Merge pull request #55 from sectsect/phpstan2

chore(phpstan): upgrade PHPStan to v2.0

admin/class-recursivetable.php

@@ -214,7 +214,7 @@ private static function array_to_html_table_recursive( array $arr ): string {
 
 	global $wpdb;
 	$table         = GOOGLE_SS2DB_TABLE_NAME;
-	$paged         = isset( $_GET['paged'] ) ? ( (int) $_GET['paged'] ) : 1;
+	$paged         = filter_input( INPUT_GET, 'paged', FILTER_VALIDATE_INT ) ? filter_input( INPUT_GET, 'paged', FILTER_VALIDATE_INT ) : 1;
 	$limit         = 24;
 	$offset        = ( $paged - 1 ) * $limit;
 	$countsql      = 'SELECT * FROM ' . GOOGLE_SS2DB_TABLE_NAME . ' ORDER BY date DESC';

composer.json

@@ -11,23 +11,24 @@
   ],
   "type": "wordpress-plugin",
   "require": {
-    "php": ">=5.5",
+    "php": ">=8.0",
     "google/apiclient": "^2.16"
   },
   "require-dev": {
     "phpunit/phpunit": "^7.5 || ^9.5",
     "yoast/phpunit-polyfills": "^2.0",
     "squizlabs/php_codesniffer": "^3.7",
     "wp-coding-standards/wpcs": "^3.0",
-    "phpstan/phpstan": "^1.10",
-    "szepeviktor/phpstan-wordpress": "^1.3",
-    "phpstan/extension-installer": "^1.3"
+    "phpstan/phpstan": "^2.0",
+    "szepeviktor/phpstan-wordpress": "2.x-dev",
+    "phpstan/extension-installer": "^1.3",
+    "phpstan/phpstan-deprecation-rules": "^2.0"
   },
   "license": "GPL-3.0+",
   "authors": [
     {
-      "name": "SECT WEB INTERACTIVE",
-      "homepage": "https://www.ilovesect.com/"
+      "name": "sect",
+      "homepage": "https://github.com/sectsect"
     }
   ],
   "config": {

functions/functions.php

@@ -50,7 +50,7 @@ function google_ss2db_options_pagination( int $paged = 1, int $pages = 1, int $r
 			echo '<li class="prevnext"><a href="' . get_pagenum_link( $paged - 1 ) . '">&lsaquo;</a></li>';
 		}
 		for ( $i = 1; $i <= $pages; $i++ ) {
-			if ( 1 !== $pages && ( ! ( $i >= $paged + $range + 1 || $i <= $paged - $range - 1 ) || $pages <= $showitems ) ) {
+			if ( ! ( $i >= $paged + $range + 1 || $i <= $paged - $range - 1 ) || $pages <= $showitems ) {
 				echo ( $paged === $i ) ? '<li class="current"><span>' . $i . '</span></li>' : '<li><a href="' . get_pagenum_link( $i ) . '">' . $i . '</a></li>';
 			}
 		}
@@ -196,8 +196,8 @@ function google_ss2db_get_value_google_spreadsheet( string $worksheet_id, string
 /**
  * Saves data from a Google Spreadsheet to the database.
  *
- * @param array<string> $post_data POST data containing spreadsheet information.
- * @return array<string> Contains details of the operation including the database row ID, date, worksheet identifiers, and operation result.
+ * @param array<string, mixed> $post_data POST data containing spreadsheet information.
+ * @return array<string, mixed> Contains details of the operation including the database row ID, date, worksheet identifiers, and operation result.
  */
 function google_ss2db_save_spreadsheet( array $post_data ): array {
 	global $wpdb;

includes/admin.php

@@ -46,7 +46,8 @@ function google_ss2db_menu(): void {
 function google_ss2db_admin_styles(): void {
 	$plugin_data    = google_ss2db_get_plugin_data();
 	$plugin_version = $plugin_data['Version'];
-	wp_enqueue_style( 'admin-options', plugin_dir_url( __DIR__ ) . 'assets/css/admin-options.css?v=' . $plugin_version, array() );
+	$version        = is_string( $plugin_version ) ? $plugin_version : '1.0.0';
+	wp_enqueue_style( 'admin-options', plugin_dir_url( __DIR__ ) . 'assets/css/admin-options.css', array(), $version );
 }
 
