Coming Soon Page & Maintenance Mode by SeedProd - Version 6.2.2

Version Description

  • Updated - Sanitization and security hardening in query statements.

Release Info

Developer seedprod
Version 6.2.2

Code changes from version 6.2.1 to 6.2.2

Files changed (4)
  1. README.txt +5 -1
  2. app/lpage.php +69 -52
  3. app/subscriber.php +0 -57
  4. coming-soon.php +2 -2
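--- a/README.txt
+++ b/README.txt
@@ -5,7 +5,7 @@ Tags: maintenance mode, coming soon page, coming soon, under construction, landi
 Requires at least: 5.0
 Tested up to: 5.7
 Requires PHP: 5.6
-Stable tag: 6.2.0
+Stable tag: 6.2.1
 Text Domain: coming-soon
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -156,6 +156,10 @@ Yes, you cam build custom Product, Checkout and Cart pages with our WooCommerce
 
 
 == Changelog ==
+= 6.2.2 =
+
+* Updated - Sanitization and security hardening in query statements.
+
 = 6.2.1 =
 
 * Tweak - Clarify External Service is used for license upgrades.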
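--- a/app/lpage.php
+++ b/app/lpage.php
@@ -167,62 +167,71 @@ function seedprod_lite_lpage_datatable() {
 $filter = null;
 }
 
-// Get records
-global $wpdb;
-$tablename = $wpdb->prefix . 'posts';
-$meta_tablename = $wpdb->prefix . 'postmeta';
-
-$sql = "SELECT * FROM $tablename p LEFT JOIN $meta_tablename pm ON (pm.post_id = p.ID)";
-
-$sql .= ' WHERE 1 = 1 AND post_type = "page" AND meta_key = "_seedprod_page"';
-
 if ( ! empty( $filter ) ) {
-if ( esc_sql( $filter ) == 'published' ) {
-$sql .= ' AND post_status = "publish" ';
+$post_status_compare = "=";
+if ( $filter == 'published' ) {
+$post_status ="publish";
 }
-if ( esc_sql( $filter ) == 'drafts' ) {
-$sql .= ' AND post_status = "draft" ';
+if ( $filter == 'drafts' ) {
+$post_status ="draft" ;
 }
-if ( esc_sql( $filter ) == 'scheduled' ) {
-$sql .= ' AND post_status = "future" ';
+if ( $filter == 'scheduled' ) {
+$post_status ="future";
 }
-if ( esc_sql( $filter ) == 'archived' ) {
-$sql .= ' AND post_status = "trash" ';
+if ( $filter == 'archived' ) {
+$post_status ="trash" ;
 }
 } else {
-$sql .= 'AND post_status != "trash"';
+$post_status_compare = "!=";
+$post_status = "trash";
 }
+$post_status_statement = ' post_status ' . $post_status_compare . ' %s ';
 
 if ( ! empty( $_GET['s'] ) ) {
-$sql .= ' AND post_title LIKE "%' . esc_sql( trim( sanitize_text_field( $_GET['s'] ) ) ) . '%"';
+$search_term = '%'.trim( sanitize_text_field( $_GET['s'] ) ).'%';
 }
 
+$order_by = 'id';
+$order_by_direction = 'DESC';
 if ( ! empty( $_GET['orderby'] ) ) {
-$orderby = $_GET['orderby'];
+$orderby = sanitize_text_field($_GET['orderby']);
 if ( $orderby == 'date' ) {
-$orderby = 'post_modified';
+$order_by = 'post_modified';
 }
+
 if ( $orderby == 'name' ) {
-$orderby = 'post_title';
+$order_by = 'post_title';
 }
-$sql .= ' ORDER BY ' . esc_sql( $orderby );
 
-if ( sanitize_text_field( $_GET['order'] ) === 'desc' ) {
-$order = 'DESC';
+$direction = sanitize_text_field( $_GET['order']);
+if ( $direction === 'desc' ) {
+$order_by_direction = 'DESC';
 } else {
-$order = 'ASC';
+$order_by_direction = 'ASC';
 }
-$sql .= ' ' . $order;
-} else {
-$sql .= ' ORDER BY id DESC';
-}
+}
+$order_by_statement = 'ORDER BY '.$order_by.' '.$order_by_direction;
 
-$sql .= " LIMIT $per_page";
+$offset = 0;
 if ( empty( $_POST['s'] ) ) {
-$sql .= ' OFFSET ' . ( $current_page - 1 ) * $per_page;
+$offset = ( $current_page - 1 ) * $per_page;
+}
+
+// Get records
+global $wpdb;
+$tablename = $wpdb->prefix . 'posts';
+$meta_tablename = $wpdb->prefix . 'postmeta';
+
+if(empty( $_GET['s'] )){
+$sql = 'SELECT * FROM '.$tablename.' p LEFT JOIN '.$meta_tablename.' pm ON (pm.post_id = p.ID) WHERE post_type = "page" AND meta_key = "_seedprod_page" AND ' .$post_status_statement.' '.$order_by_statement.' LIMIT %d OFFSET %d';
+$safe_sql = $wpdb->prepare( $sql, $post_status, $per_page, $offset);
+}else{
+$sql = 'SELECT * FROM '.$tablename.' p LEFT JOIN '.$meta_tablename.' pm ON (pm.post_id = p.ID) WHERE post_type = "page" AND meta_key = "_seedprod_page" AND ' .$post_status_statement.' AND post_title LIKE %s '.$order_by_statement.' LIMIT %d OFFSET %d';
+$safe_sql = $wpdb->prepare( $sql, $post_status, $search_term, $per_page, $offset);
 }
 
-$results = $wpdb->get_results( $sql );
+
+$results = $wpdb->get_results( $safe_sql );
 
 $login_page_id = get_option( 'seedprod_login_page_id' );
 $data = array();
@@ -283,37 +292,45 @@ function seedprod_lite_lpage_datatable() {
 
 
 function seedprod_lite_lpage_get_data_total( $filter = null ) {
-global $wpdb;
-
-$tablename = $wpdb->prefix . 'posts';
-$meta_tablename = $wpdb->prefix . 'postmeta';
-
-$sql = "SELECT count(*) FROM $tablename p LEFT JOIN $meta_tablename pm ON (pm.post_id = p.ID)";
-
-$sql .= ' WHERE 1 = 1 AND post_type = "page" AND meta_key = "_seedprod_page"';
 
 if ( ! empty( $filter ) ) {
-if ( esc_sql( $filter ) == 'published' ) {
-$sql .= ' AND post_status = "publish" ';
+$post_status_compare = "=";
+if ( $filter == 'published' ) {
+$post_status ="publish";
 }
-if ( esc_sql( $filter ) == 'drafts' ) {
-$sql .= ' AND post_status = "draft" ';
+if ( $filter == 'drafts' ) {
+$post_status ="draft" ;
 }
-if ( esc_sql( $filter ) == 'scheduled' ) {
-$sql .= ' AND post_status = "future" ';
+if ( $filter == 'scheduled' ) {
+$post_status ="future";
 }
-if ( esc_sql( $filter ) == 'archived' ) {
-$sql .= ' AND post_status = "trash" ';
+if ( $filter == 'archived' ) {
+$post_status ="trash" ;
 }
 } else {
-$sql .= ' AND post_status != "trash"';
+$post_status_compare = "!=";
+$post_status = "trash";
 }
+$post_status_statement = ' post_status ' . $post_status_compare . ' %s ';
 
 if ( ! empty( $_GET['s'] ) ) {
-$sql .= ' AND post_name LIKE "%' . esc_sql( sanitize_text_field( $_GET['s'] ) ) . '%"';
+$search_term = '%'.trim( sanitize_text_field( $_GET['s'] ) ).'%';
 }
 
-$results = $wpdb->get_var( $sql );
+global $wpdb;
+
+$tablename = $wpdb->prefix . 'posts';
+$meta_tablename = $wpdb->prefix . 'postmeta';
+
+if(empty( $_GET['s'] )){
+$sql = 'SELECT count(*) FROM '.$tablename.' p LEFT JOIN '.$meta_tablename.' pm ON (pm.post_id = p.ID) WHERE post_type = "page" AND meta_key = "_seedprod_page" AND ' .$post_status_statement;
+$safe_sql = $wpdb->prepare( $sql, $post_status);
+}else{
+$sql = 'SELECT * FROM '.$tablename.' p LEFT JOIN '.$meta_tablename.' pm ON (pm.post_id = p.ID) WHERE post_type = "page" AND meta_key = "_seedprod_page" AND ' .$post_status_statement.' AND post_title LIKE %s ';
+$safe_sql = $wpdb->prepare( $sql, $post_status, $search_term);
+}
+
+$results = $wpdb->get_var( $safe_sql );
 return $results;
 }
 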
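Review bot: The search branch of `seedprod_lite_lpage_get_data_total` (new line 329) selects `*` while its result is read with `$wpdb->get_var`, so the returned "total" is the first column of the first matching row rather than a count; the statement should begin `'SELECT count(*) FROM '` exactly as its sibling on line 326 does. In both hunks `$post_status` is assigned only for the four recognised filter values, so any other non-empty `$filter` reaches `prepare()` with an undefined variable and binds `''`, which silently matches nothing; initialise `$post_status_compare = '!='; $post_status = 'trash';` ahead of the `if` so an unknown filter falls back to the default view. `$search_term` wraps the sanitised input in `%` without `$wpdb->esc_like()`, so `%` and `_` supplied by the user still act as wildcards; use `'%' . $wpdb->esc_like( trim( sanitize_text_field( $_GET['s'] ) ) ) . '%'` in both functions. `sanitize_text_field( $_GET['order'] )` on new line 206 runs even when `order` is absent from the request and raises an undefined-index notice; read it as `$_GET['order'] ?? ''` first. `seedprod_lite_lpage_datatable` begins above the first hunk, so whether the request is capability- and nonce-checked before these queries run is not visible here.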
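--- a/app/subscriber.php
+++ b/app/subscriber.php
@@ -89,60 +89,3 @@ function seedprod_lite_subscribers_datatable() {
 }
 }
 
-function seedprod_lite_subscribers_get_data_total( $filter = null ) {
-global $wpdb;
-
-$tablename = $wpdb->prefix . 'csp3_subscribers';
-
-$sql = "SELECT count(id) FROM $tablename";
-
-if ( ! empty( $_GET['id'] ) ) {
-$sql .= ' WHERE page_uuid = ' . esc_sql( $_GET['id'] );
-} else {
-$sql .= ' WHERE 1 =1 ';
-}
-
-if ( ! empty( $_GET['s'] ) ) {
-$sql .= ' AND email LIKE "%' . esc_sql( trim( sanitize_text_field( $_GET['s'] ) ) ) . '%"';
-}
-
-$results = $wpdb->get_var( $sql );
-return $results;
-}
-
-function seedprod_lite_subscribers_get_views( $filter = null ) {
-$views = array();
-$current = ( ! empty( $filter ) ? $filter : 'all' );
-
-global $wpdb;
-$tablename = $wpdb->prefix . 'csp3_subscribers';
-
-//All link
-$sql = "SELECT count(id) FROM $tablename";
-
-if ( ! empty( $_GET['id'] ) ) {
-$sql .= ' WHERE lpage_id = ' . esc_sql( $_GET['id'] );
-} else {
-$sql .= ' WHERE 1 =1 ';
-}
-
-$results = $wpdb->get_var( $sql );
-$class = ( $current == 'all' ? ' class="current"' : '' );
-$all_url = remove_query_arg( 'filter' );
-$views['all'] = $results;
-
-return $views;
-}
-
-
-/*
-* Update Subscriber
-*/
-function seedprod_lite_update_subscriber_count() {
-if ( check_ajax_referer( 'seedprod_lite_update_subscriber_count' ) ) {
-update_option( 'seedprod_subscriber_count', 1 );
-}
-
-}
-
-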
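--- a/coming-soon.php
+++ b/coming-soon.php
@@ -3,7 +3,7 @@
 Plugin Name: Coming Soon Page, Maintenance Mode & Landing Pages by SeedProd
 Plugin URI: https://www.seedprod.com
 Description: The #1 Coming Soon Page, Under Construction & Maintenance Mode plugin for WordPress.
-Version: 6.2.1
+Version: 6.2.2
 Author: SeedProd
 Author URI: https://www.seedprod.com
 TextDomain: coming-soon
@@ -16,7 +16,7 @@ License: GPLv2 or later
 */
 define( 'SEEDPROD_BUILD', 'lite' );
 define( 'SEEDPROD_SLUG', 'coming-soon/coming-soon.php' );
-define( 'SEEDPROD_VERSION', '6.2.1' );
+define( 'SEEDPROD_VERSION', '6.2.2' );
 define( 'SEEDPROD_PLUGIN_PATH', plugin_dir_path( __FILE__ ) );
 // Example output: /Applications/MAMP/htdocs/wordpress/wp-content/plugins/seedprod/
 define( 'SEEDPROD_PLUGIN_URL', plugin_dir_url( __FILE__ ) );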