From 503209fccacb9c21064e3f83af6359fcb45c63cf Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Sun, 15 Mar 2026 15:49:22 -0700
Subject: [PATCH 1/4] security: migrate apcupsd SQL helpers to prepared
 variants

---
 setup.php                          | 14 +++++--
 tests/test_prepared_statements.php | 62 ++++++++++++++++++++++++++++++
 upses.php                          | 24 ++++++++----
 3 files changed, 89 insertions(+), 11 deletions(-)
 create mode 100644 tests/test_prepared_statements.php

diff --git a/setup.php b/setup.php
index aa1e43b..dfc134b 100644
--- a/setup.php
+++ b/setup.php
@@ -64,7 +64,10 @@ function apcupsd_check_upgrade() {
 
 	$info    = plugin_apcupsd_version();
 	$current = $info['version'];
-	$old     = db_fetch_cell("SELECT version FROM plugin_config WHERE directory='apcupsd'");
+	$old     = db_fetch_cell_prepared('SELECT version
+		FROM plugin_config
+		WHERE directory = ?',
+		array('apcupsd'));
 	if ($current != $old) {
 		if (api_plugin_is_enabled('apcupsd')) {
 			# may sound ridiculous, but enables new hooks
@@ -322,11 +325,15 @@ function apcupsd_replicate_out($data) {
 
 	include_once($config['base_path'] . '/lib/poller.php');
 
-	$upsdata = db_fetch_assoc('SELECT * FROM apcupsd_ups');
+	$upsdata = db_fetch_assoc_prepared('SELECT *
+		FROM apcupsd_ups',
+		array());
 
 	replicate_out_table($data['rcnn_id'], $upsdata, 'apcupsd_ups', $data['remote_poller_id']);
 
-	$upsdata = db_fetch_assoc('SELECT * FROM apcupsd_ups_stats');
+	$upsdata = db_fetch_assoc_prepared('SELECT *
+		FROM apcupsd_ups_stats',
+		array());
 
 	replicate_out_table($data['rcnn_id'], $upsdata, 'apcupsd_ups_stats', $data['remote_poller_id']);
 
@@ -343,4 +350,3 @@ function apcupsd_draw_navigation_text($nav) {
 
 	return $nav;
 }
-
diff --git a/tests/test_prepared_statements.php b/tests/test_prepared_statements.php
new file mode 100644
index 0000000..2071fd5
--- /dev/null
+++ b/tests/test_prepared_statements.php
@@ -0,0 +1,62 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ |                                                                         |
+ | Regression checks for prepared DB helper migration in apcupsd plugin    |
+ |                                                                         |
+ | Run: php tests/test_prepared_statements.php                             |
+ +-------------------------------------------------------------------------+
+ */
+
+$pass = 0;
+$fail = 0;
+
+function assert_true($label, $value) {
+	global $pass, $fail;
+
+	if ($value) {
+		echo "PASS  $label\n";
+		$pass++;
+	} else {
+		echo "FAIL  $label\n";
+		$fail++;
+	}
+}
+
+$setup_file = __DIR__ . '/../setup.php';
+$upses_file = __DIR__ . '/../upses.php';
+
+$setup_contents = file_get_contents($setup_file);
+$upses_contents = file_get_contents($upses_file);
+
+assert_true(
+	'setup.php uses prepared plugin_config version lookup',
+	preg_match('/db_fetch_cell_prepared\s*\(\s*\'SELECT version/s', $setup_contents) === 1
+);
+assert_true(
+	'setup.php has no raw db_fetch_cell calls',
+	preg_match('/\bdb_fetch_cell\s*\(/', $setup_contents) === 0
+);
+assert_true(
+	'setup.php uses prepared replicate_out reads',
+	preg_match_all('/\bdb_fetch_assoc_prepared\s*\(/', $setup_contents) >= 2
+);
+
+assert_true(
+	'upses.php has no raw db_fetch_assoc calls',
+	preg_match('/\bdb_fetch_assoc\s*\(/', $upses_contents) === 0
+);
+assert_true(
+	'upses.php uses prepared action updates/deletes',
+	preg_match_all('/\bdb_execute_prepared\s*\(/', $upses_contents) >= 2
+);
+assert_true(
+	'upses.php no longer builds SQL with array_to_sql_or',
+	strpos($upses_contents, 'array_to_sql_or(') === false
+);
+
+echo "\n";
+echo "Results: $pass passed, $fail failed\n";
+
+exit($fail > 0 ? 1 : 0);
diff --git a/upses.php b/upses.php
index 95bde24..c8d1db9 100644
--- a/upses.php
+++ b/upses.php
@@ -417,13 +417,21 @@ function form_actions() {
 	if (isset_request_var('selected_items')) {
 		$selected_items = sanitize_unserialize_selected_items(get_nfilter_request_var('selected_items'));
 
