Issues in class-wpinv-customers-table.php (master) - Issues in master - AyeCode/invoicing - Measure and Improve Code Quality continuously with Scrutinizer

Issues (850)

Security Analysis 4 potential vulnerabilities

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Code Injection (1)

Code Injection enables an attacker to execute arbitrary code on the server.

Variable Injection (2)

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Cross-Site Scripting (1)

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

Header Injection

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/admin/class-wpinv-customers-table.php (2 issues)

Labels

Severity

<?php
/**
 * Customers Table Class
 *
 */

// Exit if accessed directly
if ( ! defined( 'ABSPATH' ) ) {
exit;
}

// Load WP_List_Table if not loaded
if ( ! class_exists( 'WP_List_Table' ) ) {
	require_once ABSPATH . 'wp-admin/includes/class-wp-list-table.php';
}

/**
 * WPInv_Customers_Table Class
 *
 * Renders the Gateway Reports table
 *
 * @since 1.0.19
 */
class WPInv_Customers_Table extends WP_List_Table {

	/**
	 * @var int Number of items per page
	 * @since 1.0.19
	 */
	public $per_page = 25;

	/**
	 * @var int Number of items
	 * @since 1.0.19
	 */
	public $total_count = 0;

	public $query;

	/**
	 * Get things started
	 *
	 * @since 1.0.19
	 * @see WP_List_Table::__construct()
	 */
	public function __construct() {

		// Set parent defaults
		parent::__construct(
            array(
				'singular' => 'id',
				'plural'   => 'ids',
				'ajax'     => false,
            )
        );

	}

	/**
	 * Gets the name of the primary column.
	 *
	 * @since 1.0.19
	 * @access protected
	 *
	 * @return string Name of the primary column.
	 */
	protected function get_primary_column_name() {
		return 'customer';
	}

	/**
	 * This function renders most of the columns in the list table.
	 *
	 * @since 1.0.19
	 *
	 * @param GetPaid_Customer $customer
	 * @param string $column_name The name of the column
	 *
	 * @return string Column Name
	 */
	public function column_default( $customer, $column_name ) {
		$value = esc_html( $customer->get( $column_name ) );
		return apply_filters( 'wpinv_customers_table_column' . $column_name, $value, $customer );
	}

	/**
	 * Displays the country column.
	 *
	 * @since 1.0.19
	 *
	 * @param GetPaid_Customer $customer
	 *
	 * @return string Column Name
	 */
	public function column_country( $customer ) {
		$country = wpinv_sanitize_country( $customer->get( 'country' ) );
		if ( $country ) {

			$country = wpinv_country_name( $country );
		}
		return esc_html( $country );
	}

	/**
	 * Displays the state column.
	 *
	 * @since 1.0.19
	 *
	 * @param GetPaid_Customer $customer
	 *
	 * @return string Column Name
	 */
	public function column_state( $customer ) {
		$country = wpinv_sanitize_country( $customer->get( 'country' ) );
		$state   = $customer->get( 'state' );
		if ( $state ) {
			$state = wpinv_state_name( $state, $country );
		}

		return esc_html( $state );
	}

	/**
	 * Displays the signup column.
	 *
	 * @since 1.0.19
	 *
	 * @param GetPaid_Customer $customer
	 *
	 * @return string Column Name
	 */
	public function column_date_created( $customer ) {
		return getpaid_format_date_value( $customer->get( 'date_created' ) );
	}

	/**
	 * Displays the total spent column.
	 *
	 * @since 1.0.19
	 *
	 * @param GetPaid_Customer $customer
	 *
	 * @return string Column Name
	 */
	public function column_purchase_value( $customer ) {
		return wpinv_price( (float) $customer->get( 'purchase_value' ) );
	}

