Refine DirectDB sniff error messages#1218

Merged
davidperezgar merged 1 commit into trunk from refine-sniff-error-messages on Mar 15, 2026
Conversation

@ernilambar ernilambar commented Mar 15, 2026

Fixes #1217

Summary

Shortens and simplifies PluginCheck.Security.DirectDB (DirectDBSniff) output so messages are easier to scan in CI/IDE.

Changes

  • Omit full query from message: Message format changed from Unescaped parameter %s used in $wpdb->%s(%s)%s to Unescaped parameter %s used in $wpdb->%s()%s. The SQL string is no longer included.
  • Cap extra context: Only the first line of extra context is appended (e.g. $foo assigned unsafely at line 14.). Assignment code snippets are no longer included in unwind_unsafe_assignments().

Testing

  • No test changes required (tests assert line numbers and error code only).

Example code

function example() {
	global $wpdb;
	$foo = $_GET['id'];
	$wpdb->query( "SELECT * FROM " . $wpdb->users . " WHERE id = '" . $foo . "' LIMIT 1" );
}

The sniff reports the unescaped $foo on the query() line. The “before” message included the full first argument and full assignment context; the “after” message does not.


Before

Unescaped parameter $foo used in $wpdb->query("SELECT * FROM " . $wpdb->users . " WHERE id = '" . $foo . "' LIMIT 1")

 $foo assigned unsafely at line 4:
 $foo = $_GET['id'];

If the assignment had used e.g. sanitize_text_field(), a second line of context was added:

Unescaped parameter $foo used in $wpdb->query("SELECT * FROM " . $wpdb->users . " WHERE id = '" . $foo . "' LIMIT 1")

 $foo assigned unsafely at line 4:
 $foo = sanitize_text_field( $_POST['id'] );
Note: sanitize_text_field() is not a safe escaping function.

After (exact message from phpcs)

Unescaped parameter $foo used in $wpdb->query()

 $foo assigned unsafely at line 4.

Only the first line of context is shown, and the assignment code snippet is omitted. The “Note: …” line is no longer shown (it was always part of the extra context block).

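As an added example that is not part of this pull request or of the Plugin Check code base: the concatenated-query shape that the DirectDB sniff reports, placed next to the $wpdb->prepare() form that does not trigger it. It assumes the WordPress global $wpdb and the WordPress helpers sanitize_text_field() and absint(); the two function names are constructed for illustration.

```php
<?php
/**
 * Added example, not part of the pull request: the pattern the DirectDB
 * sniff reports, beside the form that clears the warning. Assumes the
 * WordPress global $wpdb; function names are hypothetical.
 */

// Reported by the sniff: $_GET['id'] reaches the SQL string through
// concatenation. Wrapping it in sanitize_text_field() does not change the
// verdict, because that is an input sanitizer, not an SQL escaping function
// (the same point the "Note:" line in the old message made).
function example_flagged() {
	global $wpdb;
	$foo = sanitize_text_field( $_GET['id'] );
	return $wpdb->get_row( "SELECT * FROM " . $wpdb->users . " WHERE id = '" . $foo . "' LIMIT 1" );
}

// Not reported: the value is bound through $wpdb->prepare() with a %d
// placeholder, so it is cast to an integer and never spliced into the query
// as raw string content. The table name comes from the $wpdb property, not
// from user input.
function example_prepared() {
	global $wpdb;
	$id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
	if ( 0 === $id ) {
		return null;
	}
	return $wpdb->get_row(
		$wpdb->prepare(
			"SELECT * FROM {$wpdb->users} WHERE ID = %d LIMIT 1",
			$id
		)
	);
}
```

Running phpcs with the Plugin Check standard over a file containing both functions reports only example_flagged(); with the change in this pull request that report reads "Unescaped parameter $foo used in $wpdb->get_row()" followed by the single "$foo assigned unsafely at line N." context line.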
@ernilambar ernilambar force-pushed the refine-sniff-error-messages branch from c8312dd to 1fbed40 Compare March 15, 2026 10:15
@ernilambar ernilambar marked this pull request as ready for review March 15, 2026 10:22
github-actions bot commented Mar 15, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: ernilambar <nilambar@git.wordpress.org>
Co-authored-by: davidperezgar <davidperez@git.wordpress.org>
Co-authored-by: frantorres <frantorres@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@davidperezgar davidperezgar merged commit 457f08b into trunk Mar 15, 2026
28 checks passed
@davidperezgar davidperezgar deleted the refine-sniff-error-messages branch March 15, 2026 15:49
Development

Successfully merging this pull request may close these issues.

Make DirectDB sniff output less noisy