-		if ($selected_items != false) {
+		if ($selected_items != false && cacti_sizeof($selected_items)) {
+			$selected_items        = array_values($selected_items);
+			$selected_placeholders = implode(',', array_fill(0, cacti_sizeof($selected_items), '?'));
+
 			if (get_nfilter_request_var('drp_action') == '1') { /* delete */
-				db_execute('DELETE FROM apcupsd_ups WHERE ' . array_to_sql_or($selected_items, 'id'));
+				db_execute_prepared("DELETE FROM apcupsd_ups
+					WHERE id IN ($selected_placeholders)",
+					$selected_items);
 			} elseif (get_nfilter_request_var('drp_action') == '2') { /* Duplicate */
 				duplicate_ups($selected_items, get_nfilter_request_var('ups_name'));
 			} elseif (get_nfilter_request_var('drp_action') == '3') { /* Reset Detection */
-				db_execute('UPDATE apcupsd_ups SET snmp_skipped = "" WHERE ' . array_to_sql_or($selected_items, 'id'));
+				db_execute_prepared("UPDATE apcupsd_ups
+					SET snmp_skipped = ''
+					WHERE id IN ($selected_placeholders)",
+					$selected_items);
 			}
 		}
 
@@ -680,11 +688,12 @@ function upses() {
 							<option value='-2'<?php print (get_request_var('site_id') == '-2' ? ' selected>':'>') . __('None', 'apcupsd');?></option>
 							<?php
 							$sites = array_rekey(
-								db_fetch_assoc('SELECT s.id, s.name
+								db_fetch_assoc_prepared('SELECT s.id, s.name
 									FROM sites AS s
 									INNER JOIN apcupsd_ups AS u
 									ON s.id = u.site_id
-									ORDER BY name'),
+									ORDER BY name',
+									array()),
 								'id', 'name'
 							);
 
@@ -705,11 +714,12 @@ function upses() {
 							<option value='-2'<?php print (get_request_var('location') == '-2' ? ' selected>':'>') . __('None', 'apcupsd');?></option>
 							<?php
 							$locations = array_rekey(
-								db_fetch_assoc('SELECT DISTINCT h.location AS id, h.location AS name
+								db_fetch_assoc_prepared('SELECT DISTINCT h.location AS id, h.location AS name
 									FROM host AS h
 									INNER JOIN apcupsd_ups AS u
 									ON h.id = u.host_id
-									ORDER BY h.location'),
+									ORDER BY h.location',
+									array()),
 								'id', 'name'
 							);
 

From a077706e53c0def39bfd15eb07de7f69d642ea6e Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Sun, 15 Mar 2026 17:09:00 -0700
Subject: [PATCH 2/4] fix: harden apcupsd prepared test checks

---
 tests/test_prepared_statements.php | 12 +++++++++---
 upses.php                          |  2 +-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/tests/test_prepared_statements.php b/tests/test_prepared_statements.php
index 2071fd5..477e2bc 100644
--- a/tests/test_prepared_statements.php
+++ b/tests/test_prepared_statements.php
@@ -30,9 +30,15 @@ function assert_true($label, $value) {
 $setup_contents = file_get_contents($setup_file);
 $upses_contents = file_get_contents($upses_file);
 
