QuizandSurveyMaster · zubairraeen · Mar 12, 2024 · Mar 12, 2024 · Mar 12, 2024
diff --git a/php/admin/functions.php b/php/admin/functions.php
@@ -540,7 +540,7 @@ function qsm_generate_question_option( $key, $single_option ) {
 						foreach ( $single_option['options'] as $key => $value ) {
 							?>
 							<label>
-								<input name="<?php echo esc_attr( $parent_key ); ?>[]" type="checkbox" value="<?php echo esc_attr( $key ); ?>" <?php echo in_array( $key, $default ) ? 'checked' : ''; ?> />
+								<input name="<?php echo esc_attr( $parent_key ); ?>[]" type="checkbox" value="<?php echo esc_attr( $key ); ?>" <?php echo in_array( $key, $default, true ) ? 'checked' : ''; ?> />
 								<?php echo esc_attr( $value ); ?>
 							</label>
 							<br />
@@ -703,7 +703,7 @@ class="qsm-wizard-step-text"><?php esc_html_e( 'Quiz Settings', 'quiz-master-nex
 									'help'        => __( 'Select the system for grading the quiz.', 'quiz-master-next' ),
 								),
 								'enable_contact_form'    => array(
-									'option_name' => __( 'Enable Contact Form', 'quiz-master-next' ),
+									'option_name' => __( 'Display a contact form before quiz', 'quiz-master-next' ),
 									'value'       => 0,
 									'type'        => 'radio',
 									'options'     => array(
@@ -716,7 +716,6 @@ class="qsm-wizard-step-text"><?php esc_html_e( 'Quiz Settings', 'quiz-master-nex
 											'value' => 0,
 										),
 									),
-									'help'        => __( 'Display a contact form before quiz', 'quiz-master-next' ),
 								),
 								'timer_limit'            => array(
 									'option_name' => __( 'Time Limit (in Minute)', 'quiz-master-next' ),
@@ -1391,8 +1390,8 @@ function qsm_quiz_theme_settings( $type, $label, $name, $value, $default_value,
 		            break;
 				case 'dropdown':
 					$param = array(
-						'name'  => "settings[". $name ."]",
-						'value' => $value,
+						'name'          => "settings[". $name ."]",
+						'value'         => $value,
 						'default_value' => $default_value,
 					);
 					qsm_get_input_label_selected( $param );
@@ -1508,7 +1507,7 @@ function qsm_get_input_label_selected( $param ) {
         return;
     }
     $value = '';
-	
+
     if ( ! empty( $param['value'] ) ) {
         $value = $param['value'];
     }

diff --git a/php/classes/class-qmn-quiz-manager.php b/php/classes/class-qmn-quiz-manager.php
@@ -705,7 +705,17 @@ public function load_questions( $quiz_id, $quiz_options, $is_quiz_page, $questio
 					$term_ids    = implode( ',', $category_ids );
 					$question_id = implode( ',', $question_ids );
 					$term_ids    = ( '' !== $quiz_options->randon_category ) ? $quiz_options->randon_category : $term_ids;
-					$tq_ids = $wpdb->get_results( "SELECT DISTINCT `term_id`, `question_id` FROM `{$wpdb->prefix}mlw_question_terms` WHERE `question_id` IN ({$question_id}) AND `term_id` IN ({$term_ids}) AND `taxonomy`='qsm_category'", ARRAY_A );
+					$tq_ids = $wpdb->get_results(
+						"SELECT DISTINCT `term_id`, `question_id`
+						FROM `{$wpdb->prefix}mlw_question_terms`
+						JOIN `{$wpdb->prefix}mlw_questions` ON `{$wpdb->prefix}mlw_question_terms`.`question_id` = `{$wpdb->prefix}mlw_questions`.`question_id`
+						WHERE `{$wpdb->prefix}mlw_question_terms`.`question_id` IN ($question_id)
+							AND `{$wpdb->prefix}mlw_question_terms`.`term_id` IN ($term_ids)
+							AND `{$wpdb->prefix}mlw_question_terms`.`taxonomy` = 'qsm_category'
+							AND `{$wpdb->prefix}mlw_questions`.`deleted` = 0
+						",
+						ARRAY_A
+					);
 					$random = array();
 					if ( ! empty( $tq_ids ) ) {
 						$term_data = array();
@@ -748,7 +758,19 @@ public function load_questions( $quiz_id, $quiz_options, $is_quiz_page, $questio
 						if ( 1 == $quiz_options->randomness_order || 2 == $quiz_options->randomness_order ) {
 							$category_order_sql = 'ORDER BY rand()';
 						}
-						$tq_ids[] = $wpdb->get_results( "SELECT DISTINCT `question_id` FROM `{$wpdb->prefix}mlw_question_terms` WHERE `quiz_id` = $quiz_id AND `term_id` = $category  AND `taxonomy`='qsm_category' AND question_id NOT IN ($exclude_ids) ".esc_sql( $category_order_sql )." LIMIT $limit", ARRAY_A );
+						$tq_ids[] = $wpdb->get_results(
+							"SELECT DISTINCT q.`question_id`
+							FROM `{$wpdb->prefix}mlw_questions` AS q
+							JOIN `{$wpdb->prefix}mlw_question_terms` AS qt ON q.`question_id` = qt.`question_id`
+							WHERE qt.`quiz_id` = $quiz_id
+								AND qt.`term_id` = $category
+								AND qt.`taxonomy` = 'qsm_category'
+								AND qt.`question_id` NOT IN ($exclude_ids)
+								AND q.`deleted` = 0
+							".esc_sql( $category_order_sql )."
+							LIMIT $limit",
+							ARRAY_A
+						);
 					}
 					$final_result = array_column(array_merge(...array_map('array_merge', $tq_ids)),'question_id');
 					if ( 1 == $quiz_options->randomness_order || 2 == $quiz_options->randomness_order ) {

