fix: resolve all Week 2 performance & security issues (F1.10–F1.19)

Security: - Replace maybe_serialize() in cookies with json_encode() (PHP object injection fix) - Add PayPal webhook signature verification - Add current_user_can('manage_options') to all 18 admin-ajax handlers Performance: - Remove flush_rewrite_rules() from init hooks (Thankyou + Payment) - Add activation/deactivation hooks for flush_rewrite_rules - Cache currency, country, flags JSON reads in static variables - Add server-side pagination to Customer::formipay_tabledata_customers() - Optimize Order::formipay_tabledata_orders() with COUNT(*) GROUP BY Cleanup: - Delete Paypal.phpbak backup file - Fix timezone hardcode Asia/Jakarta → wp_timezone_string() - Create uninstall.php for proper cleanup on uninstall Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 19:52:01 +07:00
parent be9a1a0a86
commit 66e7b37f92
15 changed files with 341 additions and 868 deletions
--- a/uninstall.php
+++ b/uninstall.php
@@ -0,0 +1,62 @@
+<?php
+/**
+ * Formipay Uninstall
+ *
+ * Removes all plugin data when the plugin is uninstalled via WordPress admin.
+ */
+
+if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
+    exit;
+}
+
+global $wpdb;
+
+// Drop custom tables
+$tables = [
+    'formipay_orders',
+    'formipay_customers',
+    'formipay_bank_transfer_trx',
+    'formipay_paypal_trx',
+    'formipay_notification_log',
+    'formipay_tokens',
+];
+
+foreach ( $tables as $table_suffix ) {
+    // phpcs:ignore WordPress.DB.DirectDatabaseQuery.SchemaChange, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+    $wpdb->query( "DROP TABLE IF EXISTS {$wpdb->prefix}{$table_suffix}" );
+}
+
+// Remove plugin options
+delete_option( 'formipay_settings' );
+
+// Clear scheduled cron events
+$crons = _get_cron_array();
+if ( ! empty( $crons ) ) {
+    foreach ( $crons as $timestamp => $cron ) {
+        if ( is_array( $cron ) ) {
+            foreach ( $cron as $hook => $events ) {
+                if ( strpos( $hook, 'formipay/' ) === 0 ) {
+                    foreach ( $events as $key => $event ) {
+                        wp_unschedule_event( $timestamp, $hook, $event['args'] ?? [] );
+                    }
+                }
+            }
+        }
+    }
+}
+
+// Remove custom post types and their meta
+$post_types = [ 'formipay-form', 'formipay-product', 'formipay-coupon', 'formipay-access', 'formipay-license' ];
+foreach ( $post_types as $post_type ) {
+    $posts = get_posts( [
+        'post_type'   => $post_type,
+        'numberposts' => -1,
+        'post_status' => 'any',
+    ] );
+    foreach ( $posts as $post ) {
+        wp_delete_post( $post->ID, true );
+    }
+}
+
+// Clear any cached data
+wp_cache_flush();