AyeCode /
invoicing
| Conditions | 35 |
| Paths | > 20000 |
| Total Lines | 240 |
| Lines | 171 |
| Ratio | 71.25 % |
| Changes | 0 | ||
Small methods make your code easier to understand, in particular if combined with a good name. Besides, if your method is small, finding a good name is usually much easier.
For example, if you find yourself adding comments to a method's body, this is usually a good sign to extract the commented part to a new method, and use the comment as a starting point when coming up with a good name for this new method.
Commonly applied refactorings include:
If many parameters/temporary variables are present:
| 1 | <?php |
||
| 85 | public function get_subscriptions( $args = array() ) { |
||
| 86 | global $wpdb; |
||
| 87 | |||
| 88 | $defaults = array( |
||
| 89 | 'number' => get_option( 'posts_per_page' ), |
||
| 90 | 'offset' => 0, |
||
| 91 | 'search' => '', |
||
| 92 | 'customer_id' => 0, |
||
| 93 | 'orderby' => 'id', |
||
| 94 | 'order' => 'DESC' |
||
| 95 | ); |
||
| 96 | |||
| 97 | $args = wp_parse_args( $args, $defaults ); |
||
|
|
|||
| 98 | |||
| 99 | if( $args['number'] < 1 ) { |
||
| 100 | $args['number'] = 999999999999; |
||
| 101 | } |
||
| 102 | |||
| 103 | $where = ' WHERE 1=1 '; |
||
| 104 | |||
| 105 | // specific customers |
||
| 106 | if( ! empty( $args['id'] ) ) { |
||
| 107 | |||
| 108 | if( is_array( $args['id'] ) ) { |
||
| 109 | $ids = implode( ',', array_map('intval', $args['id'] ) ); |
||
| 110 | } else { |
||
| 111 | $ids = intval( $args['id'] ); |
||
| 112 | } |
||
| 113 | |||
| 114 | $where .= " AND `id` IN( {$ids} ) "; |
||
| 115 | |||
| 116 | } |
||
| 117 | |||
| 118 | // Specific products |
||
| 119 | if( ! empty( $args['product_id'] ) ) { |
||
| 120 | |||
| 121 | if( is_array( $args['product_id'] ) ) { |
||
| 122 | $product_ids = implode( ',', array_map('intval', $args['product_id'] ) ); |
||
| 123 | } else { |
||
| 124 | $product_ids = intval( $args['product_id'] ); |
||
| 125 | } |
||
| 126 | |||
| 127 | $where .= " AND `product_id` IN( {$product_ids} ) "; |
||
| 128 | |||
| 129 | } |
||
| 130 | |||
| 131 | // Specific parent payments |
||
| 132 | if( ! empty( $args['parent_payment_id'] ) ) { |
||
| 133 | |||
| 134 | if( is_array( $args['parent_payment_id'] ) ) { |
||
| 135 | $parent_payment_ids = implode( ',', array_map('intval', $args['parent_payment_id'] ) ); |
||
| 136 | } else { |
||
| 137 | $parent_payment_ids = intval( $args['parent_payment_id'] ); |
||
| 138 | } |
||
| 139 | |||
| 140 | $where .= " AND `parent_payment_id` IN( {$parent_payment_ids} ) "; |
||
| 141 | |||
| 142 | } |
||
| 143 | |||
| 144 | // Specific transaction IDs |
||
| 145 | if( ! empty( $args['transaction_id'] ) ) { |
||
| 146 | |||
| 147 | if( is_array( $args['transaction_id'] ) ) { |
||
| 148 | $transaction_ids = implode( "','", array_map('sanitize_text_field', $args['transaction_id'] ) ); |
||
| 149 | } else { |
||
| 150 | $transaction_ids = sanitize_text_field( $args['transaction_id'] ); |
||
| 151 | } |
||
| 152 | |||
| 153 | $where .= " AND `transaction_id` IN ( '{$transaction_ids}' ) "; |
||
| 154 | |||
| 155 | } |
||
| 156 | |||
| 157 | // Subscriptoins for specific customers |
||
| 158 | if( ! empty( $args['customer_id'] ) ) { |
||
| 159 | |||
| 160 | if( is_array( $args['customer_id'] ) ) { |
||
| 161 | $customer_ids = implode( ',', array_map('intval', $args['customer_id'] ) ); |
||
| 162 | } else { |
||
| 163 | $customer_ids = intval( $args['customer_id'] ); |
||
| 164 | } |
||
| 165 | |||
| 166 | $where .= " AND `customer_id` IN( {$customer_ids} ) "; |
||
| 167 | |||
| 168 | } |
||
| 169 | |||
| 170 | // Subscriptions for specific profile IDs |
||
| 171 | if( ! empty( $args['profile_id'] ) ) { |