diff --git a/php/classes/class-qsm-quiz-api.php b/php/classes/class-qsm-quiz-api.php
@@ -11,7 +11,7 @@
  * @since 4.0.0
  */
 class QSMQuizApi {
-	
+
 	public function __construct() {
 		add_action( 'rest_api_init', array( $this, 'register_routes' ) );
 		add_action( 'wp_ajax_regenerate_api_key', array( $this, 'regenerate_api_key' ) );
@@ -64,27 +64,27 @@ public function register_routes() {
     }
 
 	public function regenerate_api_key() {
-		if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'regenerate_api_key_nonce' ) ) {
-			wp_send_json_error( 'Invalid nonce.' );
+		if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'regenerate_api_key_nonce' ) ) {
+			wp_send_json_error( __('Invalid nonce.', 'quiz-master-next' ) );
 		}
 		$api_key = bin2hex(random_bytes(16));
 		$api_key = password_hash($api_key, PASSWORD_BCRYPT);
 		wp_send_json_success( $api_key );
 	}
 
 	public function load_form_field() {
-	
-		if ( isset($_POST['qsm_api_form_nonce']) && wp_verify_nonce($_POST['qsm_api_form_nonce'], 'qsm_api_form') && isset($_POST['qsm_api_settings']) ) {
-			$qsm_api_settings = maybe_serialize($_POST['qsm_api_settings']); 
+
+		if ( isset($_POST['qsm_api_form_nonce']) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['qsm_api_form_nonce'] ) ), 'qsm_api_form') && isset($_POST['qsm_api_settings']) ) {
+			$qsm_api_settings = maybe_serialize( qsm_sanitize_rec_array( wp_unslash( $_POST['qsm_api_settings'] ) ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 			update_option('qsm_quiz_api_settings', $qsm_api_settings);
 		}
-		
+
 		$qsm_api_settings_serialized = get_option('qsm_quiz_api_settings');
 
 		if ( $qsm_api_settings_serialized ) {
 			$qsm_api_settings = maybe_unserialize($qsm_api_settings_serialized);
 		} else {
-			
+
 			$default_api_settings = array(
 				'api_key'           => '',
 				'get_questions'     => '',
@@ -147,7 +147,7 @@ public function load_form_field() {
 			<?php wp_nonce_field('qsm_api_form', 'qsm_api_form_nonce'); ?>
 			<button type="submit" name="qsm_api_submit" class="button-primary"><?php esc_html_e('Save Changes', 'quiz-master-next'); ?></button>
 		</form>
-		<?php 
+		<?php
 	}
 
 	/**
@@ -188,14 +188,14 @@ protected function qsm_verify_api_key_settings( $api_key, $type ) {
 	}
 