 /**
@@ -56,7 +57,8 @@ function google_ss2db_admin_styles(): void {
 function google_ss2db_admin_scripts(): void {
 	$plugin_data    = google_ss2db_get_plugin_data();
 	$plugin_version = $plugin_data['Version'];
-	wp_enqueue_script( 'google-ss2db-script', plugin_dir_url( __DIR__ ) . 'assets/js/admin-options.js?v=' . $plugin_version, array( 'jquery' ), null, true );
+	$version        = is_string( $plugin_version ) ? $plugin_version : '1.0.0';
+	wp_enqueue_script( 'google-ss2db-script', plugin_dir_url( __DIR__ ) . 'assets/js/admin-options.js', array( 'jquery' ), $version, true );
 	wp_localize_script(
 		'google-ss2db-script',
 		'google_ss2db_data',

includes/class-google-spreadsheet-to-db-activator.php

@@ -44,6 +44,7 @@ public static function activate(): void {
 				value LONGTEXT NOT NULL,
 				PRIMARY KEY  (id)
 			) $charset_collate;";
+			// @phpstan-ignore-next-line
 			require_once ABSPATH . 'wp-admin/includes/upgrade.php';
 			dbDelta( $sql );
 			update_option( 'google_ss2db_version', $google_ss2db_db_version );

includes/delete.php

@@ -29,23 +29,27 @@
  * @subpackage Google_Spreadsheet_to_DB/includes
  */
 
-require '../../../../wp-load.php';
+require_once dirname( __DIR__, 4 ) . '/wp-load.php';
 
-if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'google_ss2db' ) || 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['id'] ) ) {
+// Secure input handling with filter_input().
+$nonce          = filter_input( INPUT_POST, 'nonce', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
+$request_method = filter_input( INPUT_SERVER, 'REQUEST_METHOD', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
+$id             = filter_input( INPUT_POST, 'id', FILTER_VALIDATE_INT );
+
+if ( ! $nonce || ! wp_verify_nonce( $nonce, 'google_ss2db' ) || 'POST' !== $request_method || ! $id ) {
 	wp_die( 'Our Site is protected!!' );
 }
 
-$theid = wp_unslash( $_POST['id'] );
 $array = array(
-	'id' => $theid,
+	'id' => $id,
 );
 
 global $wpdb;
 $res = $wpdb->delete( GOOGLE_SS2DB_TABLE_NAME, $array );
 
 $return = array(
 	'res' => $res,
-	'id'  => wp_unslash( $_POST['id'] ),
+	'id'  => $id,
 );
 
 echo json_encode( $return );

includes/save.php

@@ -26,17 +26,22 @@
  * @subpackage Google_Spreadsheet_to_DB/includes
  */
 
-require '../../../../wp-load.php';
+require_once dirname( __DIR__, 4 ) . '/wp-load.php';
 
-if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'google_ss2db' ) || 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
+// Sanitize and validate POST data using filter_input().
+$nonce        = filter_input( INPUT_POST, 'nonce', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
+$http_referer = filter_input( INPUT_POST, '_wp_http_referer', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
+
+if ( ! $nonce || ! wp_verify_nonce( $nonce, 'google_ss2db' ) || 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
 	wp_die( 'Our Site is protected!!' );
 }
 
-$data = google_ss2db_save_spreadsheet( $_POST );
-$data = apply_filters( 'google_ss2db_after_save', $data );
+$sanitized_post_data = array_map( fn( $value ) => is_string( $value ) ? sanitize_text_field( $value ) : $value, $_POST );
+$data                = google_ss2db_save_spreadsheet( $sanitized_post_data );
+$data                = apply_filters( 'google_ss2db_after_save', $data );
 
 $bool    = (bool) $data['result'];
-$referer = wp_unslash( $_POST['_wp_http_referer'] );
+$referer = wp_unslash( $http_referer );
 $referer = str_replace( '&settings-updated=true', '', $referer );
 $referer = $referer . '&ss2dbupdated=' . $bool;
 wp_redirect( $referer );

phpstan.neon.dist

@@ -7,3 +7,5 @@ parameters:
     - includes/
   bootstrapFiles:
     - vendor/autoload.php
+includes:
+  - phar://phpstan.phar/conf/bleedingEdge.neon