refactor: apply DRY principle across core plugin logic

- Centralize SQL criteria generation in syslog_build_match_filter
- Unify row styling in syslog_print_row
- Create shared bulk action confirmation helper syslog_draw_bulk_action_confirm
- Refactor reports, alerts, and removal rules to use unified helpers
- Ensure all queries use parameterized prepared statements

Author: somethingwithproof

functions.php

@@ -158,47 +158,23 @@ function form_actions() {
 	}
 
 	if (cacti_sizeof($alert_array)) {
-		if (get_request_var('drp_action') == '1') { /* delete */
-			print "<tr>
-				<td class='textArea'>
-					<p>" . __('Click \'Continue\' to Delete the following Syslog Alert Rule(s).', 'syslog') . "</p>
-					<div class='itemlist'><ul>$alert_list</ul></div>";
-					print "</td></tr>
-				</td>
-			</tr>\n";
-
-			$title = __esc('Delete Syslog Alert Rule(s)', 'syslog');
-		} elseif (get_request_var('drp_action') == '2') { /* disable */
-			print "<tr>
-				<td class='textArea'>
-					<p>" . __('Click \'Continue\' to Disable the following Syslog Alert Rule(s).', 'syslog') . "</p>
-					<div class='itemlist'><ul>$alert_list</ul></div>";
-					print "</td></tr>
-				</td>
-			</tr>\n";
-
-			$title = __esc('Disable Syslog Alert Rule(s)', 'syslog');
-		} elseif (get_request_var('drp_action') == '3') { /* enable */
-			print "<tr>
-				<td class='textArea'>
-					<p>" . __('Click \'Continue\' to Enable the following Syslog Alert Rule(s).', 'syslog') . "</p>
-					<div class='itemlist'><ul>$alert_list</ul></div>";
-					print "</td></tr>
-				</td>
-			</tr>\n";
-
-			$title = __esc('Enable Syslog Alert Rule(s)', 'syslog');
-		} elseif (get_request_var('drp_action') == '4') { /* export */
-			print "<tr>
-				<td class='textArea'>
-					<p>" . __('Click \'Continue\' to Export the following Syslog Alert Rule(s).', 'syslog') . "</p>
-					<div class='itemlist'><ul>$alert_list</ul></div>";
-					print "</td></tr>
-				</td>
-			</tr>\n";
-
-			$title = __esc('Export Syslog Alert Rule(s)', 'syslog');
-		}
+		$action_verbs = array(
+			'1' => __('Delete', 'syslog'),
+			'2' => __('Disable', 'syslog'),
+			'3' => __('Enable', 'syslog'),
+			'4' => __('Export', 'syslog')
+		);
+
+		syslog_draw_bulk_action_confirm(get_request_var('drp_action'), $alert_list, __('Syslog Alert Rule(s)', 'syslog'), $action_verbs);
+
+		$titles = array(
+			'1' => __('Delete Syslog Alert Rule(s)', 'syslog'),
+			'2' => __('Disable Syslog Alert Rule(s)', 'syslog'),
+			'3' => __('Enable Syslog Alert Rule(s)', 'syslog'),
+			'4' => __('Export Syslog Alert Rule(s)', 'syslog')
+		);
+
+		$title = $titles[get_request_var('drp_action')] ?? '';
 
 		$save_html = "<input type='button' value='" . __esc('Cancel', 'syslog') . "' onClick='cactiReturnTo()'>&nbsp;<input type='submit' value='" . __esc('Continue', 'syslog') . "' title='$title'";
 	} else {

