diff --git a/ACF_City_Selector.php b/ACF_City_Selector.php index f2187bb..7430073 100755 --- a/ACF_City_Selector.php +++ b/ACF_City_Selector.php @@ -3,7 +3,7 @@ Plugin Name: ACF City Selector Plugin URI: https://acf-city-selector.com Description: An extension for ACF which allows you to select a city based on country and province/state. - Version: 1.15.1 + Version: 1.16.0 Tested up to: 6.6.1 Requires PHP: 7.0 Author: Beee @@ -38,7 +38,7 @@ public function __construct() { $this->settings = [ 'db_version' => '1.0', 'url' => plugin_dir_url( __FILE__ ), - 'version' => '1.15.1', + 'version' => '1.16.0', ]; if ( ! class_exists( 'ACFCS_WEBSITE_URL' ) ) { diff --git a/README.md b/README.md index 41828a4..db9f839 100644 --- a/README.md +++ b/README.md @@ -228,6 +228,9 @@ I got the idea for this plugin through [Fabrizio Sabato](https://github.com/fab0 ### Changelog +1.16.0 +* add nonces for forms + 1.15.1 * use wp_filesystem for csv files * sanitize/escape more diff --git a/admin/acf-city-selector-v4.php b/admin/acf-city-selector-v4.php index 69fb659..46f6d5d 100755 --- a/admin/acf-city-selector-v4.php +++ b/admin/acf-city-selector-v4.php @@ -234,7 +234,7 @@ function input_admin_enqueue_scripts() { $all_info = acfcs_get_field_settings(); $js_vars[ 'ajaxurl' ] = admin_url( 'admin-ajax.php' ); $js_vars[ 'default_country' ] = ( isset( $all_info[ 'default_country' ] ) && false != $all_info[ 'default_country' ] ) ? $all_info[ 'default_country' ] : false; - $js_vars[ 'post_id' ] = ( isset( $_GET[ 'post' ] ) ) ? (int) $_GET[ 'post' ] : false; + $js_vars[ 'post_id' ] = 0 < get_the_ID() ? (int) get_the_ID() : false; $js_vars[ 'show_labels' ] = ( isset( $all_info[ 'show_labels' ] ) ) ? $all_info[ 'show_labels' ] : apply_filters( 'acfcs_show_labels', true ); $js_vars[ 'use_select2' ] = ( isset( $all_info[ 'use_select2' ] ) ) ? $all_info[ 'use_select2' ] : false; $js_vars[ 'which_fields' ] = ( isset( $all_info[ 'which_fields' ] ) ) ? $all_info[ 'which_fields' ] : 'all'; diff --git a/admin/acf-city-selector-v5.php b/admin/acf-city-selector-v5.php index 808e7e9..7b6b1c6 100755 --- a/admin/acf-city-selector-v5.php +++ b/admin/acf-city-selector-v5.php @@ -201,15 +201,17 @@ function input_admin_enqueue_scripts() { wp_register_script( 'acfcs-process', "{$plugin_url}assets/js/city-selector.js", array( 'jquery', 'acf-input' ), $plugin_version, false ); wp_enqueue_script( 'acfcs-process' ); - - $all_info = acfcs_get_field_settings(); - $js_vars[ 'ajaxurl' ] = admin_url( 'admin-ajax.php' ); - $js_vars[ 'default_country' ] = ( isset( $all_info[ 'default_country' ] ) && false != $all_info[ 'default_country' ] ) ? $all_info[ 'default_country' ] : false; - $js_vars[ 'post_id' ] = ( isset( $_GET[ 'post' ] ) ) ? (int) $_GET[ 'post' ] : false; - $js_vars[ 'show_labels' ] = ( isset( $all_info[ 'show_labels' ] ) ) ? $all_info[ 'show_labels' ] : apply_filters( 'acfcs_show_labels', true ); - $js_vars[ 'store_meta' ] = ( isset( $all_info[ 'store_meta' ] ) ) ? $all_info[ 'store_meta' ] : false; - $js_vars[ 'use_select2' ] = ( isset( $all_info[ 'use_select2' ] ) ) ? $all_info[ 'use_select2' ] : false; - $js_vars[ 'which_fields' ] = ( isset( $all_info[ 'which_fields' ] ) ) ? $all_info[ 'which_fields' ] : 'all'; + + $all_info = acfcs_get_field_settings(); + $js_vars[ 'ajaxurl' ] = admin_url( 'admin-ajax.php' ); + $js_vars[ 