Merge pull request #5 from tarecord/release/2.0.2

Release/2.0.2

location-addon-for-gravity-forms.php

@@ -13,7 +13,7 @@
  * Plugin Name:       Location Add-on For Gravity Forms
  * Plugin URI:        https://www.tannerrecord.com/location-add-on-for-gravity-forms
  * Description:       An Add-on for Gravity Forms that displays the posts & pages on which a form has been used.
- * Version:           2.0.1
+ * Version:           2.0.2
  * Requires at least: 5.6
  * Requires PHP:      7.1
  * Author:            Tanner Record

readme.txt

@@ -1,7 +1,7 @@
 === Location Add-on For Gravity Forms ===
-Requires at least: 5.2 or Later
-Tested up to: 5.6.2
-Stable tag: 2.0.1
+Requires at least: 5.6 or Later
+Tested up to: 5.7
+Stable tag: 2.0.2
 Requires PHP: 7.1
 Contributors: tarecord
 License: GPLv2 or later
@@ -37,7 +37,7 @@ Yes, in addition to searching the page/post content, the plugin will also search
 
 = How can I contribute? =
 
-Help me improve this plugin on GitHub by submitting a pull request or adding an issue (<a href="https://github.com/tarecord/gravity-forms-locator/">https://github.com/tarecord/gravity-forms-locator/</a>).
+Help me improve this plugin on GitHub by submitting a pull request or adding an issue (<a href="https://github.com/tarecord/location-add-on-for-gravity-forms">https://github.com/tarecord/location-add-on-for-gravity-forms</a>).
 
 == Screenshots ==
 

src/FormLocationsTable.php

@@ -39,23 +39,30 @@ public function get_locations() {
 
 		global $wpdb;
 
-		if ( ! empty( filter_input( INPUT_GET, 'form_id' ) ) ) {
-			$form_id = sanitize_text_field( wp_unslash( filter_input( INPUT_GET, 'form_id' ) ) );
-			$sql     = "SELECT * FROM {$wpdb->prefix}lagf_form_page WHERE form_id = {$form_id}";
-		} else {
-			$sql = "SELECT * FROM {$wpdb->prefix}lagf_form_page";
-		}
+		$form_id = absint( filter_input( INPUT_GET, 'form_id', FILTER_VALIDATE_INT ) );
+		$orderby = filter_input( INPUT_GET, 'orderby', FILTER_SANITIZE_STRING );
+		$order   = strtoupper( filter_input( INPUT_GET, 'order', FILTER_SANITIZE_STRING ) ?? 'asc' );
 
-		if ( ! empty( filter_input( INPUT_GET, 'orderby' ) ) ) {
+		$sql  = "SELECT * FROM {$wpdb->prefix}lagf_form_page";
+		$args = [];
 
-			$orderby = sanitize_text_field( wp_unslash( filter_input( INPUT_GET, 'orderby' ) ) );
-			$order   = sanitize_text_field( wp_unslash( filter_input( INPUT_GET, 'order' ) ) );
+		if ( ! empty( $form_id ) ) {
 
-			$sql .= ' ORDER BY ' . esc_sql( $orderby );
-			$sql .= ! empty( filter_input( INPUT_GET, 'order' ) ) ? ' ' . esc_sql( $order ) : ' ASC';
+			$sql   .= ' WHERE form_id = %d';
+			$args[] = $form_id;
 		}
 
-		$result = $wpdb->get_results( $sql, 'ARRAY_A' ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+		if ( ! empty( $orderby ) && ! empty( $order ) ) {
+
+			$sql   .= ' ORDER BY %s %s';
+			$args[] = $orderby;
+			$args[] = $order;
+		}
+
+		$result = $wpdb->get_results(
+			$wpdb->prepare( $sql, $args ), // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+			'ARRAY_A'
+		);
 
 		return $result;
 	}