	/**
	 * Displays the total spent column.
	 *
	 * @since 1.0.19
	 *
	 * @param GetPaid_Customer $customer
	 *
	 * @return string Column Name
	 */
	public function column_purchase_count( $customer ) {
		$value = $customer->get( 'purchase_count' );
		$url   = $customer->get( 'user_id' ) ? add_query_arg( array( 'post_type' => 'wpi_invoice', 'author' => $customer->get( 'user_id' ), ), admin_url( 'edit.php' ) ) : '';

		return ( empty( $value ) || empty( $url ) ) ? (int) $value : '<a href="' . esc_url( $url ) . '">' . absint( $value ) . '</a>';

	}

	/**
	 * Displays the customers name
	 *
	 * @param  GetPaid_Customer $customer customer.
	 * @return string
	 */
	public function column_customer( $customer ) {

		$first_name = $customer->get( 'first_name' );
		$last_name  = $customer->get( 'last_name' );
		$email      = $customer->get( 'email' );
		$avatar     = get_avatar( $customer->get( 'user_id' ) ? $customer->get( 'user_id' ) : $email, 32 );

		// Customer view URL.
		$view_url    = $customer->get( 'user_id' ) ? esc_url( add_query_arg( 'user_id', $customer->get( 'user_id' ), admin_url( 'user-edit.php' ) ) ) : false;
		$row_actions = $view_url ? $this->row_actions(
			array(
				'view' => '<a href="' . $view_url . '#getpaid-fieldset-billing">' . __( 'Edit Details', 'invoicing' ) . '</a>',
			)
		) : '';

		// Customer's name.
		$name   = esc_html( trim( "$first_name $last_name" ) );

		if ( ! empty( $name ) ) {
			$name = "<div style='overflow: hidden;height: 18px;'>$name</div>";
		}

		$email = "<div class='row-title'><a href='mailto:$email'>$email</a></div>";

		return "<div style='display: flex;'><div>$avatar</div><div style='margin-left: 10px;'>$name<strong>$email</strong>$row_actions</div></div>";

	}

	/**
	 * Retrieve the current page number
	 *
	 * @since 1.0.19
	 * @return int Current page number
	 */
	public function get_paged() {
		return isset( $_GET['paged'] ) ? absint( $_GET['paged'] ) : 1;
	}

	/**
	 * Returns bulk actions.
	 *
	 * @since 1.0.19
	 * @return void
	 */
	public function bulk_actions( $which = '' ) {
		return array();

	}

	/**
	 *  Prepares the display query
	 */
	public function prepare_query() {

		// Prepare query args.
		$query = array(
			'number' => $this->per_page,
			'paged'  => $this->get_paged(),
		);

		foreach ( array( 'orderby', 'order', 's' ) as $field ) {
			if ( isset( $_GET[ $field ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
				$query[ $field ] = wpinv_clean( rawurlencode_deep( $_GET[ $field ] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
			}
		}

		foreach ( GetPaid_Customer_Data_Store::get_database_fields() as $field => $type ) {

			if ( isset( $_GET[ $field ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
				$query[ $field ] = wpinv_clean( rawurlencode_deep( $_GET[ $field ] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
			}

			// Min max.
			if ( '%f' === $type || '%d' === $type ) {

				if ( isset( $_GET[ $field . '_min' ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
					$query[ $field . '_min' ] = floatval( $_GET[ $field . '_min' ] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
				}

				if ( isset( $_GET[ $field . '_max' ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
					$query[ $field . '_max' ] = floatval( $_GET[ $field . '_max' ] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
				}
			}
		}

		// Prepare class properties.
		$this->query       = getpaid_get_customers( $query, 'query' );
		$this->total_count = $this->query->get_total();
		$this->items       = $this->query->get_results();
	}

	/**
	 * Setup the final data for the table
	 *
	 */
	public function prepare_items() {

		$columns  = $this->get_columns();
		$hidden   = array();
		$sortable = $this->get_sortable_columns();
		$this->prepare_query();

		$this->_column_headers = array( $columns, $hidden, $sortable );