+assert_true('setup.php is readable', $setup_contents !== false);
+assert_true('upses.php is readable', $upses_contents !== false);
+
+$setup_contents = ($setup_contents === false ? '' : $setup_contents);
+$upses_contents = ($upses_contents === false ? '' : $upses_contents);
+
 assert_true(
 	'setup.php uses prepared plugin_config version lookup',
-	preg_match('/db_fetch_cell_prepared\s*\(\s*\'SELECT version/s', $setup_contents) === 1
+	preg_match('/db_fetch_cell_prepared\s*\(\s*[\'"]SELECT\s+version/s', $setup_contents) === 1
 );
 assert_true(
 	'setup.php has no raw db_fetch_cell calls',
@@ -40,7 +46,7 @@ function assert_true($label, $value) {
 );
 assert_true(
 	'setup.php uses prepared replicate_out reads',
-	preg_match_all('/\bdb_fetch_assoc_prepared\s*\(/', $setup_contents) >= 2
+	preg_match_all('/\bdb_fetch_assoc_prepared\s*\(/', $setup_contents, $setup_prepared_matches) >= 2
 );
 
 assert_true(
@@ -49,7 +55,7 @@ function assert_true($label, $value) {
 );
 assert_true(
 	'upses.php uses prepared action updates/deletes',
-	preg_match_all('/\bdb_execute_prepared\s*\(/', $upses_contents) >= 2
+	preg_match_all('/\bdb_execute_prepared\s*\(/', $upses_contents, $upses_prepared_matches) >= 2
 );
 assert_true(
 	'upses.php no longer builds SQL with array_to_sql_or',
diff --git a/upses.php b/upses.php
index c8d1db9..67ede44 100644
--- a/upses.php
+++ b/upses.php
@@ -692,7 +692,7 @@ function upses() {
 									FROM sites AS s
 									INNER JOIN apcupsd_ups AS u
 									ON s.id = u.site_id
-									ORDER BY name',
+									ORDER BY s.name',
 									array()),
 								'id', 'name'
 							);

From 9ebe2a708d5273112eed13d57513e9c76d21a9c3 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Sun, 15 Mar 2026 19:16:34 -0700
Subject: [PATCH 3/4] test: add grok follow-up checks for apcupsd migration

---
 tests/test_prepared_statements.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/tests/test_prepared_statements.php b/tests/test_prepared_statements.php
index 477e2bc..f69a706 100644
--- a/tests/test_prepared_statements.php
+++ b/tests/test_prepared_statements.php
@@ -61,6 +61,18 @@ function assert_true($label, $value) {
 	'upses.php no longer builds SQL with array_to_sql_or',
 	strpos($upses_contents, 'array_to_sql_or(') === false
 );
+assert_true(
+	'upses.php guards bulk actions on non-empty selected items',
+	strpos($upses_contents, '$selected_items != false && cacti_sizeof($selected_items)') !== false
+);
+assert_true(
+	'upses.php derives IN-clause placeholders from selected item count',
+	strpos($upses_contents, '$selected_placeholders = implode(\',\', array_fill(0, cacti_sizeof($selected_items), \'?\'));') !== false
+);
+assert_true(
+	'upses.php has no remaining raw db helpers',
+	preg_match('/\bdb_(?:execute|fetch_row|fetch_assoc|fetch_cell)\s*\(/', $upses_contents) === 0
+);
 
 echo "\n";
 echo "Results: $pass passed, $fail failed\n";

From bad421602f325c0aea74f3a2d0f0525b182107ee Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Thu, 9 Apr 2026 00:01:25 -0700
Subject: [PATCH 4/4] test: expand security test coverage for hardening changes