||
| 172 | |||
| 173 | if( is_array( $args['profile_id'] ) ) { |
||
| 174 | $profile_ids = implode( "','", array_map('sanitize_text_field', $args['profile_id'] ) ); |
||
| 175 | } else { |
||
| 176 | $profile_ids = sanitize_text_field( $args['profile_id'] ); |
||
| 177 | } |
||
| 178 | |||
| 179 | $where .= " AND `profile_id` IN( '{$profile_ids}' ) "; |
||
| 180 | |||
| 181 | } |
||
| 182 | |||
| 183 | // Subscriptions for specific statuses |
||
| 184 | if( ! empty( $args['status'] ) ) { |
||
| 185 | |||
| 186 | if( is_array( $args['status'] ) ) { |
||
| 187 | $statuses = implode( "','", array_map( 'sanitize_text_field', $args['status'] ) ); |
||
| 188 | } else { |
||
| 189 | $statuses = sanitize_text_field( $args['status'] ); |
||
| 190 | } |
||
| 191 | |||
| 192 | $where .= " AND `status` IN( '{$statuses}' ) "; |
||
| 193 | |||
| 194 | } |
||
| 195 | |||
| 196 | // Subscriptions created for a specific date or in a date range |
||
| 197 | if( ! empty( $args['date'] ) ) { |
||
| 198 | |||
| 199 | if( is_array( $args['date'] ) ) { |
||
| 200 | |||
| 201 | if( ! empty( $args['date']['start'] ) ) { |
||
| 202 | |||
| 203 | $start = date( 'Y-m-d H:i:s', strtotime( $args['date']['start'] ) ); |
||
| 204 | |||
| 205 | $where .= " AND `created` >= '{$start}'"; |
||
| 206 | |||
| 207 | } |
||
| 208 | |||
| 209 | if( ! empty( $args['date']['end'] ) ) { |
||
| 210 | |||
| 211 | $end = date( 'Y-m-d H:i:s', strtotime( $args['date']['end'] ) ); |
||
| 212 | |||
| 213 | $where .= " AND `created` <= '{$end}'"; |
||
| 214 | |||
| 215 | } |
||
| 216 | |||
| 217 | } else { |
||
| 218 | |||
| 219 | $year = date( 'Y', strtotime( $args['date'] ) ); |
||
| 220 | $month = date( 'm', strtotime( $args['date'] ) ); |
||
| 221 | $day = date( 'd', strtotime( $args['date'] ) ); |
||
| 222 | |||
| 223 | $where .= " AND $year = YEAR ( created ) AND $month = MONTH ( created ) AND $day = DAY ( created )"; |
||
| 224 | } |
||
| 225 | |||
| 226 | } |
||
| 227 | |||
| 228 | // Subscriptions with a specific expiration date or in an expiration date range |
||
| 229 | if( ! empty( $args['expiration'] ) ) { |
||
| 230 | |||
| 231 | if( is_array( $args['expiration'] ) ) { |
||
| 232 | |||
| 233 | if( ! empty( $args['expiration']['start'] ) ) { |
||
| 234 | |||
| 235 | $start = date( 'Y-m-d H:i:s', strtotime( $args['expiration']['start'] ) ); |
||
| 236 | |||
| 237 | $where .= " AND `expiration` >= '{$start}'"; |
||
| 238 | |||
| 239 | } |
||
| 240 | |||
| 241 | if( ! empty( $args['expiration']['end'] ) ) { |
||
| 242 | |||
| 243 | $end = date( 'Y-m-d H:i:s', strtotime( $args['expiration']['end'] ) ); |
||
| 244 | |||
| 245 | $where .= " AND `expiration` <= '{$end}'"; |
||
| 246 | |||
| 247 | } |
||
| 248 | |||
| 249 | } else { |
||
| 250 | |||
| 251 | $year = date( 'Y', strtotime( $args['expiration'] ) ); |
||
| 252 | $month = date( 'm', strtotime( $args['expiration'] ) ); |
||
| 253 | $day = date( 'd', strtotime( $args['expiration'] ) ); |
||
| 254 | |||
| 255 | $where .= " AND $year = YEAR ( expiration ) AND $month = MONTH ( expiration ) AND $day = DAY ( expiration )"; |
||
| 256 | } |
||
| 257 | |||
| 258 | } |
||
| 259 | |||
| 260 | if ( ! empty( $args['search'] ) ) { |
||
| 261 | |||
| 262 | if( false !== strpos( 'id:', $args['search'] ) ) { |
||
| 263 | |||
| 264 | $args['search'] = trim( str_replace( 'id:', '', $args['search'] ) ); |
||
| 265 | $where .= " AND `id` = '" . esc_sql( $args['search'] ) . "'"; |
||
| 266 | |||
| 267 | } else if( false !== strpos( $args['search'], 'txn:' ) ) { |
||
| 268 | |||
| 269 | $args['search'] = trim( str_replace( 'txn:', '', $args['search'] ) ); |
||
| 270 | $where .= " AND `transaction_id` = '" . esc_sql( $args['search'] ) . "'"; |
||
