[Update] Documentation for sniff WordPress.PHP.DiscouragedPHPFunctions #2584
base: develop
Changes from all commits
b91fb4f
d12e715
46f08e3
a8fffd4
b5a5872
013e0d0
5613680
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| <?xml version="1.0"?> | ||
| <documentation xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xsi:noNamespaceSchemaLocation="https://phpcsstandards.github.io/PHPCSDevTools/phpcsdocs.xsd" | ||
| title="Discouraged PHP Functions" | ||
| > | ||
| <standard> | ||
| <![CDATA[ | ||
| Use JSON instead of serialized data, which has known vulnerability problems with object injection. | ||
| ]]> | ||
| </standard> | ||
| <code_comparison> | ||
| <code title="Valid: Using JSON to encode data."> | ||
| <![CDATA[ | ||
| $serialized = <em>wp_json_encode</em>( $my_array ); | ||
| $unserialized = <em>json_decode</em>( $my_array ); | ||
| ]]> | ||
| </code> | ||
| <code title="Invalid: Using serialized data strings."> | ||
| <![CDATA[ | ||
| $serialized = <em>serialize</em>( $my_array ); | ||
| $unserialized = <em>unserialize</em>( $my_array ); | ||
| ]]> | ||
| </code> | ||
| </code_comparison> | ||
| <standard> | ||
| <![CDATA[ | ||
| URLs should now be encoded using rawurlencode(). | ||
| ]]> | ||
| </standard> | ||
| <code_comparison> | ||
| <code title="Valid: Encoding a url using rawurlencode()."> | ||
| <![CDATA[ | ||
| <em>rawurlencode</em>( get_site_url() ); | ||
| ]]> | ||
| </code> | ||
| <code title="Invalid: Encoding a url using urlencode()."> | ||
| <![CDATA[ | ||
| <em>urlencode</em>( get_site_url() ); | ||
| ]]> | ||
| </code> | ||
| </code_comparison> | ||
| <standard> | ||
| <![CDATA[ | ||
| Avoid using functions which change configuration values at runtime. Invalid runtime configuration functions include `error_reporting()`, `ini_restore()`, `apache_setenv()`, `putenv()`, `set_include_path()`, `restore_include_path()`, `magic_quotes_runtime()`, `set_magic_quotes_runtime()`, and `dl()`. | ||
| ]]> | ||
| </standard> | ||
| <code_comparison> | ||
| <code title="Valid: Not changing configuration at runtime."> | ||
| <![CDATA[ | ||
| // Configuration not changed at runtime. | ||
| ]]> | ||
| </code> | ||
| <code title="Invalid: Changing configuration at runtime."> | ||
| <![CDATA[ | ||
| <em>apache_setenv( $variable, $value );</em> | ||
| ]]> | ||
| </code> | ||
| </code_comparison> | ||
| <standard> | ||
| <![CDATA[ | ||
| Avoid PHP system calls as they are often disabled by server admins. Disallowed system call functions include `exec()`, `passthru()`, `proc_open()`, `shell_exec()`, `system()`, and `popen()`. | ||
| ]]> | ||
| </standard> | ||
| <code_comparison> | ||
| <code title="Valid: Not using PHP system calls."> | ||
| <![CDATA[ | ||
| // Avoiding using PHP system calls. | ||
| ]]> | ||
| </code> | ||
| <code title="Invalid: Using PHP system calls."> | ||
| <![CDATA[ | ||
| <em>exec( $my_command );</em> | ||
| ]]> | ||
| </code> | ||
| </code_comparison> | ||
| <standard> | ||
| <![CDATA[ | ||
| Functions often used for obfuscating code are strongly discouraged. Make sure the function is used for benign reasons. | ||
| ]]> | ||
| </standard> | ||
| <code_comparison> | ||
| <code title="Valid: Using functions for benign reasons."> | ||
| <![CDATA[ | ||
| // It is up to the developer to determine if the function is used for benign purposes or if they want to keep it. | ||
| ]]> | ||
| </code> | ||
| <code title="Invalid: Using functions to obfuscate code."> | ||
| <![CDATA[ | ||
| <em>eval( </em>base64_decode( $code_str )<em> )</em>; | ||
| <em>convert_uudecode( $uuencoded )</code>em>; | ||
|
Collaborator
Besides the point that I raised above about the placement of the |
||
| <em>str_rot13( $rot13_encoded )</em>; | ||
|
Collaborator
I might be missing something but the name of this variable is a bit misleading to me as the function does not expect a ROT13 version of a string as its first parameter. Instead it will return a ROT13 version of a string. |
||
| ]]> | ||
| </code> | ||
| </code_comparison> | ||
| </documentation> | ||
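Review bot: The "Valid" JSON example in the first code_comparison decodes the wrong variable: `$unserialized = <em>json_decode</em>( $my_array );` passes the original array to json_decode(), which takes the JSON string, so it should decode `$serialized`; the "Invalid" block has the same mismatch in `$unserialized = <em>unserialize</em>( $my_array );`, and the value produced there would more naturally be called `$data` or similar rather than `$unserialized`. In the same hunk the closing tag in `<em>convert_uudecode( $uuencoded )</code>em>;` is broken and should be `</em>`, otherwise the docs renderer will not highlight the function name and the stray `</code>` text will leak into the rendered example. The emphasis is also applied inconsistently: most blocks wrap only the function name, while `<em>apache_setenv( $variable, $value );</em>` and `<em>exec( $my_command );</em>` wrap the whole statement including the semicolon; please pick one convention. Finally, the rawurlencode() example encodes a complete URL returned by get_site_url(), which percent-encodes the scheme separator and path slashes as well; rawurlencode() is intended for a single URL component such as a query-string value or path segment, so an example encoding one parameter value would show the intended use, and the sentence "URLs should now be encoded using rawurlencode()." reads better without "now".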
I believe `eval()` is not flagged by the sniff so it should not be highlighted. More broadly, I'm not sure if it needs to be included as the sniff will trigger anyway for `base64_decode()` regardless of whether `eval()` is used.