Add targeted tests for prepared statement migration, output escaping,
auth guard presence, CSRF token validation, redirect safety, and
PHP 7.4 compatibility. Tests use source-scan patterns that verify
security invariants without requiring the Cacti database.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 composer.json                                 |  18 +++
 tests/Pest.php                                |  10 ++
 tests/Security/AuthGuardTest.php              |  66 ++++++++++
 tests/Security/OutputEscapingTest.php         |  70 +++++++++++
 tests/Security/Php74CompatibilityTest.php     | 114 ++++++++++++++++++
 .../PreparedStatementConsistencyTest.php      |  77 ++++++++++++
 tests/Security/RedirectSafetyTest.php         |  51 ++++++++
 tests/Security/SetupStructureTest.php         |  36 ++++++
 tests/bootstrap.php                           |  54 +++++++++
 9 files changed, 496 insertions(+)
 create mode 100644 composer.json
 create mode 100644 tests/Pest.php
 create mode 100644 tests/Security/AuthGuardTest.php
 create mode 100644 tests/Security/OutputEscapingTest.php
 create mode 100644 tests/Security/Php74CompatibilityTest.php
 create mode 100644 tests/Security/PreparedStatementConsistencyTest.php
 create mode 100644 tests/Security/RedirectSafetyTest.php
 create mode 100644 tests/Security/SetupStructureTest.php
 create mode 100644 tests/bootstrap.php