		$this->set_pagination_args(
			array(
				'total_items' => $this->total_count,
				'per_page'    => $this->per_page,
				'total_pages' => ceil( $this->total_count / $this->per_page ),
			)
		);
	}

	/**
	 * Sortable table columns.
	 *
	 * @return array
	 */
	public function get_sortable_columns() {
		$sortable = array(
			'customer' => array( 'first_name', true ),
		);

		foreach ( GetPaid_Customer_Data_Store::get_database_fields() as $field => $type ) {
			$sortable[ $field ] = array( $field, true );
		}

		return apply_filters( 'manage_getpaid_customers_sortable_table_columns', $sortable );
	}

	/**
	 * Table columns
	 *
	 * @return array
	 */
	public function get_columns() {
		$columns = array(
			'customer' => __( 'Customer', 'invoicing' ),
		);

		// Add address fields.
		foreach ( getpaid_user_address_fields() as $key => $value ) {

			// Skip id, user_id and email.
			if ( ! in_array( $key, array( 'id', 'user_id', 'email', 'purchase_value', 'purchase_count', 'date_created', 'date_modified', 'uuid', 'first_name', 'last_name' ), true ) ) {
				$columns[ $key ] = $value;
			}
		}

		$columns['purchase_value'] = __( 'Total Spend', 'invoicing' );
		$columns['purchase_count'] = __( 'Invoices', 'invoicing' );
		$columns['date_created']   = __( 'Date created', 'invoicing' );

