="shortcode wp-ui-highlight">
-                    <input type="text" id="wpcf7-shortcode" onfocus="this.select();" readonly="readonly" class="large-text code" value="[pff-paystack id=&quot;<?php echo $post->ID; ?>&quot;]"></span>
+                    <input type="text" id="wpcf7-shortcode" onfocus="this.select();" readonly="readonly" class="large-text code" value="[pff-paystack id=&quot;<?php echo esc_html($post->ID); ?>&quot;]"></span>
             </p>
 
-        <?php
+            <?php
         }
 
         add_action('add_meta_boxes', 'kkd_pff_paystack_editor_add_extra_metaboxes');
@@ -767,7 +767,7 @@ public function enqueue_scripts()
     /**
      * Add settings action link to the plugins page.
      *
-     * @since    1.0.0
+     * @since 1.0.0
      */
     public function add_action_links($links)
     {
@@ -800,17 +800,17 @@ function kkd_pff_paystack_payment_submissions()
         $data = $exampleListTable->prepare_items(); ?>
         <div id="welcome-panel" class="welcome-panel">
             <div class="welcome-panel-content">
-                <h1 style="margin: 0px;"><?php echo $obj->post_title; ?> Payments </h1>
+            <h1 style="margin: 0px;"><?php echo esc_html($obj->post_title); ?> Payments </h1>
                 <p class="about-description">All payments made for this form</p>
                 <?php if ($data > 0) {
-                ?>
+                    ?>
 
                     <form action="<?php echo admin_url('admin-post.php'); ?>" method="post">
                         <input type="hidden" name="action" value="kkd_pff_export_excel">
-                        <input type="hidden" name="form_id" value="<?php echo $id; ?>">
+                        <input type="hidden" name="form_id" value="<?php echo esc_html($id); ?>">
                         <button type="submit" class="button button-primary button-hero load-customize">Export Data to Excel</button>
                     </form>
-                <?php
+                    <?php
                 } ?>
 
                 <br><br>
@@ -820,7 +820,7 @@ function kkd_pff_paystack_payment_submissions()
             <div id="icon-users" class="icon32"></div>
             <?php $exampleListTable->display(); ?>
         </div>
-    <?php
+        <?php
     }
 }
 add_action('admin_post_kkd_pff_export_excel', 'Kkd_pff_export_excel');
@@ -843,7 +843,9 @@ function Kkd_pff_export_excel()
     }
     $table = $wpdb->prefix . KKD_PFF_PAYSTACK_TABLE;
     $data = array();
-    $alldbdata = $wpdb->get_results("SELECT * FROM $table WHERE (post_id = '" . $post_id . "' AND paid = '1')  ORDER BY `id` ASC");
+    $table = sanitize_text_field($table);
+
+    $alldbdata = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$table} WHERE post_id = %d AND paid = '1' ORDER BY `id` ASC", $post_id));
     $i = 0;
 
     if (count($alldbdata) > 0) {
@@ -927,7 +929,7 @@ public function list_table_page()
             <div id="icon-users" class="icon32"></div>
             <?php $exampleListTable->display(); ?>
         </div>
-<?php
+        <?php
     }
 }
 
@@ -970,8 +972,7 @@ public function prepare_items()
 
         $table = $wpdb->prefix . KKD_PFF_PAYSTACK_TABLE;
         $data = array();
-        $alldbdata = $wpdb->get_results("SELECT * FROM $table WHERE (post_id = '" . $post_id . "' AND paid = '1')");
-
+        $alldbdata = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$table} WHERE post_id = %d AND paid = '1'", $post_id));
         foreach ($alldbdata as $key => $dbdata) {
             $newkey = $key + 1;
             if ($dbdata->txn_code_2 != "") {
@@ -1055,15 +1056,15 @@ private function table_data($data)
     public function column_default($item, $column_name)
     {
         switch ($column_name) {
-            case 'id':
-            case 'email':
-            case 'amount':
-            case 'txn_code':
-            case 'metadata':
-            case 'date':
-                return $item[$column_name];
-            default:
-                return print_r($item, true);
+        case 'id':
+        case 'email':
+        case 'amount':
+        case 'txn_code':
+        case 'metadata':
+        case 'date':
+            return $item[$column_name];
+        default:
+            return print_r($item, true);
         }
     }
 

includes/class-paystack-forms-activator.php

@@ -3,15 +3,15 @@
 class Kkd_Pff_Paystack_Activator
 {
 
-	public static function activate()
-	{
-		global $wpdb;
-		$version = get_option('kkd_db_version', '1.0');
-		$table_name = $wpdb->prefix . KKD_PFF_PAYSTACK_TABLE;
+    public static function activate()
+    {
+        global $wpdb;
+        $version = get_option('kkd_db_version', '1.0');
+        $table_name = $wpdb->prefix . KKD_PFF_PAYSTACK_TABLE;
+        $table_name = sanitize_text_field($table_name);
+        $charset_collate = $wpdb->get_charset_collate();
 
-		$charset_collate = $wpdb->get_charset_collate();
-
-		$sql = "CREATE TABLE IF NOT EXISTS `" . $table_name . "` (
+        $sql = "CREATE TABLE IF NOT EXISTS `" . $table_name . "` (
 			id int(11) NOT NULL AUTO_INCREMENT,
 			post_id int(11) NOT NULL,
 		  	user_id int(11) NOT NULL,
@@ -30,11 +30,11 @@ public static function activate()
 		  	UNIQUE KEY id (id),PRIMARY KEY  (id)
 		) $charset_collate;";
 
-		include_once ABSPATH . 'wp-admin/includes/upgrade.php';
-		dbDelta($sql);
+        include_once ABSPATH . 'wp-admin/includes/upgrade.php';
+        dbDelta($sql);
 