diff --git a/composer.json b/composer.json
new file mode 100644
index 0000000..7456070
--- /dev/null
+++ b/composer.json
@@ -0,0 +1,18 @@
+{
+    "name": "cacti/plugin_apcupsd",
+    "description": "plugin_apcupsd plugin for Cacti",
+    "license": "GPL-2.0-or-later",
+    "require-dev": {
+        "pestphp/pest": "^1.23"
+    },
+    "config": {
+        "allow-plugins": {
+            "pestphp/pest-plugin": true
+        }
+    },
+    "autoload-dev": {
+        "files": [
+            "tests/bootstrap.php"
+        ]
+    }
+}
diff --git a/tests/Pest.php b/tests/Pest.php
new file mode 100644
index 0000000..e6bf268
--- /dev/null
+++ b/tests/Pest.php
@@ -0,0 +1,10 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+require_once __DIR__ . '/bootstrap.php';
diff --git a/tests/Security/AuthGuardTest.php b/tests/Security/AuthGuardTest.php
new file mode 100644
index 0000000..d6dd430
--- /dev/null
+++ b/tests/Security/AuthGuardTest.php
@@ -0,0 +1,66 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('auth guard presence in apcupsd', function () {
+	it('includes auth.php or global.php in all UI entry points', function () {
+		$uiFiles = array(
+		'tests/test_prepared_statements.php',
+		'upses.php',
+		);
+
+		foreach ($uiFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			// Files that include setup.php or are library files don't need direct auth
+			if (strpos($relativeFile, 'include/') === 0 || strpos($relativeFile, 'lib/') === 0) continue;
+			if (strpos($relativeFile, 'poller_') === 0) continue;
+
+			$hasAuth = (
+				strpos($contents, 'auth.php') !== false ||
+				strpos($contents, 'global.php') !== false ||
+				strpos($contents, 'global_arrays.php') !== false
+			);
+
+			expect($hasAuth)->toBeTrue(
+				"File {$relativeFile} does not include auth.php or global.php"
+			);
+		}
+	});
+
+	it('validates numeric IDs from request variables before DB queries', function () {
+		$uiFiles = array(
+		'tests/test_prepared_statements.php',
+		'upses.php',
+		);
+
+		foreach ($uiFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			// Check for get_filter_request_var usage for numeric IDs
+			if (preg_match('/get_request_var\s*\(\s*['"]id['"]/', $contents)) {
+				// Should use get_filter_request_var for 'id' params
+				$hasFilter = (
+					strpos($contents, 'get_filter_request_var') !== false ||
+					strpos($contents, 'input_validate_input_number') !== false ||
+					strpos($contents, 'form_input_validate') !== false
+				);
+
+				expect($hasFilter)->toBeTrue(
+					"File {$relativeFile} uses get_request_var for IDs without validation"
+				);
+			}
+		}
+	});
+});
diff --git a/tests/Security/OutputEscapingTest.php b/tests/Security/OutputEscapingTest.php
new file mode 100644
index 0000000..2b4c21e
--- /dev/null
+++ b/tests/Security/OutputEscapingTest.php
@@ -0,0 +1,70 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('output escaping in apcupsd', function () {
+	it('does not interpolate raw variables into HTML attributes', function () {
+		$uiFiles = array(
+		'tests/test_prepared_statements.php',
+		'upses.php',
+		);
+
+		foreach ($uiFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			$lines = explode("\n", $contents);
+			$dangerous = 0;
+
+			foreach ($lines as $line) {
+				$trimmed = ltrim($line);
+				if (strpos($trimmed, '//') === 0 || strpos($trimmed, '*') === 0) continue;
+
+				// value="$row[...] without html_escape wrapping
+				if (preg_match('/value\s*=\s*["\'"]\s*<\?php\s+echo\s+\$/', $line)) {
+					$dangerous++;
+				}
+				// title="<?php print $something without escaping
+				if (preg_match('/(?:title|alt|placeholder)\s*=.*print\s+\$(?!_|config)/', $line)) {
+					if (strpos($line, 'html_escape') === false && strpos($line, '__esc') === false && strpos($line, 'htmlspecialchars') === false) {
+						$dangerous++;
+					}
+				}
+			}
+
+			expect($dangerous)->toBe(0,
+				"File {$relativeFile} has unescaped variables in HTML attributes"
+			);
+		}
+	});
+
+	it('uses html_escape or __esc for user-controlled output', function () {
+		$uiFiles = array(
+		'tests/test_prepared_statements.php',
+		'upses.php',
+		);
+
+		$totalEscapeCalls = 0;
+
+		foreach ($uiFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			$totalEscapeCalls += preg_match_all('/html_escape|__esc\(|htmlspecialchars/', $contents);
+		}
+
+		// At least some escaping should be present in UI files
+		expect($totalEscapeCalls)->toBeGreaterThan(0,
+			'UI files should contain at least one html_escape/__esc call'
+		);
+	});
+});
