Merge pull request #82 from navnorth/stage

WP-268 Fourth Round Fixes
navnorth · Jun 16, 2022 · a33024e · a33024e
2 parents b2f3a7e + abd9292
commit a33024e
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 21 deletions.
diff --git a/includes/oer-functions.php b/includes/oer-functions.php
@@ -1045,6 +1045,12 @@ function oer_importResources($default=false) {
 
 	$cnt = 0;
 		try{
+			// Register our path override.
+			add_filter( 'upload_dir', 'oer_override_upload_dir' );
+			$upload_overrides = array( 
+				'test_form' => false,
+				'unique_filename_callback' => 'oer_override_filename');
+
 			if ($default==true) {
 				//default resource filename
 				$filename = "resource_import_sample_data.xls";
@@ -1065,14 +1071,18 @@ function oer_importResources($default=false) {
 						if (!(is_dir(OER_PATH."upload"))){
 							mkdir(OER_PATH."upload",0777);
 						}
+						$_file = wp_handle_upload($_FILES["resource_import"], $upload_overrides);
 						"Upload: " . sanitize_file_name($_FILES["resource_import"]["name"]) . "<br>";
 						"Type: " . sanitize_text_field($_FILES["resource_import"]["type"]) . "<br>";
 						"Size: " . sanitize_text_field(($_FILES["resource_import"]["size"] / 1024)) . " kB<br>";
-						"stored in:" .move_uploaded_file($_FILES["resource_import"]["tmp_name"],OER_PATH."upload/".$filename) ;
+						"stored in:" . $_file['file'];
 					}
-					$excl_obj->read(OER_PATH."upload/".$filename);
+
+					$excl_obj->read($_file['file']);
 				}
 			}
+			// Set upload dir to normal
+			remove_filter( 'upload_dir', 'oer_override_upload_dir' );
 
 			$fnldata = $excl_obj->sheets[0];
 			for ($k =2; $k <= $fnldata['numRows']; $k++)
@@ -1717,6 +1727,24 @@ function oer_custom_array_intersect($firstArray, $secondArray){
   return $intersection;
 }
 
+// Temporarily override upload dir of wp_handle_upload
+function oer_override_upload_dir( $dir ){
+	 return array(
+        'path'   => OER_PATH."upload",
+        'url'    => OER_PATH."upload",
+        'subdir' => '/upload',
+    ) + $dir;
+}
+
+// Override filename for wp_handle_upload
+function oer_override_filename($dir, $name, $ext){
+	$time = time();
+	$date = date($time);
+	$file = pathinfo($name);
+	$new_filename = $file['filename'] . "-" . $date . $ext;
+	return $new_filename;
+} 
+
 //Import Subject Areas
 function oer_importSubjectAreas($default=false) {
 	global $wpdb;
@@ -1739,6 +1767,12 @@ function oer_importSubjectAreas($default=false) {
 
 	global $wpdb;
 
+	// Register our path override.
+	add_filter( 'upload_dir', 'oer_override_upload_dir' );
+	$upload_overrides = array( 
+		'test_form' => false,
+		'unique_filename_callback' => 'oer_override_filename');
+
 	try {
 		if ($default==true) {
 			//default subject area filename
@@ -1757,16 +1791,20 @@ function oer_importSubjectAreas($default=false) {
 				else
 				{
 					//Upload File
-					"Upload: " . sanitize_file_name($_FILES["bulk_import"]["name"]) . "<br>";
+					$_file = wp_handle_upload($_FILES["bulk_import"], $upload_overrides);
+  					"Upload: " . sanitize_file_name($_FILES["bulk_import"]["name"]) . "<br>";
 					"Type: " . sanitize_text_field($_FILES["bulk_import"]["type"]) . "<br>";
 					"Size: " . sanitize_text_field(($_FILES["bulk_import"]["size"] / 1024)) . " kB<br>";
-					"stored in:" .move_uploaded_file($_FILES["bulk_import"]["tmp_name"],OER_PATH."upload/".$filename) ;
+					"stored in:" . esc_url_raw($_file['file']) ; 
 				}
 
 				//Read Excel Data
-				$excl_obj->read(OER_PATH."upload/".$filename);
+				//$excl_obj->read(OER_PATH."upload/".$filename);
+				$excl_obj->read($_file['file']);
 			}
 		}
+		// Set upload dir to normal
+		remove_filter( 'upload_dir', 'oer_override_upload_dir' );
 
 			$fnldata = $excl_obj->sheets;
 			$length = count($fnldata);
@@ -1852,6 +1890,8 @@ function oer_importSubjectAreas($default=false) {
 	return $response;
 }
 
+
+
 //Import Default Grade Levels
 function oer_importDefaultGradeLevels(){
 	$_arr = array(
@@ -2612,7 +2652,7 @@ function oer_get_substandards($standard_id, $core=true){
 
 	$substandards = array();
 
-	$query = "SELECT * FROM {$wpdb->prefix}oer_sub_standards where parent_id='%s'";
+	$query = "SELECT * FROM {$wpdb->prefix}oer_sub_standards where parent_id = %s";
 
 	$substandards = $wpdb->get_results($wpdb->prepare($query, $std_id));
 
@@ -2629,7 +2669,7 @@ function oer_get_standard_notations($standard_id){
 
 	$notations = array();
 
-	$query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation where parent_id='%s'";
+	$query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation where parent_id = %s";
 
 	$result = $wpdb->get_results($wpdb->prepare($query, $std_id));
 
@@ -2648,7 +2688,7 @@ function oer_get_substandard_by_notation($notation) {
 
 	$std = null;
 
-	$query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE standard_notation = '%s'";
+	$query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE standard_notation = %s";
 