'default_country' ] = ( isset( $all_info[ 'default_country' ] ) && false != $all_info[ 'default_country' ] ) ? $all_info[ 'default_country' ] : false; + $js_vars[ 'post_id' ] = 0 < get_the_ID() ? (int) get_the_ID() : false; + $js_vars[ 'acfcs_state_nonce' ] = wp_create_nonce( 'acfcs-state-nonce' ); + $js_vars[ 'acfcs_city_nonce' ] = wp_create_nonce( 'acfcs-city-nonce' ); + $js_vars[ 'show_labels' ] = ( isset( $all_info[ 'show_labels' ] ) ) ? $all_info[ 'show_labels' ] : apply_filters( 'acfcs_show_labels', true ); + $js_vars[ 'store_meta' ] = ( isset( $all_info[ 'store_meta' ] ) ) ? $all_info[ 'store_meta' ] : false; + $js_vars[ 'use_select2' ] = ( isset( $all_info[ 'use_select2' ] ) ) ? $all_info[ 'use_select2' ] : false; + $js_vars[ 'which_fields' ] = ( isset( $all_info[ 'which_fields' ] ) ) ? $all_info[ 'which_fields' ] : 'all'; wp_localize_script( 'acfcs-process', 'city_selector_vars', $js_vars ); } diff --git a/admin/acfcs-dashboard.php b/admin/acfcs-dashboard.php index ba26969..367e718 100755 --- a/admin/acfcs-dashboard.php +++ b/admin/acfcs-dashboard.php @@ -7,7 +7,16 @@ function acfcs_dashboard() { if ( ! current_user_can( apply_filters( 'acfcs_user_cap', 'manage_options' ) ) ) { wp_die( esc_html__( 'You do not have sufficient permissions to access this page.', 'acf-city-selector' ) ); } - + + $submitted_raw_data = false; + if ( isset( $_POST[ 'acfcs_import_raw_nonce' ] ) ) { + if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST[ 'acfcs_import_raw_nonce' ] ) ), 'acfcs-import-raw-nonce' ) ) { + ACF_City_Selector::acfcs_errors()->add( 'error_no_nonce_match', esc_html__( 'Something went wrong, please try again.', 'acf-city-selector' ) ); + } else { + $submitted_raw_data = ( isset( $_POST[ 'raw_csv_import' ] ) ) ? sanitize_textarea_field( wp_unslash( $_POST[ 'raw_csv_import' ] ) ) : false; + } + } + ACF_City_Selector::acfcs_show_admin_notices(); $show_raw_import = true; @@ -38,7 +47,6 @@ function acfcs_dashboard() { -
%s', esc_html__( 'Import CSV data (from clipboard)', 'acf-city-selector' ) ); ?>

diff --git a/admin/acfcs-preview-form.php b/admin/acfcs-preview-form.php index ef5c8c2..319dc8b 100755 --- a/admin/acfcs-preview-form.php +++ b/admin/acfcs-preview-form.php @@ -8,6 +8,7 @@

+
%s', esc_attr__( 'File', 'acf-city-selector' ) ); ?> diff --git a/admin/acfcs-preview.php b/admin/acfcs-preview.php index 3976bad..7d905f0 100755 --- a/admin/acfcs-preview.php +++ b/admin/acfcs-preview.php @@ -7,7 +7,22 @@ function acfcs_preview_page() { if ( ! current_user_can( apply_filters( 'acfcs_user_cap', 'manage_options' ) ) ) { wp_die( esc_html__( 'Sorry, you do not have sufficient permissions to access this page.', 'acf-city-selector' ) ); } - + + $file_name = false; + $limit = 100; + $delimiter = ';'; + + if ( isset( $_POST[ 'acfcs_preview_nonce' ] ) ) { + if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST[ 'acfcs_preview_nonce' ] ) ), 'acfcs-preview-nonce' ) ) { + ACF_City_Selector::acfcs_errors()->add( 'error_nonce_no_match', esc_html__( 'Something went wrong, please try again.', 'acf-city-selector' ) ); + return; + } else { + $file_name = ( isset( $_POST[ 'acfcs_file_name' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_file_name' ] ) ) : false; + $max_lines = ( isset( $_POST[ 'acfcs_max_lines' ] ) ) ? (int) $_POST[ 'acfcs_max_lines' ] : $limit; + $delimiter = ( isset( $_POST[ 'acfcs_delimiter' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_delimiter' ] ) ) : apply_filters( 'acfcs_delimiter', $delimiter ); + } + } + ACF_City_Selector::acfcs_show_admin_notices(); ?