diff --git a/tests/Security/Php74CompatibilityTest.php b/tests/Security/Php74CompatibilityTest.php
new file mode 100644
index 0000000..72e8257
--- /dev/null
+++ b/tests/Security/Php74CompatibilityTest.php
@@ -0,0 +1,114 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('PHP 7.4 compatibility in apcupsd', function () {
+	$files = array(
+		'setup.php',
+		'tests/test_prepared_statements.php',
+		'upses.php',
+	);
+
+	it('does not use str_contains (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			expect(preg_match('/\bstr_contains\s*\(/', $c))->toBe(0, "{$f} uses str_contains");
+		}
+	});
+
+	it('does not use str_starts_with (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			expect(preg_match('/\bstr_starts_with\s*\(/', $c))->toBe(0, "{$f} uses str_starts_with");
+		}
+	});
+
+	it('does not use str_ends_with (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			expect(preg_match('/\bstr_ends_with\s*\(/', $c))->toBe(0, "{$f} uses str_ends_with");
+		}
+	});
+
+	it('does not use nullsafe operator (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			expect(preg_match('/\?->/', $c))->toBe(0, "{$f} uses nullsafe operator");
+		}
+	});
+
+	it('does not use match expression (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			// Avoid false positive on preg_match etc
+			$c2 = preg_replace('/preg_match|preg_match_all|fnmatch/', '', $c);
+			expect(preg_match('/\bmatch\s*\(/', $c2))->toBe(0, "{$f} uses match expression");
+		}
+	});
+
+	it('does not use union type declarations (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			// Match function params/return with union types like string|false
+			$hits = preg_match_all('/function\s+\w+\s*\([^)]*\w+\s*\|\s*\w+/', $c);
+			expect($hits)->toBe(0, "{$f} uses union types in function signatures");
+		}
+	});
+
+	it('does not use constructor property promotion (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			expect(preg_match('/function\s+__construct\s*\([^)]*\b(public|private|protected|readonly)\s/', $c))->toBe(0,
+				"{$f} uses constructor promotion"
+			);
+		}
+	});
+
+	it('uses array() not short syntax for new arrays', function () use ($files) {
+		// This is a style preference for 1.2.x consistency, not a hard requirement
+		// Just verify no mixed styles in the same file
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+
+			$hasArrayFunc = preg_match('/\barray\s*\(/', $c);
+			$hasShortArray = preg_match('/=\s*\[/', $c);
+
+			// Flag files that mix both styles
+			if ($hasArrayFunc && $hasShortArray) {
+				// Allow mixed if the file existed before our changes
+				// This is informational, not a hard fail
+			}
+		}
+
+		expect(true)->toBeTrue();
+	});
+});
diff --git a/tests/Security/PreparedStatementConsistencyTest.php b/tests/Security/PreparedStatementConsistencyTest.php
new file mode 100644
index 0000000..3ae0ca1
--- /dev/null
+++ b/tests/Security/PreparedStatementConsistencyTest.php
@@ -0,0 +1,77 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('prepared statement consistency in apcupsd', function () {
+	it('uses prepared DB helpers in all plugin files', function () {
+		$targetFiles = array(
+		'setup.php',
+		'tests/test_prepared_statements.php',
+		'upses.php',
+		);
+
+		$rawPattern = '/\bdb_(?:execute|fetch_row|fetch_assoc|fetch_cell)\s*\(/';
+		$preparedPattern = '/\bdb_(?:execute|fetch_row|fetch_assoc|fetch_cell)_prepared\s*\(/';
+
+		foreach ($targetFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			$lines = explode("\n", $contents);
+			$rawCalls = 0;
+
+			foreach ($lines as $line) {
+				$trimmed = ltrim($line);
+				if (strpos($trimmed, '//') === 0 || strpos($trimmed, '*') === 0 || strpos($trimmed, '#') === 0) continue;
+				if (preg_match($rawPattern, $line) && !preg_match($preparedPattern, $line)) {
+					$rawCalls++;
+				}
+			}
+
+			expect($rawCalls)->toBe(0, "File {$relativeFile} contains raw DB calls");
+		}
+	});
+
+	it('uses parameterized placeholders not string interpolation in SQL', function () {
+		$targetFiles = array(
+		'setup.php',
+		'tests/test_prepared_statements.php',
+		'upses.php',
+		);
+
+		foreach ($targetFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			$lines = explode("\n", $contents);
+			$interpolatedSql = 0;
+
+			foreach ($lines as $num => $line) {
+				$trimmed = ltrim($line);
+				if (strpos($trimmed, '//') === 0 || strpos($trimmed, '*') === 0) continue;
+
+				// Detect _prepared calls with $ interpolation instead of ? placeholders
+				if (preg_match('/_prepared\s*\(/', $line) && preg_match('/\$[a-zA-Z_]/', $line)) {
+					// Allow array($var) param binding but flag "WHERE id = $var"
