Changeset 60906 for trunk/src/wp-includes/post.php

Timestamp:

10/06/2025 08:11:21 PM (2 months ago)

Author:

westonruter

Message:

Posts, Post Types: Short-circuit wp_post_delete() when $post_id arg is not above zero after casting to int.

The casting to int ensures that the action callbacks for post deletion can safely use the int type hint for the $post_id argument, as otherwise a fatal error occurs when an integer string is passed. This function also originally had casting of the argument to an integer, going back to at least WP 1.5.0, since it was passed directly into an SQL query. The casting was removed in [6180] with the introduction of prepared SQL statements.

The wp_delete_post() function had $post_id = 0 defined as its argument, also going back at least to WP 1.5.0, perhaps as a way to indicate the type of the argument as being an integer before there was PHPDoc. Unlike with functions like get_post() which have $post = null as the default argument to fall back to getting the global post, no such fallback logic was added to wp_delete_post(), meaning that passing no argument would always result in a DB query to locate the post with an ID of 0, which will never happen. So this introduces a _doing_it_wrong() in case 0 is passed, and yet the default value of 0 is not removed from the function signature to not introduce a fatal error in case any existing code is not supplying the $post_id parameter (however unlikely this may be).

Unit tests have been fleshed out for wp_delete_post() to add coverage for what was previously missing.

Props SirLouen, kkmuffme, fakhriaz, sajjad67, siliconforks, peterwilsoncc, westonruter.
Fixes #63975.

File:

• trunk/src/wp-includes/post.php (modified) (3 diffs)

trunk/src/wp-includes/post.php

@@ -3744 +3744 @@
  * @see wp_trash_post()
  *
- * @param int  $post_id      Optional. Post ID. Default 0.
+ * @param int  $post_id      Post ID. (The default of 0 is for historical reasons; providing it is incorrect.)
  * @param bool $force_delete Optional. Whether to bypass Trash and force deletion.
  *                           Default false.
@@ -3751 +3751 @@
 function wp_delete_post( $post_id = 0, $force_delete = false ) {
     global $wpdb;
+
+    $post_id = (int) $post_id;
+    if ( $post_id <= 0 ) {
+        _doing_it_wrong( __FUNCTION__, __( 'The post ID must be greater than 0.' ), '6.9.0' );
+        return false;
+    }
 
     $post = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE ID = %d", $post_id ) );
@@ -3776 +3782 @@
      * @since 4.4.0
      *
-     * @param WP_Post|false|null $delete       Whether to go forward with deletion.
+     * @param WP_Post|false|null $check        Whether to go forward with deletion. Anything other than null will short-circuit deletion.
      * @param WP_Post            $post         Post object.
      * @param bool               $force_delete Whether to bypass the Trash.