 	$substandards = $wpdb->get_results($wpdb->prepare($query, $notation));
 
@@ -2667,7 +2707,7 @@ function oer_get_standard_by_notation($notation){
 
 	$std = null;
 
-	$query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE standard_notation = '%s'";
+	$query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE standard_notation = %s";
 
 	$standard_notation = $wpdb->get_results($wpdb->prepare($query, $notation));
 
@@ -2696,7 +2736,7 @@ function get_substandards_by_notation($notation){
 
 	$std = null;
 
-	$query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE standard_notation = '%s'";
+	$query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE standard_notation = %s";
 
 	$standard_notation = $wpdb->get_results($wpdb->prepare($query, $notation));
 
@@ -2758,7 +2798,7 @@ function oer_get_child_notations($notation_id){
 
 	$notation = "standard_notation-".$notation_id;
 
-	$query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE parent_id = '%s'";
+	$query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE parent_id = %s";
 
 	$standard_notations = $wpdb->get_results($wpdb->prepare($query, $notation));
 
@@ -2857,14 +2897,14 @@ function oer_get_corestandard_by_standard($parent_id){
 	$standard = null;
 	$parent = explode("-",$parent_id);
 	if ($parent[0]=="sub_standards") {
-		$query = "SELECT * FROM {$wpdb->prefix}oer_sub_standards WHERE id = '%s'";
+		$query = "SELECT * FROM {$wpdb->prefix}oer_sub_standards WHERE id = %s";
 		$substandards = $wpdb->get_results($wpdb->prepare($query, $parent[1]));
 
 		foreach($substandards as $substandard){
 			$standard = oer_get_corestandard_by_standard($substandard->parent_id);
 		}
 	} else {
-		$query = "SELECT * FROM {$wpdb->prefix}oer_core_standards WHERE id = '%s'";
+		$query = "SELECT * FROM {$wpdb->prefix}oer_core_standards WHERE id = %s";
 		$standards = $wpdb->get_results($wpdb->prepare($query, $parent[1]));
 		foreach($standards as $std){
 			$standard = $std;

diff --git a/open-educational-resources.php b/open-educational-resources.php
@@ -3,7 +3,7 @@
  Plugin Name:        WP OER
  Plugin URI:         https://www.wp-oer.com
  Description:        Open Educational Resource management and curation, metadata publishing, and alignment to Common Core State Standards.
- Version:            0.9.0
+ Version:            0.9.1
  Requires at least:  4.4
  Requires PHP:       7.0
  Author:             Navigation North
@@ -38,7 +38,7 @@
 // Plugin Name and Version
 define( 'OER_PLUGIN_NAME', 'WP OER Plugin' );
 define( 'OER_ADMIN_PLUGIN_NAME', 'WP OER Plugin');
-define( 'OER_VERSION', '0.9.0' );
+define( 'OER_VERSION', '0.9.1' );
 define( 'OER_SITE_PATH', ABSPATH );
 
 include_once(OER_PATH.'includes/oer-functions.php');
@@ -2155,12 +2155,12 @@ function oer_custom_query($search, $wp_query){
 		$search .= "{$searchand} (";
 
 		//Search in title
-		$search .= $wpdb->prepare("($wpdb->posts.post_title LIKE '%s')", $term);
+		$search .= $wpdb->prepare("($wpdb->posts.post_title LIKE %s)", $term);
                 $OR = ' OR ';
 
 		//Search in content
 		$search .= $OR;
-                $search .= $wpdb->prepare("($wpdb->posts.post_content LIKE '%s')", $term);
+                $search .= $wpdb->prepare("($wpdb->posts.post_content LIKE %s)", $term);
                 $OR = ' OR ';
 
 		//Search by meta keys
@@ -2189,7 +2189,7 @@ function oer_custom_query($search, $wp_query){
 		$meta_key_OR = '';
 		foreach ($meta_keys as $key_slug) {
                         $search .= $OR;
-                        $search .= $wpdb->prepare("$meta_key_OR (pm.meta_key = '%s' AND pm.meta_value LIKE '%s')", $key_slug, $term);
+                        $search .= $wpdb->prepare("$meta_key_OR (pm.meta_key = %s AND pm.meta_value LIKE %s)", $key_slug, $term);
                         $OR = '';
                         $meta_key_OR = ' OR ';
                 }
@@ -2201,7 +2201,7 @@ function oer_custom_query($search, $wp_query){
 		$tax_OR = '';
 		foreach($taxonomies as $tax) {
 			$search .= $OR;
-                        $search .= $wpdb->prepare("$tax_OR (tt.taxonomy = '%s' AND t.name LIKE '%s')", $tax, $term);
+                        $search .= $wpdb->prepare("$tax_OR (tt.taxonomy = %s AND t.name LIKE %s)", $tax, $term);
                         $OR = '';
                         $tax_OR = ' OR ';
 		}

diff --git a/readme.txt b/readme.txt
@@ -4,7 +4,7 @@ Tags: OER, Open Educational Resources, Education, Teaching, Learning
 Requires at least: 4.4
 Tested up to: 6.0
 Requires PHP: 7.0
-Stable tag: 0.9.0
+Stable tag: 0.9.1
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
 
@@ -41,8 +41,12 @@ No frequently asked questions.
 3. Display educational resources on your WordPress website!
 
 == Changelog ==
+= 0.9.1 =
+* Replaced move_uploaded_file with wp_handle_upload function when importing subject areas and resources
+* Removed quote around string placeholders used in $wpdb->prepare statements
+
 = 0.9.0 =
-* Implement further sanitizing of input and escaping of displayed data 
+* Implemented further sanitizing of input and escaping of displayed data 
 
 = 0.8.9 =
 * Upgrade Bootstrap library to 5.1.3