
Refine DirectDB sniff error messages#1218

Merged
davidperezgar merged 1 commit into trunk from refine-sniff-error-messages on Mar 15, 2026

Conversation


@ernilambar ernilambar commented Mar 15, 2026

Fixes #1217

Summary

Shortens and simplifies PluginCheck.Security.DirectDB (DirectDBSniff) output so messages are easier to scan in CI/IDE.

Changes

  • Omit full query from message: Message format changed from Unescaped parameter %s used in $wpdb->%s(%s)%s to Unescaped parameter %s used in $wpdb->%s()%s. The SQL string is no longer included.
  • Cap extra context: Only the first line of extra context is appended (e.g. $foo assigned unsafely at line 14.). Assignment code snippets are no longer included in unwind_unsafe_assignments().

Testing

  • No test changes required (tests assert line numbers and error code only).

Example code

function example() {
	global $wpdb;
	$foo = $_GET['id'];
	$wpdb->query( "SELECT * FROM " . $wpdb->users . " WHERE id = '" . $foo . "' LIMIT 1" );
}

The sniff reports the unescaped $foo on the query() line. The “before” message included the full first argument and full assignment context; the “after” message does not.


Before

Unescaped parameter $foo used in $wpdb->query("SELECT * FROM " . $wpdb->users . " WHERE id = '" . $foo . "' LIMIT 1")

 $foo assigned unsafely at line 4:
 $foo = $_GET['id'];

If the assignment had used e.g. sanitize_text_field(), a second line of context was added:

Unescaped parameter $foo used in $wpdb->query("SELECT * FROM " . $wpdb->users . " WHERE id = '" . $foo . "' LIMIT 1")

 $foo assigned unsafely at line 4:
 $foo = sanitize_text_field( $_POST['id'] );
Note: sanitize_text_field() is not a safe escaping function.

After (exact message from phpcs)

Unescaped parameter $foo used in $wpdb->query()

 $foo assigned unsafely at line 4.

Only the first line of context is shown, and the assignment code snippet is omitted. The “Note: …” line is no longer shown (it was always part of the extra context block).

@ernilambar ernilambar force-pushed the refine-sniff-error-messages branch from c8312dd to 1fbed40 on March 15, 2026 10:15
@ernilambar ernilambar marked this pull request as ready for review on March 15, 2026 10:22
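The PR description shows only what the sniff reports, not what passes it. The following is an added example (not part of this PR or of the plugin-check code base) that places the unsafe pattern from the description next to a form that routes the user-supplied value through `$wpdb->prepare()`, the escaping path that DirectDB-style sniffs recognise. It assumes WordPress is loaded so that `$wpdb`, `sanitize_text_field()`, `wp_unslash()` and `absint()` are available; the function names are hypothetical.

```php
<?php
// Added example, not code from the PR. Assumes WordPress is loaded and
// $wpdb is the global wpdb instance.

// Flagged by PluginCheck.Security.DirectDB: $foo comes from $_GET and is
// concatenated straight into the SQL string. With this PR the report reads
// "Unescaped parameter $foo used in $wpdb->query()" followed by
// "$foo assigned unsafely at line N." without the query text.
function example_unsafe() {
	global $wpdb;
	$foo = $_GET['id'];
	return $wpdb->query( "SELECT * FROM " . $wpdb->users . " WHERE ID = '" . $foo . "' LIMIT 1" );
}

// Still flagged: sanitize_text_field() strips tags and whitespace for
// display purposes, but it is not an SQL escaping function, so the sniff
// treats the assignment as unsafe (the old message said so explicitly in
// its "Note:" line; the new one omits that line but reports the same error).
function example_sanitized_but_unescaped() {
	global $wpdb;
	$foo = sanitize_text_field( $_POST['id'] );
	return $wpdb->query( "SELECT * FROM " . $wpdb->users . " WHERE ID = '" . $foo . "' LIMIT 1" );
}

// Not flagged: the value is bound as a %d placeholder through $wpdb->prepare(),
// which casts it to an integer and escapes it before the query is built.
// absint() is belt-and-braces here, since the ID column is numeric anyway.
function example_prepared() {
	global $wpdb;
	$id = isset( $_GET['id'] ) ? absint( wp_unslash( $_GET['id'] ) ) : 0;
	if ( 0 === $id ) {
		return null;
	}
	return $wpdb->get_row(
		$wpdb->prepare(
			"SELECT * FROM {$wpdb->users} WHERE ID = %d LIMIT 1",
			$id
		)
	);
}
```

Running phpcs with the plugin-check standard over this file reports the first two functions on their `$wpdb->query()` lines and stays silent on the third; the shortened message format from this PR is what makes the two hits easy to tell apart in a CI log, since the distinguishing detail (which assignment was unsafe) is now the only context line left.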

github-actions bot commented Mar 15, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: ernilambar <nilambar@git.wordpress.org>
Co-authored-by: davidperezgar <davidperez@git.wordpress.org>
Co-authored-by: frantorres <frantorres@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@davidperezgar davidperezgar merged commit 457f08b into trunk Mar 15, 2026
28 checks passed
@davidperezgar davidperezgar deleted the refine-sniff-error-messages branch March 15, 2026 15:49