WPDBTrait::is_wpdb_method_call(): bug fix - check names case-insensit…

…ively In PHP class and function names are treated largely case-insensitively (for ascii names), so the method should compare names case-insensitively too. Includes unit tests via the `PreparedSQL` sniff.
WordPress · Dec 17, 2022 · 50e97d4 · 50e97d4
1 parent 8fc7d45
commit 50e97d4
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 3 deletions.
diff --git a/WordPress/Helpers/WPDBTrait.php b/WordPress/Helpers/WPDBTrait.php
@@ -45,7 +45,8 @@ trait WPDBTrait {
 	 *
 	 * @param \PHP_CodeSniffer\Files\File $phpcsFile      The file being scanned.
 	 * @param int                         $stackPtr       The index of the $wpdb variable.
-	 * @param array                       $target_methods Array of methods. Key(s) should be method name.
+	 * @param array                       $target_methods Array of methods. Key(s) should be method name
+	 *                                                    in lowercase.
 	 *
 	 * @return bool Whether this is a $wpdb method call.
 	 */
@@ -55,7 +56,7 @@ protected function is_wpdb_method_call( File $phpcsFile, $stackPtr, $target_meth
 
 		// Check for wpdb.
 		if ( ( \T_VARIABLE === $tokens[ $stackPtr ]['code'] && '$wpdb' !== $tokens[ $stackPtr ]['content'] )
-			|| ( \T_STRING === $tokens[ $stackPtr ]['code'] && 'wpdb' !== $tokens[ $stackPtr ]['content'] )
+			|| ( \T_STRING === $tokens[ $stackPtr ]['code'] && 'wpdb' !== strtolower( $tokens[ $stackPtr ]['content'] ) )
 		) {
 			return false;
 		}
@@ -95,7 +96,7 @@ protected function is_wpdb_method_call( File $phpcsFile, $stackPtr, $target_meth
 		}
 
 		// Check that this is one of the methods that we are interested in.
-		if ( ! isset( $target_methods[ $tokens[ $methodPtr ]['content'] ] ) ) {
+		if ( ! isset( $target_methods[ strtolower( $tokens[ $methodPtr ]['content'] ) ] ) ) {
 			return false;
 		}
 

diff --git a/WordPress/Tests/DB/PreparedSQLUnitTest.inc b/WordPress/Tests/DB/PreparedSQLUnitTest.inc
@@ -117,5 +117,8 @@ $wpdb
 $wpdb?->query( "SELECT * FROM $wpdb->posts WHERE post_title LIKE '" . (int) $foo . "';" ); // OK.
 $wpdb?->query( "SELECT * FROM $wpdb->posts WHERE post_title LIKE '" . foo() . "';" ); // Bad.
 
+WPDB::prepare( "SELECT * FROM $wpdb->posts WHERE post_title LIKE '" . foo() . "';" ); // Bad.
+$wpdb->Query( "SELECT * FROM $wpdb->posts WHERE post_title LIKE '" . foo() . "';" ); // Bad.
+
 // Don't throw an error during live coding.
 wpdb::prepare( "SELECT * FROM $wpdb->posts
diff --git a/WordPress/Tests/DB/PreparedSQLUnitTest.php b/WordPress/Tests/DB/PreparedSQLUnitTest.php
@@ -55,6 +55,8 @@ public function getErrorList() {
 			112 => 1,
 			115 => 1,
 			118 => 1,
+			120 => 1,
+			121 => 1,
 		);
 	}