Opened 10 years ago
Last modified 5 years ago
#31083 new enhancement
WP_date_Query does not validate string values of 'before' or 'after'
Reported by: | ChriCo | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 4.1 |
Component: | Query | Keywords: | needs-patch |
Focuses: | Cc: |
Description
Currently the before/after values in WP_Date_Query can be an array or string, which will be parsed by strtotime:
if ( ! is_array( $datetime ) ) { // @todo Timezone issues here possibly return gmdate( 'Y-m-d H:i:s', strtotime( $datetime, $now ) ); }
But we don't validate this string in validate_date_values:
if ( array_key_exists( 'before', $date_query ) && is_array( $date_query['before'] ) ){ $valid = $this->validate_date_values( $date_query['before'] ); }
Example:
$query_args = array( array( 'before' => 'i am a valid date string!?' ) ); $date_query = new \WP_Date_Query( $query_args ); echo $date_query->get_sql; // AND ( ( post_date < '1970-01-01 00:00:00' ) )
Attachments (1)
Change History (2)
#1
@
10 years ago
- Keywords needs-patch added
- Milestone changed from Awaiting Review to Future Release
- Summary changed from WP_date_Query - broken before/after validation to WP_date_Query does not validate string values of 'before' or 'after'
- Type changed from defect (bug) to enhancement
Thanks for the patch. I'm changing the ticket summary because it's not really "broken", it was just skipped for non-array values of 'before' and 'after'. I don't really recall the reasons for this.
Regarding the patch, I'd like to see the logic consolidated. Let's either move the string parsing into validate_date_values()
, or have a separate method for parsing string dates only, which is called when a string value is detected. It also looks like passing the UNIX epoch will result in an invalid notice, which is incorrect - the ! ! strtotime()
check will have to be something more fine-grained. And we can't remove the is_numeric()
check introduced in [31251], or string values for 'hour' will not be properly rejected.
added new method for validating before/after, added time-string validation, unit tests