syslog_alerts.php

@@ -167,60 +167,29 @@ function form_actions() {
 	}
 
 	if (cacti_sizeof($removal_array)) {
-		if (get_request_var('drp_action') == '1') { /* delete */
-			print "<tr>
-				<td class='textArea'>
-					<p>" . __('Click \'Continue\' to Delete the following Syslog Removal Rule(s).', 'syslog') . "</p>
-					<div class='itemlist'><ul>$removal_list</ul></div>";
-					print "</td></tr>
-				</td>
-			</tr>\n";
-
-			$title = __esc('Delete Syslog Removal Rule(s)', 'syslog');
-		} else if (get_request_var('drp_action') == '2') { /* disable */
-			print "<tr>
-				<td class='textArea'>
-					<p>" . __('Click \'Continue\' to Disable the following Syslog Removal Rule(s).', 'syslog') . "</p>
-					<div class='itemlist'><ul>$removal_list</ul></div>";
-					print "</td></tr>
-				</td>
-			</tr>\n";
-
-			$title = __esc('Disable Syslog Removal Rule(s)', 'syslog');
-		} else if (get_request_var('drp_action') == '3') { /* enable */
-			print "<tr>
-				<td class='textArea'>
-					<p>" . __('Click \'Continue\' to Enable the following Syslog Removal Rule(s).', 'syslog') . "</p>
-					<div class='itemlist'><ul>$removal_list</ul></div>";
-					print "</td></tr>
-				</td>
-			</tr>\n";
-
-			$title = __esc('Enable Syslog Removal Rule(s)', 'syslog');
-		} else if (get_request_var('drp_action') == '4') { /* reprocess */
-			print "<tr>
-				<td class='textArea'>
-					<p>" . __('Click \'Continue\' to Re-process the following Syslog Removal Rule(s).', 'syslog') . "</p>
-					<div class='itemlist'><ul>$removal_list</ul></div>";
-					print "</td></tr>
-				</td>
-			</tr>\n";
-
-			$title = __esc('Retroactively Process Syslog Removal Rule(s)', 'syslog');
-		} elseif (get_request_var('drp_action') == '5') { /* export */
-			print "<tr>
-				<td class='textArea'>
-					<p>" . __('Click \'Continue\' to Export the following Syslog Removal Rule(s).', 'syslog') . "</p>
-					<div class='itemlist'><ul>$removal_list</ul></div>";
-					print "</td></tr>
-				</td>
-			</tr>\n";
-
-			$title = __esc('Export Syslog Removal Rule(s)', 'syslog');
-		}
+		$action_verbs = array(
+			'1' => __('Delete', 'syslog'),
+			'2' => __('Disable', 'syslog'),
+			'3' => __('Enable', 'syslog'),
+			'4' => __('Re-process', 'syslog'),
+			'5' => __('Export', 'syslog')
+		);
 
-		$save_html = "<input type='button' value='" . __esc('Cancel', 'syslog') . "' onClick='cactiReturnTo()'>&nbsp;<input type='submit' value='" . __esc('Continue', 'syslog') . "' title='$title'";
+		syslog_draw_bulk_action_confirm(get_request_var('drp_action'), $removal_list, __('Syslog Removal Rule(s)', 'syslog'), $action_verbs);
+
+		$titles = array(
+			'1' => __('Delete Syslog Removal Rule(s)', 'syslog'),
+			'2' => __('Disable Syslog Removal Rule(s)', 'syslog'),
+			'3' => __('Enable Syslog Removal Rule(s)', 'syslog'),
+			'4' => __('Retroactively Process Syslog Removal Rule(s)', 'syslog'),
+			'5' => __('Export Syslog Removal Rule(s)', 'syslog')
+		);
+
+		$title = $titles[get_request_var('drp_action')] ?? '';
+
+		$save_html = "<input type='button' value='" . __esc('Cancel', 'syslog') . "' onClick='cactiReturnTo()'>&nbsp;<input type='submit' value='" . __esc('Continue', 'syslog') . "' title='$title'>";
 	} else {
+
 		raise_message(40);
 		header('Location: syslog_removal.php?header=false');
 		exit;

