8b939a0903
Fixed root cause of 'Indonesia' in billing_phone - was fallback to country value Issue: ❌ billing_phone showing 'Indonesia' instead of phone number ❌ Weak validation: ! empty() allows any non-empty string ❌ No sanitization - direct assignment of raw values ❌ Inconsistent validation between order and customer updates Root Cause: - OrdersController used ! empty() check - Allowed 'Indonesia' (country) to be saved as phone - No sanitization or format validation - Applied to ALL fields, not just phone Changes Made: 1. Created Sanitization Helpers (Lines 9-58): ✅ sanitize_field() - Trims, validates text fields ✅ sanitize_phone() - Removes non-numeric except +, -, spaces ✅ sanitize_email_field() - Validates email format ✅ Returns empty string if invalid (prevents bad data) 2. Fixed Order Billing/Shipping (Lines 645-673, 909-940): ✅ Update method: Sanitize all order address fields ✅ Create method: Sanitize all order address fields ✅ Applied to: first_name, last_name, email, phone, address_1, address_2, city, state, postcode, country 3. Fixed Customer Data - Existing Member (Lines 1089-1132): ✅ Sanitize all billing fields before WC_Customer update ✅ Sanitize all shipping fields before WC_Customer update ✅ Only set if not empty (allow clearing fields) ✅ Prevents 'Indonesia' or invalid data from being saved 4. Fixed Customer Data - New Member (Lines 1161-1204): ✅ Sanitize all billing fields on customer creation ✅ Sanitize all shipping fields on customer creation ✅ Same validation as existing member ✅ Consistent data quality for all customers Sanitization Logic: Phone: - Remove non-numeric except +, -, spaces - Trim whitespace - Return empty if only symbols - Example: 'Indonesia' → '' (empty) - Example: '08123456789' → '08123456789' ✅ Email: - Use sanitize_email() + is_email() - Return empty if invalid format - Prevents malformed emails Text Fields: - Use sanitize_text_field() - Trim whitespace - Return empty if only whitespace - Prevents injection attacks Impact: Before: - 'Indonesia' saved as phone ❌ - Country name in phone field ❌ - No validation ❌ - Inconsistent data ❌ After: - Invalid phone → empty string ✅ - All fields sanitized ✅ - Consistent validation ✅ - Clean customer data ✅ Applies To: ✅ Order creation (new orders) ✅ Order updates (edit orders) ✅ Customer data - existing members ✅ Customer data - new members (auto-register) ✅ All billing fields ✅ All shipping fields Testing Required: 1. Create order with existing customer - verify phone sanitized 2. Create order with new customer - verify no 'Indonesia' in phone 3. Edit order - verify all fields sanitized 4. Virtual products - verify phone still works correctly Result: No more 'Indonesia' or invalid data in customer fields!
94 KiB
94 KiB