		return apply_filters( 'manage_getpaid_customers_table_columns', $columns );
	}
}


1			<?php
2			/**
3			* Customers Table Class
4			*
5			*/
6
7			// Exit if accessed directly
8			if ( ! defined( 'ABSPATH' ) ) {
9			exit;
10			}
11
12			// Load WP_List_Table if not loaded
13			if ( ! class_exists( 'WP_List_Table' ) ) {
14			require_once ABSPATH . 'wp-admin/includes/class-wp-list-table.php';
15			}
16
17			/**
18			* WPInv_Customers_Table Class
19			*
20			* Renders the Gateway Reports table
21			*
22			* @since 1.0.19
23			*/
24			class WPInv_Customers_Table extends WP_List_Table {
25
26			/**
27			* @var int Number of items per page
28			* @since 1.0.19
29			*/
30			public $per_page = 25;
31
32			/**
33			* @var int Number of items
34			* @since 1.0.19
35			*/
36			public $total_count = 0;
37
38			public $query;
39
40			/**
41			* Get things started
42			*
43			* @since 1.0.19
44			* @see WP_List_Table::__construct()
45			*/
46			public function __construct() {
47
48			// Set parent defaults
49			parent::__construct(
50			array(
51			'singular' => 'id',
52			'plural' => 'ids',
53			'ajax' => false,
54			)
55			);
56
57			}
58
59			/**
60			* Gets the name of the primary column.
61			*
62			* @since 1.0.19
63			* @access protected
64			*
65			* @return string Name of the primary column.
66			*/
67			protected function get_primary_column_name() {
68			return 'customer';
69			}
70
71			/**
72			* This function renders most of the columns in the list table.
73			*
74			* @since 1.0.19
75			*
76			* @param GetPaid_Customer $customer
77			* @param string $column_name The name of the column
78			*
79			* @return string Column Name
80			*/
81			public function column_default( $customer, $column_name ) {
82			$value = esc_html( $customer->get( $column_name ) );
83			return apply_filters( 'wpinv_customers_table_column' . $column_name, $value, $customer );
84			}
85
86			/**
87			* Displays the country column.
88			*
89			* @since 1.0.19
90			*
91			* @param GetPaid_Customer $customer
92			*
93			* @return string Column Name
94			*/
95			public function column_country( $customer ) {
96			$country = wpinv_sanitize_country( $customer->get( 'country' ) );
97			if ( $country ) {
			0 ignored issues – show Bug Best Practice introduced 2020-07-20 11:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$country` of type `array` is implicitly converted to a boolean; are you sure this is intended? If so, consider using `! empty($expr)` instead to make it clear that you intend to check for an array without elements. This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent. Consider making the comparison explicit by using `empty(..)` or `! empty(...)` instead. Loading history...
98			$country = wpinv_country_name( $country );
99			}
100			return esc_html( $country );
101			}
102
103			/**
104			* Displays the state column.
105			*
106			* @since 1.0.19
107			*
108			* @param GetPaid_Customer $customer
109			*
110			* @return string Column Name
111			*/
112			public function column_state( $customer ) {
113			$country = wpinv_sanitize_country( $customer->get( 'country' ) );
114			$state = $customer->get( 'state' );
115			if ( $state ) {
116			$state = wpinv_state_name( $state, $country );
117			}
118
119			return esc_html( $state );
120			}
121
122			/**
123			* Displays the signup column.
124			*
125			* @since 1.0.19
126			*
127			* @param GetPaid_Customer $customer
128			*
129			* @return string Column Name
130			*/
131			public function column_date_created( $customer ) {
132			return getpaid_format_date_value( $customer->get( 'date_created' ) );
133			}
134
135			/**
136			* Displays the total spent column.
137			*
138			* @since 1.0.19
139			*
140			* @param GetPaid_Customer $customer
141			*
142			* @return string Column Name
143			*/
144			public function column_purchase_value( $customer ) {
145			return wpinv_price( (float) $customer->get( 'purchase_value' ) );
146			}
147
148			/**
149			* Displays the total spent column.
150			*
151			* @since 1.0.19
152			*
153			* @param GetPaid_Customer $customer
154			*
155			* @return string Column Name
156			*/
157			public function column_purchase_count( $customer ) {
158			$value = $customer->get( 'purchase_count' );
159			$url = $customer->get( 'user_id' ) ? add_query_arg( array( 'post_type' => 'wpi_invoice', 'author' => $customer->get( 'user_id' ), ), admin_url( 'edit.php' ) ) : '';
160
161			return ( empty( $value ) \|\| empty( $url ) ) ? (int) $value : '<a href="' . esc_url( $url ) . '">' . absint( $value ) . '</a>';
162
163			}
164
165			/**
166			* Displays the customers name
167			*
168			* @param GetPaid_Customer $customer customer.
169			* @return string
170			*/
171			public function column_customer( $customer ) {
172
173			$first_name = $customer->get( 'first_name' );
174			$last_name = $customer->get( 'last_name' );
175			$email = $customer->get( 'email' );
176			$avatar = get_avatar( $customer->get( 'user_id' ) ? $customer->get( 'user_id' ) : $email, 32 );
177
178			// Customer view URL.
179			$view_url = $customer->get( 'user_id' ) ? esc_url( add_query_arg( 'user_id', $customer->get( 'user_id' ), admin_url( 'user-edit.php' ) ) ) : false;