> @@ -16,12 +31,8 @@ function acfcs_preview_page() { add( 'error_no_nonce_match', esc_html__( 'Something went wrong, please try again.', 'acf-city-selector' ) ); + return; + } else { + $search_criteria_state = ( ! empty( $_POST[ 'acfcs_state' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_state' ] ) ) : false; + $search_criteria_country = ( ! empty( $_POST[ 'acfcs_country' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_country' ] ) ) : false; + $searched_orderby = ( ! empty( $_POST[ 'acfcs_orderby' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_orderby' ] ) ) : false; + $searched_term = ( ! empty( $_POST[ 'acfcs_search' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_search' ] ) ) : false; + $selected_limit = ( ! empty( $_POST[ 'acfcs_limit' ] ) ) ? (int) $_POST[ 'acfcs_limit' ] : $limit; + } + } + // if there is at least 1 country if ( ! empty( $all_countries ) ) { foreach ( $all_countries as $country_code => $country_name ) { @@ -62,6 +77,7 @@ function acfcs_search() { +
diff --git a/admin/process-file-form.php b/admin/process-file-form.php index b4c9403..41f851e 100755 --- a/admin/process-file-form.php +++ b/admin/process-file-form.php @@ -2,6 +2,16 @@ if ( ! defined( 'ABSPATH' ) ) { exit; } + + $selected_file_name = false; + if ( isset( $_POST[ 'acfcs_select_file_nonce' ] ) ) { + if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST[ 'acfcs_select_file_nonce' ] ) ), 'acfcs-select-file-nonce' ) ) { + ACF_City_Selector::acfcs_errors()->add( 'error_nonce_no_match', esc_html__( 'Something went wrong, please try again.', 'acf-city-selector' ) ); + return; + } else { + $selected_file_name = isset( $_POST[ 'acfcs_file_name' ] ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_file_name' ] ) ) : false; + } + } ?> @@ -14,7 +24,7 @@ %s', esc_attr__( 'Select a file', 'acf-city-selector' ) ); ?> - + %s', esc_attr( $file_name ), esc_attr( $selected ), esc_attr( $file_name ) ); ?> diff --git a/assets/js/city-selector.js b/assets/js/city-selector.js index a188e7a..79dfc5a 100644 --- a/assets/js/city-selector.js +++ b/assets/js/city-selector.js @@ -45,7 +45,6 @@ countries.on('change', function () { const response_cities = [] const response_states = [] - var $this = $(this); var country_code = $this.val(); var country_field_id = $this.attr('id'); @@ -61,11 +60,17 @@ $show_labels = $(this).data('show-labels'); $which_fields = $(this).data('which-fields'); } + var state_nonce = city_selector_vars[ 'acfcs_state_nonce' ]; + var city_nonce = city_selector_vars[ 'acfcs_city_nonce' ]; var show_labels = $show_labels; var which_fields = $which_fields; + if ( '' === country_code ) { + changed_city.empty(); + } + if ( $.inArray(which_fields, [ 'country_state', 'all' ] ) !== -1 ) { - const d = acfcs_get_states(country_code, show_labels, post_id); + const d = acfcs_get_states(country_code, show_labels, post_id, state_nonce); response_states.push(d); Promise.all(response_states).then(function(jsonResults) { @@ -85,7 +90,7 @@ }); } else if ( $.inArray(which_fields, [ 'country_city' ] ) !