| 271 | |||
| 272 | } else if( false !== strpos( $args['search'], 'profile_id:' ) ) { |
||
| 273 | |||
| 274 | $args['search'] = trim( str_replace( 'profile_id:', '', $args['search'] ) ); |
||
| 275 | $where .= " AND `profile_id` = '" . esc_sql( $args['search'] ) . "'"; |
||
| 276 | |||
| 277 | } else if( false !== strpos( $args['search'], 'product_id:' ) ) { |
||
| 278 | |||
| 279 | $args['search'] = trim( str_replace( 'product_id:', '', $args['search'] ) ); |
||
| 280 | $where .= " AND `product_id` = '" . esc_sql( $args['search'] ) . "'"; |
||
| 281 | |||
| 282 | } else if( false !== strpos( $args['search'], 'customer_id:' ) ) { |
||
| 283 | |||
| 284 | $args['search'] = trim( str_replace( 'customer_id:', '', $args['search'] ) ); |
||
| 285 | $where .= " AND `customer_id` = '" . esc_sql( $args['search'] ) . "'"; |
||
| 286 | |||
| 287 | } else { |
||
| 288 | |||
| 289 | $where .= " AND ( `parent_payment_id` LIKE '%%" . esc_sql( $args['search'] ) . "%%' OR `profile_id` LIKE '%%" . esc_sql( $args['search'] ) . "%%' OR `transaction_id` LIKE '%%" . esc_sql( $args['search'] ) . "%%' OR `product_id` LIKE '%%" . esc_sql( $args['search'] ) . "%%' OR `id` = '" . esc_sql( $args['search'] ) . "' )"; |
||
| 290 | |||
| 291 | } |
||
| 292 | |||
| 293 | } |
||
| 294 | |||
| 295 | $args['orderby'] = ! array_key_exists( $args['orderby'], $this->get_columns() ) ? 'id' : $args['orderby']; |
||
| 296 | |||
| 297 | if( 'amount' == $args['orderby'] ) { |
||
| 298 | $args['orderby'] = 'amount+0'; |
||
| 299 | } |
||
| 300 | |||
| 301 | $cache_key = md5( 'wpinv_subscriptions_' . serialize( $args ) ); |
||
| 302 | |||
| 303 | $subscriptions = wp_cache_get( $cache_key, 'subscriptions' ); |
||
| 304 | |||
| 305 | $args['orderby'] = esc_sql( $args['orderby'] ); |
||
| 306 | $args['order'] = esc_sql( $args['order'] ); |
||
| 307 | |||
| 308 | if( $subscriptions === false ) { |
||
| 309 | $subscriptions = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM $this->table_name $where ORDER BY {$args['orderby']} {$args['order']} LIMIT %d,%d;", absint( $args['offset'] ), absint( $args['number'] ) ), OBJECT ); |
||
| 310 | |||
| 311 | if( ! empty( $subscriptions ) ) { |
||
| 312 | |||
| 313 | foreach( $subscriptions as $key => $subscription ) { |
||
| 314 | $subscriptions[ $key ] = new WPInv_Subscription( $subscription ); |
||
| 315 | } |
||
| 316 | |||
| 317 | wp_cache_set( $cache_key, $subscriptions, 'subscriptions', 3600 ); |
||
| 318 | |||
| 319 | } |
||
| 320 | |||
| 321 | } |
||
| 322 | |||
| 323 | return $subscriptions; |
||
| 324 | } |
||
| 325 | |||
| 586 | } |
Loading history...
$argscan contain request data and is used in variable name context(s) leading to a potential security vulnerability.1 path for user data to reach this point
$_GET,andIssetNode ? $_GET['status'] : 'any'is assigned to$statusin includes/admin/class-wpinv-subscriptions-list-table.php on line 339
$statusis assigned to$argsin includes/admin/class-wpinv-subscriptions-list-table.php on line 355
in includes/admin/class-wpinv-subscriptions-list-table.php on line 358
$argsin includes/class-wpinv-subscriptions-db.php on line 85
Used in variable context
wp_parse_args()is calledin includes/class-wpinv-subscriptions-db.php on line 97
$argsin wordpress/wp-includes/functions.php on line 4294
wp_parse_str()is calledin wordpress/wp-includes/functions.php on line 4300
$stringin wordpress/wp-includes/formatting.php on line 4865
parse_str()is calledin wordpress/wp-includes/formatting.php on line 4866
General Strategies to prevent injection
In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values:
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); }For numeric data, we recommend to explicitly cast the data: