wp-cli / db-command

Performs basic database operations using credentials stored in wp-config.php.
MIT License

Implement CS checking based on the `WP_CLI_CS` ruleset #141

Closed wojsmol closed 5 years ago

wojsmol commented 5 years ago

Add a PHPCS ruleset using the new WP_CLI_CS standard.

Fixes https://github.com/wp-cli/db-command/issues/139

Related wp-cli/wp-cli#5179

schlessera commented 5 years ago

mt_rand() is discouraged. Use the far less predictable wp_rand() instead.

=> replace mt_rand() with wp_rand()

Simple placeholders should not be quoted in the query string in $wpdb->prepare(). Found: '%s'.

=> remove quotes around placeholders: '%s' => %s

Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "KB_IN_BYTES, ..., ..., ...".

=> wrap in whitelist:

```php
// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound
if ( ! defined( 'KB_IN_BYTES' ) ) {
    define( 'KB_IN_BYTES', 1024 );
}
if ( ! defined( 'MB_IN_BYTES' ) ) {
    define( 'MB_IN_BYTES', 1024 * KB_IN_BYTES );
}
if ( ! defined( 'GB_IN_BYTES' ) ) {
    define( 'GB_IN_BYTES', 1024 * MB_IN_BYTES );
}
if ( ! defined( 'TB_IN_BYTES' ) ) {
    define( 'TB_IN_BYTES', 1024 * GB_IN_BYTES );
}
// phpcs:enable
```

(to be continued...)

schlessera commented 5 years ago

Silencing errors is strongly discouraged. Use proper error checking instead. Found: @preg_match( $search_regex,...

=> Unsure why we have this there, let's leave it for now. Precede with whitelist comment:

```php
// phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged -- Unsure why this is needed, leaving in for now.
```

Use placeholders and $wpdb->prepare(); found interpolated variable ...

=> Lines 1182, 1184, 1429 - I verified these are escaped, whitelist with a preceding comment:

```php
// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- Escaped through esc_sql_ident/esc_like.
```

=> Line 1429 - a slightly different comment explanation:

```php
// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- Asserted to be a valid table name through wp_get_table_names.
```

Object property "$Xxx" is not in valid snake_case format, try "$xxx"

=> We can't change these, wrap block in whitelist:

```php
// phpcs:disable WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase -- Property names come from database.
if ( 'PRI' === $col->Key ) {
    $primary_keys[] = $col->Field;
}
if ( self::is_text_col( $col->Type ) ) {
    $text_columns[] = $col->Field;
}
$all_columns[] = $col->Field;
// phpcs:enable
```
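
The suppressions proposed in this thread silence security-relevant sniffs (`PreparedSQL`, `NoSilencedErrors`), so a reviewer may want to list every `phpcs:ignore` / `phpcs:disable` and check that each names a sniff and carries a `-- reason`. The script below is an added example, not part of the thread or of the project's code; `audit_suppressions`, the `SENSITIVE` prefix list and the sample input are assumptions made for illustration.

```python
import re

# PHPCS inline annotation: phpcs:ignore|disable|enable [codes] [-- reason]
ANNOTATION = re.compile(
    r"phpcs:(?P<kind>ignore|disable|enable)\b"
    r"(?P<codes>.*?)(?:\s--\s(?P<reason>.*))?$"
)
# Assumption: sniff prefixes this audit treats as security-relevant.
SENSITIVE = ("WordPress.DB.PreparedSQL", "WordPress.PHP.NoSilencedErrors")

# Constructed sample; the annotation lines mirror those quoted in the thread.
SAMPLE = r"""// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound
define( 'KB_IN_BYTES', 1024 );
// phpcs:enable
// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- Escaped through esc_sql_ident/esc_like.
$rows = $wpdb->get_results( "SELECT * FROM $table_sql" );
// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
$rows = $wpdb->get_results( "SELECT * FROM $other" );
"""


def audit_suppressions(source):
    """Return (line_no, kind, codes, problem) for each suppression needing review."""
    findings, open_disable = [], None
    for no, line in enumerate(source.splitlines(), 1):
        m = ANNOTATION.search(line)
        if not m:
            continue
        kind = m["kind"]
        codes = [c.strip() for c in m["codes"].split(",") if c.strip()]
        reason = (m["reason"] or "").strip()
        if kind == "enable":
            open_disable = None  # simplification: any enable closes the open block
            continue
        if kind == "disable":
            open_disable = (no, codes)
        if not codes:
            findings.append((no, kind, codes, "suppresses every sniff"))
        elif not reason and any(c.startswith(SENSITIVE) for c in codes):
            findings.append((no, kind, codes, "security sniff silenced without a reason"))
        elif not reason:
            findings.append((no, kind, codes, "no justification after '--'"))
    if open_disable:
        findings.append((open_disable[0], "disable", open_disable[1], "never re-enabled"))
    return findings


if __name__ == "__main__":
    for finding in audit_suppressions(SAMPLE):
        print(finding)
```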