== -1 ) { - const d = acfcs_get_cities(country_code, show_labels, post_id); + const d = acfcs_get_cities(country_code, show_labels, post_id, city_nonce); response_cities.push(d); Promise.all(response_cities).then(function(jsonResults) { @@ -122,6 +127,7 @@ $show_labels = $(this).data('show-labels'); $which_fields = $(this).data('which-fields'); } + var city_nonce = city_selector_vars[ 'acfcs_city_nonce' ]; var show_labels = $show_labels; var which_fields = $which_fields; @@ -132,7 +138,7 @@ var state_field_id = $this.attr('id'); var city_field_id = state_field_id.replace('stateCode', 'cityName'); var changed_city = $('select[id="' + city_field_id + '"]'); - const d = acfcs_get_cities(state_code, show_labels, post_id); + const d = acfcs_get_cities(state_code, show_labels, post_id, city_nonce); response_cities.push(d); Promise.all(response_cities).then(function(jsonResults) { @@ -166,10 +172,12 @@ * @param showLabels * @param postID * @param callback + * @param nonce * @returns {Promise} */ - function acfcs_get_states(countryCode, showLabels, postID, callback) { + function acfcs_get_states(countryCode, showLabels, postID, nonce, callback) { const state_data = { + acfcs_state_nonce: nonce, action: 'get_states_call', country_code: countryCode, post_id: postID, @@ -189,11 +197,13 @@ * @param stateCode * @param showLabels * @param postID + * @param nonce * @param callback * @returns {Promise} */ - function acfcs_get_cities(stateCode, showLabels, postID, callback) { + function acfcs_get_cities(stateCode, showLabels, postID, nonce, callback) { const city_data = { + acfcs_city_nonce: nonce, action: 'get_cities_call', post_id: postID, show_labels: showLabels, diff --git a/inc/acfcs-ajax.php b/inc/acfcs-ajax.php index 6bfe477..7599e54 100644 --- a/inc/acfcs-ajax.php +++ b/inc/acfcs-ajax.php @@ -10,46 +10,48 @@ * @return JSON Object */ function acfcs_get_states_call() { - if ( isset( $_POST[ 'country_code' ] ) ) { - $field = false; - $items = array(); - $post_id = ( isset( $_POST[ 'post_id' ] ) ) ? (int) $_POST[ 'post_id' ] : false; - - if ( is_string( $_POST[ 'country_code' ] ) ) { - $country_code = sanitize_text_field( wp_unslash( $_POST[ 'country_code' ] ) ); - } - - if ( false != $post_id ) { - $fields = get_field_objects( $post_id ); - if ( is_array( $fields ) && ! empty( $fields ) ) { - $field = acfcs_get_field_settings( $fields ); + if ( isset( $_POST[ 'acfcs_state_nonce' ] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST[ 'acfcs_state_nonce' ] ) ), 'acfcs-state-nonce' ) ) { + if ( isset( $_POST[ 'country_code' ] ) ) { + $field = false; + $items = array(); + $post_id = ( isset( $_POST[ 'post_id' ] ) ) ? (int) $_POST[ 'post_id' ] : false; + + if ( is_string( $_POST[ 'country_code' ] ) ) { + $country_code = sanitize_text_field( wp_unslash( $_POST[ 'country_code' ] ) ); } - } - - if ( ! isset( $field[ 'show_labels' ] ) && isset( $_POST[ 'show_labels' ] ) ) { - $field[ 'show_labels' ] = ( '1' == sanitize_text_field( wp_unslash( $_POST[ 'show_labels' ] ) ) ) ? true : false; - } - - if ( isset( $country_code ) ) { - $states_transient = acfcs_get_states( $country_code, true, $field ); - } - - if ( isset( $states_transient ) && ! empty( $states_transient ) ) { - foreach ( $states_transient as $key => $label ) { - if ( $label != 'N/A' ) { - $items[] = [ - 'state_name' => $label, - 'country_state' => $key, - ]; - } else { - $items[] = [ - 'state_name' => $country_code, - 'country_state' => $key, - ]; + + if ( false != $post_id ) { + $fields = get_field_objects( $post_id ); + if ( is_array( $fields ) && ! empty( $fields ) ) { + $field = acfcs_get_field_settings( $fields ); + } + } + + if ( ! isset( $field[ 'show_labels' ] ) && isset( $_POST[ 'show_labels' ] ) ) { + $field[ 'show_labels' ] = ( '1' == sanitize_text_field( wp_unslash( $_POST[ 'show_labels' ] ) ) ) ? true : false; + } + + if ( isset( $country_code ) ) { + $states_transient = acfcs_get_states( $country_code, true, $field ); + } + + if ( isset( $states_transient ) && ! empty( $states_transient ) ) { + foreach ( $states_transient as $key => $label ) { + if ( $label != 'N/A' ) { + $items[] = [ + 'state_name' => $label, + 'country_state' => $key, + ]; + } else { + $items[] = [ + 'state_name' => $country_code, + 'country_state' => $key, + ]; + } } + echo wp_json_encode( $items ); + wp_die(); } - echo wp_json_encode( $items ); - wp_die(); } } } @@ -63,65 +65,66 @@ function acfcs_get_states_call() { * @return JSON Object */ function acfcs_get_cities_call() { - - if ( isset( $_POST[ 'state_code' ] ) ) { - $country_code = false; - $field = false; - $items = array(); - $post_id = ( isset( $_POST[ 'post_id' ] ) ) ? (int) $_POST[ 'post_id' ] : false; - $posted_state_code = sanitize_text_field( wp_unslash( $_POST[ 'state_code' ] ) ); - $state_code = false; - - if ( false != $post_id ) { - $fields = get_field_objects( $post_id ); - if ( ! empty( $fields ) ) { - $field = acfcs_get_field_settings( $fields ); + if ( isset( $_POST[ 'acfcs_city_nonce' ] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST[ 'acfcs_city_nonce' ] ) ), 'acfcs-city-nonce' ) ) { + if ( isset( $_POST[ 'state_code' ] ) ) { + $country_code = false; + $field = false; + $items = array(); + $post_id = ( isset( $_POST[ 'post_id' ] ) ) ? (int) $_POST[ 'post_id' ] : false; + $posted_state_code = sanitize_text_field( wp_unslash( $_POST[ 'state_code' ] ) ); + $state_code = false; + + if ( false != $post_id ) { + $fields = get_field_objects( $post_id ); + if ( ! empty( $fields ) ) { + $field = acfcs_get_field_settings( $fields ); + } } - } - - if ( ! isset( $field[ 'show_labels' ] ) && isset( $_POST[ 'show_labels' ] ) ) { - $show_labels = sanitize_text_field( wp_unslash( $_POST[ 'show_labels' ] ) ); - if ( '1' == $show_labels ) { - $field[ 'show_labels' ] = true; - } elseif ( '0' == $show_labels ) { - $field[ 'show_labels' ] = false; + + if ( ! isset( $field[ 'show_labels' ] ) && isset( $_POST[ 'show_labels' ] ) ) { + $show_labels = sanitize_text_field( wp_unslash( $_POST[ 'show_labels' ] ) ); + if ( '1' == $show_labels ) { + $field[ 'show_labels' ] = true; + } elseif ( '0' == $show_labels ) { + $field[ 'show_labels' ] = false; + } } - } - - if ( 6 <= strlen( $posted_state_code ) ) { - $codes = explode( '-', $posted_state_code ); - $country_code = $codes[ 0 ]; - $state_code = $codes[ 1 ]; - } elseif ( strpos( $posted_state_code, 'FR-' ) !