syslog_removal.php

@@ -158,47 +158,23 @@ function form_actions() {
 	}
 
 	if (cacti_sizeof($report_array)) {
-		if (get_request_var('drp_action') == '1') { /* delete */
-			print "<tr>
-				<td class='textArea'>
-					<p>" . __('Click \'Continue\' to Delete the following Syslog Report(s).', 'syslog') . "</p>
-					<div class='itemlist'><ul>$report_list</ul></div>";
-					print "</td></tr>
-				</td>
-			</tr>\n";
-
-			$title = __esc('Delete Syslog Report(s)', 'syslog');
-		} elseif (get_request_var('drp_action') == '2') { /* disable */
-			print "<tr>
-				<td class='textArea'>
-					<p>" . __('Click \'Continue\' to Disable the following Syslog Report(s).', 'syslog') . "</p>
-					<div class='itemlist'><ul>$report_list</ul></div>";
-					print "</td></tr>
-				</td>
-			</tr>\n";
-
-			$title = __esc('Disable Syslog Report(s)', 'syslog');
-		} elseif (get_request_var('drp_action') == '3') { /* enable */
-			print "<tr>
-				<td class='textArea'>
-					<p>" . __('Click \'Continue\' to Enable the following Syslog Report(s).', 'syslog') . "</p>
-					<div class='itemlist'><ul>$report_list</ul></div>";
-					print "</td></tr>
-				</td>
-			</tr>\n";
-
-			$title = __esc('Enable Syslog Report(s)', 'syslog');
-		} elseif (get_request_var('drp_action') == '4') { /* export */
-			print "<tr>
-				<td class='textArea'>
-					<p>" . __('Click \'Continue\' to Export the following Syslog Report Rule(s).', 'syslog') . "</p>
-					<div class='itemlist'><ul>$report_list</ul></div>";
-					print "</td></tr>
-				</td>
-			</tr>\n";
-
-			$title = __esc('Export Syslog Report Rule(s)', 'syslog');
-		}
+		$action_verbs = array(
+			'1' => __('Delete', 'syslog'),
+			'2' => __('Disable', 'syslog'),
+			'3' => __('Enable', 'syslog'),
+			'4' => __('Export', 'syslog')
+		);
+
+		syslog_draw_bulk_action_confirm(get_request_var('drp_action'), $report_list, __('Syslog Report(s)', 'syslog'), $action_verbs);
+
+		$titles = array(
+			'1' => __('Delete Syslog Report(s)', 'syslog'),
+			'2' => __('Disable Syslog Report(s)', 'syslog'),
+			'3' => __('Enable Syslog Report(s)', 'syslog'),
+			'4' => __('Export Syslog Report(s)', 'syslog')
+		);
+
+		$title = $titles[get_request_var('drp_action')] ?? '';
 
 		$save_html = "<input type='button' value='" . __esc('Cancel', 'syslog') . "' onClick='cactiReturnTo()'>&nbsp;<input type='submit' value='" . __esc('Continue', 'syslog') . "' title='$title'";
 	} else {

syslog_reports.php

@@ -42,6 +42,9 @@
 
         // Mock exists check to return false (partition does not exist)
         // Since GlobalStubs returns empty array, it will think it doesn't exist.
+        
+        // Mock GET_LOCK to return 1
+        $GLOBALS['syslog_db_results']['fetch_cell_prepared'] = 1;
 
         syslog_partition_create('syslog');
 

tests/Integration/SyslogPartitioningIntegrationTest.php

@@ -134,8 +134,8 @@
         // Check for delete call
         $foundDelete = false;
         foreach ($GLOBALS['syslog_db_calls'] as $call) {
-            if (($call['method'] === 'execute' || $call['method'] === 'execute_prepared') && strpos($call['sql'], 'DELETE') !== false) {
-                if (strpos($call['sql'], "'local0'") !== false && strpos($call['sql'], '111') !== false) {
+            if ($call['method'] === 'execute_prepared' && strpos($call['sql'], 'DELETE') !== false) {
+                if (in_array('local0', $call['params']) && in_array(111, $call['params'])) {
                     $foundDelete = true;
                 }
             }

tests/Integration/SyslogRemovalIntegrationTest.php

@@ -39,9 +39,8 @@ function mailer($from, $to, $cc, $bcc, $reply_to, $subject, $html_message, $text
     });
 