-		if (version_compare($version, '2.0') < 0) {
-			$sql = "CREATE TABLE IF NOT EXISTS `" . $table_name . "` (
+        if (version_compare($version, '2.0') < 0) {
+            $sql = "CREATE TABLE IF NOT EXISTS `" . $table_name . "` (
 				id int(11) NOT NULL AUTO_INCREMENT,
 				post_id int(11) NOT NULL,
 				user_id int(11) NOT NULL,
@@ -53,34 +53,36 @@ public static function activate()
 				UNIQUE KEY id (id),PRIMARY KEY  (id)
 			) $charset_collate;";
 
-			dbDelta($sql);
+            dbDelta($sql);
 
-			update_option('kkd_db_version', '2.0');
-		}
+            update_option('kkd_db_version', '2.0');
+        }
 
 
-		$row = $wpdb->get_results(
-			"SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS
-			WHERE table_name = '" . $table_name . "' AND column_name = 'plan'"
-		);
-		if (empty($row)) {
-			$wpdb->query("ALTER TABLE `" . $table_name . "` ADD `plan` VARCHAR(255) NOT NULL AFTER `paid`;");
-		}
+        $query = $wpdb->prepare(
+            "SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name = %s AND column_name = 'plan'",
+            $table_name
+        );
+        
+        $row = $wpdb->get_results($query);
+        if (empty($row)) {
+            $wpdb->query("ALTER TABLE `" . $table_name . "` ADD `plan` VARCHAR(255) NOT NULL AFTER `paid`;");
+        }
 
-		$row1 = $wpdb->get_results(
-			"SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS
+        $row1 = $wpdb->get_results(
+            "SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS
 			WHERE table_name = '" . $table_name . "' AND column_name = 'txn_code_2'"
-		);
-		if (empty($row1)) {
-			$wpdb->query("ALTER TABLE `" . $table_name . "` ADD `txn_code_2` VARCHAR(255) DEFAULT '' NULL AFTER `txn_code`;");
-		}
+        );
+        if (empty($row1)) {
+            $wpdb->query("ALTER TABLE `" . $table_name . "` ADD `txn_code_2` VARCHAR(255) DEFAULT '' NULL AFTER `txn_code`;");
+        }
 
-		$row1 = $wpdb->get_results(
-			"SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS
+        $row1 = $wpdb->get_results(
+            "SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS
 			WHERE table_name = '" . $table_name . "' AND column_name = 'paid_at'"
-		);
-		if (empty($row1)) {
-			$wpdb->query("ALTER TABLE `" . $table_name . "` ADD `paid_at` timestamp  AFTER `created_at`;");
-		}
-	}
+        );
+        if (empty($row1)) {
+            $wpdb->query("ALTER TABLE `" . $table_name . "` ADD `paid_at` timestamp  AFTER `created_at`;");
+        }
+    }
 }

includes/paystack-invoice.php

@@ -40,7 +40,7 @@ function kkd_format_metadata($data)
 
     global $wpdb;
     $table = $wpdb->prefix.KKD_PFF_PAYSTACK_TABLE;
-    $record = $wpdb->get_results("SELECT * FROM $table WHERE (txn_code = '".$code."')");
+    $record = $wpdb->get_results($wpdb->prepare("SELECT * FROM %s WHERE txn_code = %s", $table, $code));
 
 if (array_key_exists("0", $record)) {
     get_header();
@@ -57,7 +57,7 @@ function kkd_format_metadata($data)
             <article class="post-4 page type-page status-publish hentry" id="post-4">
                 <form action="<?php echo admin_url('admin-ajax.php'); ?>" method="post"   enctype="multipart/form-data"  class="j-forms retry-form" id="pf-form" novalidate="">
                 <input type="hidden" name="action" value="kkd_pff_paystack_retry_action">
-                <input type="hidden" name="code" value="<?php echo $code; ?>" />
+                <input type="hidden" name="code" value="<?php echo esc_html($code);; ?>" />
     <div class="content">
 
      <div class="divider-text gap-top-20 gap-bottom-45">
@@ -67,17 +67,17 @@ function kkd_format_metadata($data)
      <div class="j-row">
       <div class="span12 unit">
        <label class="label inline">Email:</label>
-       <strong><a href="mailto:<?php echo $dbdata->email; ?>"><?php echo $dbdata->email; ?></a></strong>
+       <strong><a href="mailto:<?php echo esc_html($dbdata->email); ?>"><?php echo esc_html($dbdata->email); ?></a></strong>
       </div>
       <div class="span12 unit">
        <label class="label inline">Amount:</label>
-       <strong><?php echo $currency.number_format($dbdata->amount); ?></strong>
+       <strong><?php echo esc_html($currency.number_format($dbdata->amount)); ?></strong>
       </div>
-        <?php echo kkd_format_metadata($dbdata->metadata); ?>
+        <?php echo  esc_html(kkd_format_metadata($dbdata->metadata)); ?>
 
       <div class="span12 unit">
        <label class="label inline">Date:</label>
-       <strong><?php echo $dbdata->created_at; ?></strong>
+       <strong><?php echo esc_html($dbdata->created_at); ?></strong>
       </div>
         <?php if($dbdata->paid == 1) {?>
                             <div class="span12 unit">
@@ -103,8 +103,8 @@ function kkd_format_metadata($data)
         </div>
     </main>
 </div>
-<?php
-get_footer();
+    <?php
+    get_footer();
 }else{
     die('Invoice code invalid');
 }

paystack-forms.php

@@ -186,7 +186,7 @@ function insertSelectCountries() {
 
 //
 </script>
-<?php
+        <?php
     }
 }
 // add_action( 'init', 'kkd_pff_paystack_invoice_url_rewrite' );