== false ) { - $country_code = substr( $posted_state_code, 0, 2 ); - $state_code = substr( $posted_state_code, 3 ); - } elseif ( 2 == strlen( $posted_state_code ) ) { - // if 2 == strlen( $posted_state_code ) then it's probably a country code - // this is probably never reached, but just in case... - $country_code = $posted_state_code; - $state_code = false; - } elseif ( ! empty( $posted_state_code ) ) { - $codes = explode( '-', $posted_state_code ); - $country_code = $codes[ 0 ]; - $state_code = $codes[ 1 ]; - } else { - // fallback if all else fails - if ( isset( $field[ 'default_country' ] ) && ! empty( $field[ 'default_country' ] ) ) { - $country_code = $field[ 'default_country' ]; + + if ( 6 <= strlen( $posted_state_code ) ) { + $codes = explode( '-', $posted_state_code ); + $country_code = $codes[ 0 ]; + $state_code = $codes[ 1 ]; + } elseif ( strpos( $posted_state_code, 'FR-' ) !== false ) { + $country_code = substr( $posted_state_code, 0, 2 ); + $state_code = substr( $posted_state_code, 3 ); + } elseif ( 2 == strlen( $posted_state_code ) ) { + // if 2 == strlen( $posted_state_code ) then it's probably a country code + // this is probably never reached, but just in case... + $country_code = $posted_state_code; + $state_code = false; + } elseif ( ! empty( $posted_state_code ) ) { + $codes = explode( '-', $posted_state_code ); + $country_code = $codes[ 0 ]; + $state_code = $codes[ 1 ]; + } else { + // fallback if all else fails + if ( isset( $field[ 'default_country' ] ) && ! empty( $field[ 'default_country' ] ) ) { + $country_code = $field[ 'default_country' ]; + } } - } - - $cities_transient = acfcs_get_cities( $country_code, $state_code, $field ); - - if ( ! empty( $cities_transient ) ) { - foreach ( $cities_transient as $city ) { - $items[] = [ - 'id' => $city, - 'city_name' => $city, - ]; + + $cities_transient = acfcs_get_cities( $country_code, $state_code, $field ); + + if ( ! empty( $cities_transient ) ) { + foreach ( $cities_transient as $city ) { + $items[] = [ + 'id' => $city, + 'city_name' => $city, + ]; + } + echo wp_json_encode( $items ); + wp_die(); } - echo wp_json_encode( $items ); - wp_die(); } } } diff --git a/inc/acfcs-functions.php b/inc/acfcs-functions.php index ec95baf..efd9cc5 100755 --- a/inc/acfcs-functions.php +++ b/inc/acfcs-functions.php @@ -816,44 +816,52 @@ function acfcs_get_states_optgroup() { * @return array|object|stdClass[]|null */ function acfcs_get_searched_cities() { - global $wpdb; - $cities = []; - $orderby = false; - $table = $wpdb->prefix . 'cities'; - $search_criteria_state = ( isset( $_POST[ 'acfcs_state' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_state' ] ) ) : false; - $search_criteria_country = ( isset( $_POST[ 'acfcs_country' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_country' ] ) ) : false; - $searched_orderby = ( ! empty( $_POST[ 'acfcs_orderby' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_orderby' ] ) ) : false; - $searched_term = ( ! empty( $_POST[ 'acfcs_search' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_search' ] ) ) : false; - $selected_limit = ( ! empty( $_POST[ 'acfcs_limit' ] ) ) ? (int) $_POST[ 'acfcs_limit' ] : 100; - $parameters = [ $table ]; - $where = ''; + $cities = []; - if ( false != $search_criteria_state ) { - $state_code = strtoupper( substr( $search_criteria_state, 3, 3 ) ); - $parameters[] = $state_code; - $country_code = strtoupper( substr( $search_criteria_state, 0, 2 ) ); - $parameters[] = $country_code; - $where .= "WHERE state_code = %s AND country_code = %s"; - - } elseif ( false != $search_criteria_country ) { - $where .