180			$row_actions = $view_url ? $this->row_actions(
181			array(
182			'view' => '<a href="' . $view_url . '#getpaid-fieldset-billing">' . __( 'Edit Details', 'invoicing' ) . '</a>',
183			)
184			) : '';
185
186			// Customer's name.
187			$name = esc_html( trim( "$first_name $last_name" ) );
188
189			if ( ! empty( $name ) ) {
190			$name = "<div style='overflow: hidden;height: 18px;'>$name</div>";
191			}
192
193			$email = "<div class='row-title'><a href='mailto:$email'>$email</a></div>";
194
195			return "<div style='display: flex;'><div>$avatar</div><div style='margin-left: 10px;'>$name<strong>$email</strong>$row_actions</div></div>";
196
197			}
198
199			/**
200			* Retrieve the current page number
201			*
202			* @since 1.0.19
203			* @return int Current page number
204			*/
205			public function get_paged() {
206			return isset( $_GET['paged'] ) ? absint( $_GET['paged'] ) : 1;
207			}
208
209			/**
210			* Returns bulk actions.
211			*
212			* @since 1.0.19
213			* @return void
214			*/
215			public function bulk_actions( $which = '' ) {
216			return array();
			0 ignored issues – show Bug Best Practice introduced 2020-07-10 19:01 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `return array()` returns the type `array` which is incompatible with the documented return type `void`. Loading history...
217			}
218
219			/**
220			* Prepares the display query
221			*/
222			public function prepare_query() {
223
224			// Prepare query args.
225			$query = array(
226			'number' => $this->per_page,
227			'paged' => $this->get_paged(),
228			);
229
230			foreach ( array( 'orderby', 'order', 's' ) as $field ) {
231			if ( isset( $_GET[ $field ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
232			$query[ $field ] = wpinv_clean( rawurlencode_deep( $_GET[ $field ] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
233			}
234			}
235
236			foreach ( GetPaid_Customer_Data_Store::get_database_fields() as $field => $type ) {
237
238			if ( isset( $_GET[ $field ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
239			$query[ $field ] = wpinv_clean( rawurlencode_deep( $_GET[ $field ] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
240			}
241
242			// Min max.
243			if ( '%f' === $type \|\| '%d' === $type ) {
244
245			if ( isset( $_GET[ $field . '_min' ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
246			$query[ $field . '_min' ] = floatval( $_GET[ $field . '_min' ] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
247			}
248
249			if ( isset( $_GET[ $field . '_max' ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
250			$query[ $field . '_max' ] = floatval( $_GET[ $field . '_max' ] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
251			}
252			}
253			}
254
255			// Prepare class properties.
256			$this->query = getpaid_get_customers( $query, 'query' );
257			$this->total_count = $this->query->get_total();
258			$this->items = $this->query->get_results();
259			}
260
261			/**
262			* Setup the final data for the table
263			*
264			*/
265			public function prepare_items() {
266
267			$columns = $this->get_columns();
268			$hidden = array();
269			$sortable = $this->get_sortable_columns();
270			$this->prepare_query();
271
272			$this->_column_headers = array( $columns, $hidden, $sortable );
273
274			$this->set_pagination_args(
275			array(
276			'total_items' => $this->total_count,
277			'per_page' => $this->per_page,
278			'total_pages' => ceil( $this->total_count / $this->per_page ),
279			)
280			);
281			}
282
283			/**
284			* Sortable table columns.
285			*
286			* @return array
287			*/
288			public function get_sortable_columns() {
289			$sortable = array(
290			'customer' => array( 'first_name', true ),
291			);
292
293			foreach ( GetPaid_Customer_Data_Store::get_database_fields() as $field => $type ) {
294			$sortable[ $field ] = array( $field, true );
295			}
296
297			return apply_filters( 'manage_getpaid_customers_sortable_table_columns', $sortable );
298			}
299
300			/**
301			* Table columns
302			*
303			* @return array
304			*/
305			public function get_columns() {
306			$columns = array(
307			'customer' => __( 'Customer', 'invoicing' ),
308			);
309
310			// Add address fields.
311			foreach ( getpaid_user_address_fields() as $key => $value ) {
312
313			// Skip id, user_id and email.
314			if ( ! in_array( $key, array( 'id', 'user_id', 'email', 'purchase_value', 'purchase_count', 'date_created', 'date_modified', 'uuid', 'first_name', 'last_name' ), true ) ) {
315			$columns[ $key ] = $value;
316			}
317			}
318
319			$columns['purchase_value'] = __( 'Total Spend', 'invoicing' );
320			$columns['purchase_count'] = __( 'Invoices', 'invoicing' );
321			$columns['date_created'] = __( 'Date created', 'invoicing' );
322
323			return apply_filters( 'manage_getpaid_customers_table_columns', $columns );
324			}
325			}
326

AyeCode / invoicing

Issues (850)

Security Analysis 4 potential vulnerabilities

includes/admin/class-wpinv-customers-table.php (2 issues)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like