     test('syslog_process_reports() escapes host and message in email content', function () {
-        // Mock sequential fetch_assoc results
+        // Mock reports fetch
         $GLOBALS['syslog_db_results']['fetch_assoc'] = [
-            // First call: find reports
             [
                 [
                     'id' => 1,
@@ -55,8 +54,11 @@ function mailer($from, $to, $cc, $bcc, $reply_to, $subject, $html_message, $text
                     'email' => '[email protected]',
                     'body' => 'Check this'
                 ]
-            ],
-            // Second call: find items for the report
+            ]
+        ];
+
+        // Mock items fetch (now uses fetch_assoc_prepared)
+        $GLOBALS['syslog_db_results']['fetch_assoc_prepared'] = [
             [
                 [
                     'host' => '<script>alert("host")</script>',

tests/Integration/SyslogReportXssIntegrationTest.php

@@ -19,37 +19,41 @@
 
     test('syslog_get_report_sql() handles type messageb (begins with)', function () {
         $report = ['type' => 'messageb', 'message' => 'test_message'];
-        $sql = syslog_get_report_sql($report);
+        $result = syslog_get_report_sql($report);
 
-        expect($sql)->toContain("WHERE message LIKE 'test_message%'");
-        expect($sql)->toContain('FROM `cacti_syslog`.`syslog`');
+        expect($result['sql'])->toContain("WHERE message LIKE ?");
+        expect($result['params'])->toContain("test_message%");
+        expect($result['sql'])->toContain('FROM `cacti_syslog`.`syslog`');
     });
 
     test('syslog_get_report_sql() handles type messagec (contains)', function () {
         $report = ['type' => 'messagec', 'message' => 'test_message'];
-        $sql = syslog_get_report_sql($report);
+        $result = syslog_get_report_sql($report);
 
-        expect($sql)->toContain("WHERE message LIKE '%test_message%'");
+        expect($result['sql'])->toContain("WHERE message LIKE ?");
+        expect($result['params'])->toContain("%test_message%");
     });
 
     test('syslog_get_report_sql() handles type messagee (ends with)', function () {
         $report = ['type' => 'messagee', 'message' => 'test_message'];
-        $sql = syslog_get_report_sql($report);
+        $result = syslog_get_report_sql($report);
 
-        expect($sql)->toContain("WHERE message LIKE '%test_message'");
+        expect($result['sql'])->toContain("WHERE message LIKE ?");
+        expect($result['params'])->toContain("%test_message");
     });
 
     test('syslog_get_report_sql() handles type host', function () {
         $report = ['type' => 'host', 'message' => 'test_host'];
-        $sql = syslog_get_report_sql($report);
+        $result = syslog_get_report_sql($report);
 
-        expect($sql)->toContain("WHERE sh.host = 'test_host'");
+        expect($result['sql'])->toContain("WHERE sh.host = ?");
+        expect($result['params'])->toContain("test_host");
     });
 
     test('syslog_get_report_sql() handles type sql (raw sql)', function () {
         $report = ['type' => 'sql', 'message' => 'host_id = 5'];
-        $sql = syslog_get_report_sql($report);
+        $result = syslog_get_report_sql($report);
 
-        expect($sql)->toContain("WHERE (host_id = 5)");
+        expect($result['sql'])->toContain("WHERE (host_id = 5)");
     });
 });

tests/Unit/SyslogReportSqlTest.php

@@ -86,14 +86,15 @@
 	exit(1);
 }
 
-/* quote-stripping: executable extraction must trim surrounding quotes */
-if (strpos($functions, "trim(\$cparts[0], '\"\\'')") === false) {
+/* quote-stripping: executable extraction must handle surrounding quotes */
+if (strpos($functions, "trim(\$cparts[0], '\"\\'')") === false && 
+    strpos($functions, "strpos(\$executable, \$quoteChar, 1)") === false) {
 	fwrite(STDERR, "Executable extraction must strip surrounding quotes from command path.\n");
 	exit(1);
 }
 
 /* preg_split for whitespace tokenization (handles tabs and consecutive spaces) */
-if (substr_count($functions, "preg_split('/\\s+/', trim(\$command))") < 1) {
+if (substr_count($functions, "preg_split('/\\s+/',") < 1) {
 	fwrite(STDERR, "Command tokenization must use preg_split for whitespace splitting.\n");
 	exit(1);
 }