= "WHERE country_code = %s"; - $parameters[] = $search_criteria_country; - } + if ( isset( $_POST[ 'acfcs_search_form_nonce' ] ) ) { + if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST[ 'acfcs_search_form_nonce' ] ) ), 'acfcs-search-form-nonce' ) ) { + ACF_City_Selector::acfcs_errors()->add( 'error_no_nonce_match', esc_html__( 'Something went wrong, please try again.', 'acf-city-selector' ) ); + return; + } else { + global $wpdb; + $orderby = false; + $table = $wpdb->prefix . 'cities'; + $search_criteria_state = ( isset( $_POST[ 'acfcs_state' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_state' ] ) ) : false; + $search_criteria_country = ( isset( $_POST[ 'acfcs_country' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_country' ] ) ) : false; + $searched_orderby = ( ! empty( $_POST[ 'acfcs_orderby' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_orderby' ] ) ) : false; + $searched_term = ( ! empty( $_POST[ 'acfcs_search' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_search' ] ) ) : false; + $selected_limit = ( ! empty( $_POST[ 'acfcs_limit' ] ) ) ? (int) $_POST[ 'acfcs_limit' ] : 100; + $parameters = [ $table ]; + $where = ''; + + if ( false != $search_criteria_state ) { + $state_code = strtoupper( substr( $search_criteria_state, 3, 3 ) ); + $parameters[] = $state_code; + $country_code = strtoupper( substr( $search_criteria_state, 0, 2 ) ); + $parameters[] = $country_code; + $where .= "WHERE state_code = %s AND country_code = %s"; - if ( false != $searched_term && ( $search_criteria_country || $search_criteria_state ) ) { - $where .= ' AND city_name LIKE "%s%"'; - $parameters[] = '%' . $searched_term . '%'; - } - - if ( 'state' == $searched_orderby ) { - $where .= ' ORDER BY state_name ASC, city_name ASC'; - } else { - $where .= ' ORDER BY city_name ASC, state_name ASC'; - } + } elseif ( false != $search_criteria_country ) { + $where .= "WHERE country_code = %s"; + $parameters[] = $search_criteria_country; + } + + if ( false != $searched_term && ( $search_criteria_country || $search_criteria_state ) ) { + $where .= ' AND city_name LIKE "%s%"'; + $parameters[] = '%' . $searched_term . '%'; + } - $where .= ' LIMIT %d'; - $parameters[] = $selected_limit; - $cities = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM %i $where", $parameters ) ); + if ( 'state' == $searched_orderby ) { + $where .= ' ORDER BY state_name ASC, city_name ASC'; + } else { + $where .= ' ORDER BY city_name ASC, state_name ASC'; + } + + $where .= ' LIMIT %d'; + $parameters[] = $selected_limit; + $cities = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM %i $where", $parameters ) ); + } + } return $cities; } diff --git a/readme.txt b/readme.txt index c02c6ca..7d5f502 100755 --- a/readme.txt +++ b/readme.txt @@ -4,7 +4,7 @@ Contributors: beee Requires at least: 3.6.0 Requires PHP: 7.0 Tested up to: 6.6.1 -Stable tag: 1.15.1 +Stable tag: 1.16.0 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html @@ -41,6 +41,9 @@ A. Please read the FAQ @ [https://acf-city-selector.com/documentation/](https:// == Changelog == += 1.16.0 = +* add nonces for forms + = 1.15.1 = * use wp_filesystem for csv files * sanitize/escape more diff --git a/uninstall.php b/uninstall.php index 89b2586..b243f7e 100644 --- a/uninstall.php +++ b/uninstall.php @@ -6,5 +6,5 @@ if ( false != get_option( 'acfcs_delete_cities_table' ) ) { global $wpdb; - $wpdb->query("DROP TABLE IF EXISTS {$wpdb->prefix}cities"); + $wpdb->query($wpdb->prepare( "DROP TABLE IF EXISTS %i", $wpdb->prefix . 'cities' ) ); }