 	public function qsm_get_quiz_result_info( WP_REST_Request $request ) {
-		
+
 		$api_key_param = $request->get_header('authorization');
 		$verification = $this->qsm_verify_api_key_settings($api_key_param, 'get_result');
 		if ( $verification['success'] ) {
 			if ( $request->get_param('result_id') ) {
 				global $wpdb;
 				$results_data = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}mlw_results WHERE result_id = %d", $request->get_param('result_id') ) );
-		
+
 				if ( $results_data ) {
 					$results_data->quiz_results = maybe_unserialize($results_data->quiz_results);
 					$response = array(
@@ -217,34 +217,34 @@ public function qsm_get_quiz_result_info( WP_REST_Request $request ) {
 				$from_date = $request->get_param('from_date');
 				$order = $request->get_param('order');
 				$s = $request->get_param('s');
-		
+
 				$query = "SELECT * FROM {$wpdb->prefix}mlw_results WHERE 1=1";
 				$limit = empty($limit) ? 10 : $limit;
 				$order = empty($order) ? 'ASC' : $order;
-		
+
 				if ( ! empty($quiz_id) ) {
 					$query .= $wpdb->prepare(" AND quiz_id = %s", $quiz_id);
 				}
-		
+
 				if ( ! empty($s) ) {
 					$rsearch  = '%' . esc_sql( $wpdb->esc_like( $s ) ) . '%';
 					$query .= $wpdb->prepare(" AND (name LIKE %s OR quiz_name LIKE %s OR email LIKE %s)", $rsearch, $rsearch, $rsearch);
 				}
-				
+
 				if ( ! empty($name) ) {
 					$query .= $wpdb->prepare(" AND name = %s", $name);
 				}
-				
+
 				if ( ! empty($email) ) {
 					$query .= $wpdb->prepare(" AND email = %s", $email);
 				}
-		
+
 				if ( ! empty($from_date) ) {
 					$query .= $wpdb->prepare( " AND time_taken_real >= %s", $from_date );
 				}
-		
+
 				$results = $wpdb->get_results($query .= " ORDER BY result_id {$order} LIMIT {$limit}");
-				
+
 				if ( $results ) {
 					$data = [];
 					foreach ( $results as $key => $value ) {
@@ -262,7 +262,7 @@ public function qsm_get_quiz_result_info( WP_REST_Request $request ) {
 						'message' => "",
 					);
 				}
-		
+
 				if ( ! $results ) {
 					if ( ! $request->get_param('result_id') && ! $request->get_param('quizId') && empty($name) && empty($email) && ! $request->get_param('from_date') ) {
 						$response['message'] = __('No quiz results available.found for the specified criteria.', 'quiz-master-next');
@@ -285,7 +285,7 @@ public function qsm_get_quiz_result_info( WP_REST_Request $request ) {
 		}
 		return rest_ensure_response($response);
 	}
-		
+
 	public function qsm_get_quiz_info( WP_REST_Request $request ) {
 		$api_key_param = $request->get_header('authorization');
 		$verification = $this->qsm_verify_api_key_settings($api_key_param, 'get_quiz');
@@ -365,26 +365,26 @@ public function qsm_get_quiz_info( WP_REST_Request $request ) {
 	public function qsm_convert_to_api_format( $inputObject ) {
 
 		$apiFormat = [];
-	
+
 		foreach ( $inputObject as $key => $value ) {
-			if ( $key === 'message_after' || $key === 'user_email_template' || $key === 'quiz_settings' ) {
+			if ( 'message_after' === $key || 'user_email_template' === $key || 'quiz_settings' === $key ) {
 				$apiFormat[ $key ] = maybe_unserialize($value);
-				if ( $key === 'quiz_settings' ) {
+				if ( 'quiz_settings' === $key ) {
 					$apiFormat[ $key ] = $this->qsm_unserialize_to_api_format($apiFormat[ $key ]);
 				}
 			} elseif ( is_array($value) || is_object($value) ) {
-				$apiFormat[ $key ] = $this->qsm_convert_to_api_format($value); 
+				$apiFormat[ $key ] = $this->qsm_convert_to_api_format($value);
 			} else {
 				$apiFormat[ $key ] = $value;
 			}
 		}
-	
+
 		return $apiFormat;
 	}
-	
+
 	public function qsm_unserialize_to_api_format( $data ) {
 		$result = array();
-	
+
 		if ( is_serialized($data) ) {
 			return maybe_unserialize($data);
 		}
@@ -398,19 +398,19 @@ public function qsm_unserialize_to_api_format( $data ) {
 				}
 			}
 		}
-	
+
 		return $result;
 	}
-	
+
 	public function qsm_unserialize_recursive_loop( $value ) {
 		$unserializedValue = maybe_unserialize($value);
-	
+
 		if ( is_array($unserializedValue) ) {
 			foreach ( $unserializedValue as $innerKey => $innerValue ) {
 				$unserializedValue[ $innerKey ] = $this->qsm_unserialize_recursive_loop($innerValue);
 			}
 		}
-	
+
 		return $unserializedValue;
 	}
 
