From 862d69119881caf8be3787891424af4da2695fff Mon Sep 17 00:00:00 2001 From: John Paul Balagolan Date: Fri, 17 Jun 2022 00:14:25 +0800 Subject: [PATCH 1/3] WP-268 replace move_uploaded_file with wp_handle_upload on importing subject areas and resources --- includes/oer-functions.php | 50 ++++++++++++++++++++++++++++++++++---- 1 file changed, 45 insertions(+), 5 deletions(-) diff --git a/includes/oer-functions.php b/includes/oer-functions.php index f8d45ea..4d57f52 100644 --- a/includes/oer-functions.php +++ b/includes/oer-functions.php @@ -1045,6 +1045,12 @@ function oer_importResources($default=false) { $cnt = 0; try{ + // Register our path override. + add_filter( 'upload_dir', 'oer_override_upload_dir' ); + $upload_overrides = array( + 'test_form' => false, + 'unique_filename_callback' => 'oer_override_filename'); + if ($default==true) { //default resource filename $filename = "resource_import_sample_data.xls"; @@ -1065,14 +1071,18 @@ function oer_importResources($default=false) { if (!(is_dir(OER_PATH."upload"))){ mkdir(OER_PATH."upload",0777); } + $_file = wp_handle_upload($_FILES["resource_import"], $upload_overrides); "Upload: " . sanitize_file_name($_FILES["resource_import"]["name"]) . "
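Review bot: The `upload_dir` filter registered at the top of the try block is only removed on the straight-line path; if `$excl_obj->read()` or anything else before the later `remove_filter` call throws, `oer_override_upload_dir` stays attached for the rest of the request and redirects every subsequent upload in that request into `OER_PATH."upload"`. The override is only needed while `wp_handle_upload()` runs, so the simplest fix is to call `remove_filter( 'upload_dir', 'oer_override_upload_dir' );` on the line directly after `$_file = wp_handle_upload(...)`, or to move the removal into a `finally` block (the plugin already requires PHP 7.0 per its header). When `$default` is true the filter is registered although no upload happens, so adding it inside the upload branch avoids that too. The same pattern appears in oer_importSubjectAreas at the 1767 hunk, where `add_filter` is even placed before the `try`. oer_importResources continues outside this hunk.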
"; "Type: " . sanitize_text_field($_FILES["resource_import"]["type"]) . "
"; "Size: " . sanitize_text_field(($_FILES["resource_import"]["size"] / 1024)) . " kB
"; - "stored in:" .move_uploaded_file($_FILES["resource_import"]["tmp_name"],OER_PATH."upload/".$filename) ; + "stored in:" . $_file['file']; } - $excl_obj->read(OER_PATH."upload/".$filename); + + $excl_obj->read($_file['file']); } } + // Set upload dir to normal + remove_filter( 'upload_dir', 'oer_override_upload_dir' ); $fnldata = $excl_obj->sheets[0]; for ($k =2; $k <= $fnldata['numRows']; $k++) @@ -1717,6 +1727,24 @@ function oer_custom_array_intersect($firstArray, $secondArray){ return $intersection; } +// Temporarily override upload dir of wp_handle_upload +function oer_override_upload_dir( $dir ){ + return array( + 'path' => OER_PATH."upload", + 'url' => OER_PATH."upload", + 'subdir' => '/upload', + ) + $dir; +} + +// Override filename for wp_handle_upload +function oer_override_filename($dir, $name, $ext){ + $time = time(); + $date = date($time); + $file = pathinfo($name); + $new_filename = $file['filename'] . "-" . $date . $ext; + return $new_filename; +} + //Import Subject Areas function oer_importSubjectAreas($default=false) { global $wpdb; @@ -1739,6 +1767,12 @@ function oer_importSubjectAreas($default=false) { global $wpdb; + // Register our path override. + add_filter( 'upload_dir', 'oer_override_upload_dir' ); + $upload_overrides = array( + 'test_form' => false, + 'unique_filename_callback' => 'oer_override_filename'); + try { if ($default==true) { //default subject area filename @@ -1757,16 +1791,20 @@ function oer_importSubjectAreas($default=false) { else { //Upload File - "Upload: " . sanitize_file_name($_FILES["bulk_import"]["name"]) . "
"; + $_file = wp_handle_upload($_FILES["bulk_import"], $upload_overrides); + "Upload: " . sanitize_file_name($_FILES["bulk_import"]["name"]) . "
"; "Type: " . sanitize_text_field($_FILES["bulk_import"]["type"]) . "
"; "Size: " . sanitize_text_field(($_FILES["bulk_import"]["size"] / 1024)) . " kB
"; - "stored in:" .move_uploaded_file($_FILES["bulk_import"]["tmp_name"],OER_PATH."upload/".$filename) ; + "stored in:" . esc_url_raw($_file['file']) ; } //Read Excel Data - $excl_obj->read(OER_PATH."upload/".$filename); + //$excl_obj->read(OER_PATH."upload/".$filename); + $excl_obj->read($_file['file']); } } + // Set upload dir to normal + remove_filter( 'upload_dir', 'oer_override_upload_dir' ); $fnldata = $excl_obj->sheets; $length = count($fnldata); @@ -1852,6 +1890,8 @@ function oer_importSubjectAreas($default=false) { return $response; } + + //Import Default Grade Levels function oer_importDefaultGradeLevels(){ $_arr = array( From 1bf98d69836edfdd5c476d34c8d3c339ce526cfe Mon Sep 17 00:00:00 2001 From: John Paul Balagolan Date: Fri, 17 Jun 2022 00:42:59 +0800 Subject: [PATCH 2/3] WP-268 remove quote around string placeholders in $wpdb->prepare statements --- includes/oer-functions.php | 16 ++++++++-------- open-educational-resources.php | 8 ++++---- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/includes/oer-functions.php b/includes/oer-functions.php index 4d57f52..6487403 100644 --- a/includes/oer-functions.php +++ b/includes/oer-functions.php @@ -2652,7 +2652,7 @@ function oer_get_substandards($standard_id, $core=true){ $substandards = array(); - $query = "SELECT * FROM {$wpdb->prefix}oer_sub_standards where parent_id='%s'"; + $query = "SELECT * FROM {$wpdb->prefix}oer_sub_standards where parent_id = %s"; $substandards = $wpdb->get_results($wpdb->prepare($query, $std_id)); @@ -2669,7 +2669,7 @@ function oer_get_standard_notations($standard_id){ $notations = array(); - $query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation where parent_id='%s'"; + $query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation where parent_id = %s"; $result = $wpdb->get_results($wpdb->prepare($query, $std_id)); 
@@ -2688,7 +2688,7 @@ function oer_get_substandard_by_notation($notation) { $std = null; - $query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE standard_notation = '%s'"; + $query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE standard_notation = %s"; $substandards = $wpdb->get_results($wpdb->prepare($query, $notation)); @@ -2707,7 +2707,7 @@ function oer_get_standard_by_notation($notation){ $std = null; - $query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE standard_notation = '%s'"; + $query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE standard_notation = %s"; $standard_notation = $wpdb->get_results($wpdb->prepare($query, $notation)); @@ -2736,7 +2736,7 @@ function get_substandards_by_notation($notation){ $std = null; - $query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE standard_notation = '%s'"; + $query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE standard_notation = %s"; $standard_notation = $wpdb->get_results($wpdb->prepare($query, $notation)); @@ -2798,7 +2798,7 @@ function oer_get_child_notations($notation_id){ $notation = "standard_notation-".$notation_id; - $query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE parent_id = '%s'"; + $query = "SELECT * FROM {$wpdb->prefix}oer_standard_notation WHERE parent_id = %s"; $standard_notations = $wpdb->get_results($wpdb->prepare($query, $notation)); 
@@ -2897,14 +2897,14 @@ function oer_get_corestandard_by_standard($parent_id){ $standard = null; $parent = explode("-",$parent_id); if ($parent[0]=="sub_standards") { - $query = "SELECT * FROM {$wpdb->prefix}oer_sub_standards WHERE id = '%s'"; + $query = "SELECT * FROM {$wpdb->prefix}oer_sub_standards WHERE id = %s"; $substandards = $wpdb->get_results($wpdb->prepare($query, $parent[1])); foreach($substandards as $substandard){ $standard = oer_get_corestandard_by_standard($substandard->parent_id); } } else { - $query = "SELECT * FROM {$wpdb->prefix}oer_core_standards WHERE id = '%s'"; + $query = "SELECT * FROM {$wpdb->prefix}oer_core_standards WHERE id = %s"; $standards = $wpdb->get_results($wpdb->prepare($query, $parent[1])); foreach($standards as $std){ $standard = $std; diff --git a/open-educational-resources.php b/open-educational-resources.php index 6e4e32a..8e05e54 100644 --- a/open-educational-resources.php +++ b/open-educational-resources.php @@ -2155,12 +2155,12 @@ function oer_custom_query($search, $wp_query){ $search .= "{$searchand} ("; //Search in title - $search .= $wpdb->prepare("($wpdb->posts.post_title LIKE '%s')", $term); + $search .= $wpdb->prepare("($wpdb->posts.post_title LIKE %s)", $term); $OR = ' OR '; //Search in content $search .= $OR; - $search .= $wpdb->prepare("($wpdb->posts.post_content LIKE '%s')", $term); + $search .= $wpdb->prepare("($wpdb->posts.post_content LIKE %s)", $term); $OR = ' OR '; //Search by meta keys @@ -2189,7 +2189,7 @@ function oer_custom_query($search, $wp_query){ $meta_key_OR = ''; foreach ($meta_keys as $key_slug) { $search .= $OR; - $search .= $wpdb->prepare("$meta_key_OR (pm.meta_key = '%s' AND pm.meta_value LIKE '%s')", $key_slug, $term); + $search .= $wpdb->prepare("$meta_key_OR (pm.meta_key = %s AND pm.meta_value LIKE %s)", $key_slug, $term); $OR = ''; $meta_key_OR = ' OR '; } 
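Review bot: Both queries in this hunk compare an `id` column with `%s`, which makes `prepare()` quote `$parent[1]` as a string; if these columns are integer ids (the table definitions are not visible from the hunk), `%d` is the precise placeholder and casts the value: `$query = "SELECT * FROM {$wpdb->prefix}oer_sub_standards WHERE id = %d";` and likewise for `oer_core_standards`. `$parent[1]` is also undefined when `$parent_id` contains no `-`, since `explode()` then returns a single element, so an `isset( $parent[1] )` guard before the queries would avoid the notice and the query against an empty value. oer_get_corestandard_by_standard continues outside this hunk.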
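Review bot: `LIKE %s` is the correct placeholder form, but for a LIKE it only behaves as intended if `$term` was built with `$wpdb->esc_like()` and wrapped in `%` wildcards before reaching this hunk; that construction sits above the hunk and is not visible here. If it is not done, the LIKE comparisons match only exact values and any `%` or `_` typed by the searcher acts as a wildcard, so the term should be prepared once as `$like = '%' . $wpdb->esc_like( $term ) . '%';` and passed in place of `$term`. The same applies to the 2189 and 2201 hunks of this file; oer_custom_query continues outside the hunk.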
@@ -2201,7 +2201,7 @@ function oer_custom_query($search, $wp_query){ $tax_OR = ''; foreach($taxonomies as $tax) { $search .= $OR; - $search .= $wpdb->prepare("$tax_OR (tt.taxonomy = '%s' AND t.name LIKE '%s')", $tax, $term); + $search .= $wpdb->prepare("$tax_OR (tt.taxonomy = %s AND t.name LIKE %s)", $tax, $term); $OR = ''; $tax_OR = ' OR '; } From 02c0f553a46983d3e5f0ca6c3986a3a229090706 Mon Sep 17 00:00:00 2001 From: John Paul Balagolan Date: Fri, 17 Jun 2022 00:46:55 +0800 Subject: [PATCH 3/3] WP-268 bump plugin version to 0.9.1 --- open-educational-resources.php | 4 ++-- readme.txt | 8 ++++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/open-educational-resources.php b/open-educational-resources.php index 8e05e54..4a12166 100644 --- a/open-educational-resources.php +++ b/open-educational-resources.php @@ -3,7 +3,7 @@ Plugin Name: WP OER Plugin URI: https://www.wp-oer.com Description: Open Educational Resource management and curation, metadata publishing, and alignment to Common Core State Standards. - Version: 0.9.0 + Version: 0.9.1 Requires at least: 4.4 Requires PHP: 7.0 Author: Navigation North @@ -38,7 +38,7 @@ // Plugin Name and Version define( 'OER_PLUGIN_NAME', 'WP OER Plugin' ); define( 'OER_ADMIN_PLUGIN_NAME', 'WP OER Plugin'); -define( 'OER_VERSION', '0.9.0' ); +define( 'OER_VERSION', '0.9.1' ); define( 'OER_SITE_PATH', ABSPATH ); include_once(OER_PATH.'includes/oer-functions.php'); diff --git a/readme.txt b/readme.txt index 6c1e97c..b7a663f 100644 --- a/readme.txt +++ b/readme.txt @@ -4,7 +4,7 @@ Tags: OER, Open Educational Resources, Education, Teaching, Learning Requires at least: 4.4 Tested up to: 6.0 Requires PHP: 7.0 -Stable tag: 0.9.0 +Stable tag: 0.9.1 License: GPLv3 License URI: https://www.gnu.org/licenses/gpl-3.0.html 
@@ -41,8 +41,12 @@ No frequently asked questions. 3. Display educational resources on your WordPress website! == Changelog == += 0.9.1 = +* Replaced move_uploaded_file with wp_handle_upload function when importing subject areas and resources +* Removed quote around string placeholders used in $wpdb->prepare statements + = 0.9.0 = -* Implement further sanitizing of input and escaping of displayed data +* Implemented further sanitizing of input and escaping of displayed data = 0.8.9 = * Upgrade Bootstrap library to 5.1.3