adds documentation for sniff WordPress.PHP.DiscouragedPHPFunctions #2494

Open: wants to merge 1 commit into base: develop
108 changes: 108 additions & 0 deletions WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
@@ -0,0 +1,108 @@
<?xml version="1.0"?>
<documentation xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://phpcsstandards.github.io/PHPCSDevTools/phpcsdocs.xsd"
title="Discouraged PHP Functions"
>
<standard>
<![CDATA[
Use JSON instead of serialized data, which has known vulnerability problems with object injection.
]]>
</standard>
<code_comparison>
<code title="Valid: Using JSON for serialized data.">
<![CDATA[
$serialized = json_encode( $array );
$serialized = wp_json_encode( $array );
$unserialized = json_decode( $array );
]]>
</code>
<code title="Invalid: Using serialized data strings.">
<![CDATA[
$serialized = serialize( $array );
$unserialized = unserialize( $array );
]]>
</code>
</code_comparison>
<standard>
<![CDATA[
URLs should now be encoded using rawurlencode(). Only legacy applications should use urlencode().
]]>
</standard>
<code_comparison>
<code title="Valid: Encoding a url using rawurlencode().">
<![CDATA[
rawurlencode( get_site_url() );
]]>
</code>
<code title="Invalid: Encoding a url using urlencode().">
<![CDATA[
urlencode( get_site_url() );
]]>
</code>
</code_comparison>
<standard>
<![CDATA[
Avoid using functions which change configuration values at runtime.
]]>
</standard>
<code_comparison>
<code title="Valid: Not changing configuration at runtime.">
<![CDATA[
// Configuration not changed at runtime.
]]>
</code>
<code title="Invalid: Changing configuration at runtime">
<![CDATA[
error_reporting( 0 );
ini_restore( $option );
apache_setenv( $variable, $value );
putenv( $assignment );
set_include_path( $include_path );
restore_include_path();
magic_quotes_runtime( $new_setting );
set_magic_quotes_runtime( $new_setting );
dl( $extension_filename );
]]>
</code>
</code_comparison>
<standard>
<![CDATA[
Do not use PHP system calls. They are often disabled by server admins.
]]>
</standard>
<code_comparison>
<code title="Valid: Not using PHP system calls.">
<![CDATA[
// Avoiding using PHP system calls.
]]>
</code>
<code title="Invalid: Using PHP system calls.">
<![CDATA[
exec( $command );
passthru( $command );
proc_open( 'php', $desc, $pipes, $cwd, $env );
shell_exec( $command );
system( $command );
popen( $command, $mode );
]]>
</code>
</code_comparison>
<standard>
<![CDATA[
Functions often used for obfuscating code are strongly discouraged. Make sure the function is used for benign reasons.
]]>
</standard>
<code_comparison>
<code title="Valid: Using functions for benign reasons.">
<![CDATA[
base64_encode($username);
base64_decode( $expected_md5 );
]]>
</code>
<code title="Invalid: Using functions to obfuscate code.">
<![CDATA[
eval( base64_decode( $code_str ) );
]]>
</code>
</code_comparison>
</documentation>
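Review bot: in the first code_comparison the "Valid" block decodes the wrong variable: `$unserialized = json_decode( $array );` passes the original array to json_decode(), which takes a JSON string, so the example as written does not round-trip; the same slip appears in the "Invalid" block with `unserialize( $array )`. Suggest `$unserialized = json_decode( $serialized );` and `$unserialized = unserialize( $serialized );` so each pair reads as encode-then-decode. The first standard text would also be sharper if it named the actual risk, i.e. that calling unserialize() on data an attacker controls allows PHP object injection, which is what the sniff is steering people away from. Two style points in the same file: the title `Invalid: Changing configuration at runtime` is the only one without a trailing period, and `base64_encode($username);` lacks the spaces inside the parentheses that every other example in this file (and the WordPress coding standard it documents) uses.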