@@ -441,28 +441,28 @@ public function qsm_get_quiz_questions( WP_REST_Request $request ) {
 				$question_name = $request->get_param('question_name' );
 				$quiz_id = $request->get_param('quizId' );
 				$limit     = $request->get_param( 'limit' ) ? $request->get_param( 'limit' ) : 10;
-		
+
 				$query = "SELECT * FROM {$wpdb->prefix}mlw_questions WHERE 1=1";
-		
+
 				if ( ! empty($question_name) ) {
 					$qnsearch  = '%' . esc_sql( $wpdb->esc_like( $question_name ) ) . '%';
 					$query .= $wpdb->prepare(" AND question_name LIKE %s", $qnsearch);
 				}
-		
+
 				if ( ! empty($quiz_id) ) {
 					$query .= $wpdb->prepare( " AND quiz_id=%d", $quiz_id );
 				}
-		
+
 				$results = $wpdb->get_results($query .= " LIMIT {$limit}");
-		
+
 				if ( $results ) {
-		
+
 					foreach ( $results as $key => $result ) {
 						$result->answer_array = maybe_unserialize( $result->answer_array );
 						$result->question_settings = maybe_unserialize( $result->question_settings );
 						$data[] = $result;
 					}
-				
+
 					$response = array(
 						'count'   => count($data),
 						'success' => true,
@@ -474,7 +474,7 @@ public function qsm_get_quiz_questions( WP_REST_Request $request ) {
 						'message' => "",
 					);
 				}
-		
+
 				if ( ! $results ) {
 					if ( ! $request->get_param('quizId') && ! $request->get_param('question_name') ) {
 						$response['message'] = __('No quiz results available.', 'quiz-master-next');
@@ -495,18 +495,18 @@ public function qsm_get_quiz_questions( WP_REST_Request $request ) {
 		}
 		return $response;
 	}
-	
+
 	public function qsm_api_quiz_submit( $request ) {
-		
+
 		$qsm_api_settings_serialized = get_option('qsm_quiz_api_settings');
 		$api_key = $request->get_header('authorization');
 		if ( $qsm_api_settings_serialized ) {
-			$qsm_api_settings = maybe_unserialize($qsm_api_settings_serialized); 
-	
+			$qsm_api_settings = maybe_unserialize($qsm_api_settings_serialized);
+
 			if ( ($api_key && "" != $api_key) && (isset($qsm_api_settings['api_key']) && ("" != $qsm_api_settings['api_key'] && $api_key == $qsm_api_settings['api_key'])) && isset($qsm_api_settings['allow_submit_quiz']) && "1" == $qsm_api_settings['allow_submit_quiz'] ) {
-				
+
 				$quiz_id = ! empty( $_POST['qmn_quiz_id'] ) ? sanitize_text_field( wp_unslash( $_POST['qmn_quiz_id'] ) ) : 0 ;
-			
+
 				global $qmn_allowed_visit, $mlwQuizMasterNext, $wpdb, $qmnQuizManager;
 				$qmn_allowed_visit = true;
 				$qmnQuizManager = new QMNQuizManager();
@@ -521,11 +521,11 @@ public function qsm_api_quiz_submit( $request ) {
 					'fields'      => 'ids',
 					'numberposts' => 1,
 				));
-			
+
 				if ( ! empty( $post_ids[0] ) ) {
 					$post_status = get_post_status( $post_ids[0] );
 				}
-			
+
 				if ( is_null( $options ) || 1 == $options->deleted ) {
 					echo wp_json_encode(
 						array(
@@ -550,11 +550,11 @@ public function qsm_api_quiz_submit( $request ) {
 					);
 					wp_die();
 				}
-				
+
 				$qsm_option = isset( $options->quiz_settings ) ? maybe_unserialize( $options->quiz_settings ) : array();
 				$qsm_option = array_map( 'maybe_unserialize', $qsm_option );
 				$post_status = false;
-				
+
 				if ( 0 != $options->limit_total_entries ) {
 					$mlw_qmn_entries_count = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(quiz_id) FROM {$wpdb->prefix}mlw_results WHERE deleted=0 AND quiz_id=%d", $options->quiz_id ) );
 					if ( $mlw_qmn_entries_count >= $options->limit_total_entries ) {
@@ -606,7 +606,7 @@ public function qsm_api_quiz_submit( $request ) {
 				),
 			);
 		}
-		
+
 		return rest_ensure_response($response);
 	}
 

diff --git a/php/classes/class-qsm-results-pages.php b/php/classes/class-qsm-results-pages.php
@@ -177,7 +177,6 @@ public static function generate_pages( $response_data ) {
 
 			// Decodes special characters, runs through our template
 			// variables, and then outputs the text.
-			//$page = htmlspecialchars_decode( $content, ENT_QUOTES );
 			$page = wp_kses_post( $content );
 
 			//last chance to filter $page