Automattic\WooCommerce\Blueprint\Importers
ImportRunSql::process
Process the SQL execution step.
Validates and executes the SQL query while ensuring:
- Only allowed query types are executed
- No modifications to admin users or roles
- No unauthorized changes to user capabilities
Method of the class: ImportRunSql{}
No Hooks.
Returns
StepProcessorResult. The result of the SQL execution: an error entry when the query is rejected or fails, a debug entry when it is committed.
Usage
$ImportRunSql = new ImportRunSql(); $ImportRunSql->process( $schema ): StepProcessorResult;
- $schema(object) (required)
- The schema containing the SQL query to execute.
ImportRunSql::process() ImportRunSql::process code WC 9.9.5
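/**
 * Process the SQL execution step.
 *
 * Validates the query before anything is sent to the database: the statement type
 * must be one of self::ALLOWED_QUERY_TYPES, the text must not contain suspicious
 * comment or injection patterns, and it must not touch protected tables or the
 * user-capability rows. The query then runs inside a transaction which is rolled
 * back when $wpdb reports an error or an exception escapes the call.
 *
 * @param object $schema Step schema; $schema->sql->contents holds the SQL text and
 *                       $schema->sql->name a label used in the debug message.
 * @return StepProcessorResult Error entry on rejection or failure, debug entry on success.
 */
public function process( $schema ): StepProcessorResult {
	global $wpdb;

	$result = StepProcessorResult::success( RunSql::get_step_name() );

	// Reject a step without SQL text up front rather than reading a property off null,
	// which would emit a warning and pass an empty string through the checks below.
	if ( ! isset( $schema->sql->contents ) || ! is_string( $schema->sql->contents ) ) {
		$result->add_error( 'SQL step is missing the sql.contents string.' );
		return $result;
	}

	$sql = trim( $schema->sql->contents );

	// Check if the query type is allowed.
	if ( ! $this->is_allowed_query_type( $sql ) ) {
		$result->add_error( sprintf( 'Only %s queries are allowed.', implode( ', ', self::ALLOWED_QUERY_TYPES ) ) );
		return $result;
	}

	// Check for SQL comments that might be hiding malicious code.
	if ( $this->contains_suspicious_comments( $sql ) ) {
		$result->add_error( 'SQL query contains suspicious comment patterns.' );
		return $result;
	}

	// Detect SQL injection patterns.
	if ( $this->contains_sql_injection_patterns( $sql ) ) {
		$result->add_error( 'SQL query contains potential injection patterns.' );
		return $result;
	}

	// Check if the query affects protected tables.
	if ( $this->affects_protected_tables( $sql ) ) {
		$result->add_error( 'Modifications to admin users or roles are not allowed.' );
		return $result;
	}

	// Check if the query affects user capabilities in wp_options.
	if ( $this->affects_user_capabilities( $sql ) ) {
		$result->add_error( 'Modifications to user roles or capabilities are not allowed.' );
		return $result;
	}

	// suppress_errors() returns the previous setting; keep it so the global $wpdb is
	// restored afterwards instead of staying silenced for the rest of the request.
	$previous_suppress = $wpdb->suppress_errors( true );

	// NOTE(review): MySQL commits implicitly on DDL statements, so this ROLLBACK only
	// undoes DML — confirm ALLOWED_QUERY_TYPES does not admit DDL.
	$wpdb->query( 'START TRANSACTION' );

	try {
		$query_result = $wpdb->query( $sql ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
		$last_error   = $wpdb->last_error;

		if ( $last_error ) {
			$wpdb->query( 'ROLLBACK' );
			$result->add_error( 'Error executing SQL: ' . $last_error );
		} else {
			$wpdb->query( 'COMMIT' );
			$sql_name = $schema->sql->name ?? '';
			$result->add_debug( "Executed SQL ({$sql_name}): Affected {$query_result} rows" );
		}
	} catch ( \Throwable $e ) {
		$wpdb->query( 'ROLLBACK' );
		$result->add_error( "Exception executing SQL: {$e->getMessage()}" );
	} finally {
		// Runs on every path out of the try, including a rethrow from ROLLBACK itself.
		$wpdb->suppress_errors( $previous_suppress );
	}

	return $result;
}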