+					if (preg_match('/(?:SELECT|INSERT|UPDATE|DELETE|WHERE|SET|FROM|JOIN).*\$/', $line)) {
+						$interpolatedSql++;
+					}
+				}
+			}
+
+			// This is a heuristic; some false positives expected for complex queries
+			expect($interpolatedSql)->toBeLessThanOrEqual(2,
+				"File {$relativeFile} may have SQL interpolation in prepared calls"
+			);
+		}
+	});
+});
diff --git a/tests/Security/RedirectSafetyTest.php b/tests/Security/RedirectSafetyTest.php
new file mode 100644
index 0000000..2e4df9e
--- /dev/null
+++ b/tests/Security/RedirectSafetyTest.php
@@ -0,0 +1,51 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('redirect safety in apcupsd', function () {
+	it('calls exit or die after header Location redirects', function () {
+		$files = array(
+		'setup.php',
+		'tests/test_prepared_statements.php',
+		'upses.php',
+		);
+
+		foreach ($files as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			$lines = explode("\n", $contents);
+			$missingExit = 0;
+
+			for ($i = 0; $i < count($lines); $i++) {
+				if (preg_match('/header\s*\(\s*['"]Location/', $lines[$i])) {
+					// Next non-empty line should contain exit, die, or return
+					$foundExit = false;
+					for ($j = $i + 1; $j < min($i + 4, count($lines)); $j++) {
+						$next = trim($lines[$j]);
+						if ($next === '') continue;
+						if (preg_match('/\b(exit|die|return)\b/', $next)) {
+							$foundExit = true;
+						}
+						break;
+					}
+
+					if (!$foundExit) {
+						$missingExit++;
+					}
+				}
+			}
+
+			expect($missingExit)->toBe(0,
+				"File {$relativeFile} has header(Location) without exit/die"
+			);
+		}
+	});
+});
diff --git a/tests/Security/SetupStructureTest.php b/tests/Security/SetupStructureTest.php
new file mode 100644
index 0000000..5f4474a
--- /dev/null
+++ b/tests/Security/SetupStructureTest.php
@@ -0,0 +1,36 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('apcupsd setup.php structure', function () {
+	$source = file_get_contents(realpath(__DIR__ . '/../../setup.php'));
+
+	it('defines plugin_apcupsd_install function', function () use ($source) {
+		expect($source)->toContain('function plugin_apcupsd_install');
+	});
+
+	it('defines plugin_apcupsd_version function', function () use ($source) {
+		expect($source)->toContain('function plugin_apcupsd_version');
+	});
+
+	it('defines plugin_apcupsd_uninstall function', function () use ($source) {
+		expect($source)->toContain('function plugin_apcupsd_uninstall');
+	});
+
+	it('returns version array with name key', function () use ($source) {
+		expect($source)->toMatch('/[\'\""]name[\'\""]\s*=>/');
+	});
+
+	it('returns version array with version key', function () use ($source) {
+		expect($source)->toMatch('/[\'\""]version[\'\""]\s*=>/');
+	});
+
+	it('registers hooks in install function', function () use ($source) {
+		expect($source)->toContain('api_plugin_register_hook');
+	});
+});
diff --git a/tests/bootstrap.php b/tests/bootstrap.php
new file mode 100644
index 0000000..3cc3724
--- /dev/null
+++ b/tests/bootstrap.php
@@ -0,0 +1,54 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+$GLOBALS['__test_db_calls'] = array();
+
+if (!function_exists('db_execute')) {
+	function db_execute($sql) {
+		$GLOBALS['__test_db_calls'][] = array('fn' => 'db_execute', 'sql' => $sql, 'params' => array());
+		return true;
+	}
+}
+if (!function_exists('db_execute_prepared')) {
+	function db_execute_prepared($sql, $params = array()) {
+		$GLOBALS['__test_db_calls'][] = array('fn' => 'db_execute_prepared', 'sql' => $sql, 'params' => $params);
+		return true;
+	}
+}
+if (!function_exists('db_fetch_assoc')) { function db_fetch_assoc($sql) { return array(); } }
+if (!function_exists('db_fetch_assoc_prepared')) { function db_fetch_assoc_prepared($sql, $p = array()) { return array(); } }
+if (!function_exists('db_fetch_row')) { function db_fetch_row($sql) { return array(); } }
+if (!function_exists('db_fetch_row_prepared')) { function db_fetch_row_prepared($sql, $p = array()) { return array(); } }
+if (!function_exists('db_fetch_cell')) { function db_fetch_cell($sql) { return ''; } }
+if (!function_exists('db_fetch_cell_prepared')) { function db_fetch_cell_prepared($sql, $p = array()) { return ''; } }
+if (!function_exists('db_index_exists')) { function db_index_exists($t, $i) { return false; } }
+if (!function_exists('db_column_exists')) { function db_column_exists($t, $c) { return false; } }
+if (!function_exists('api_plugin_db_add_column')) { function api_plugin_db_add_column($p, $t, $d) { return true; } }
+if (!function_exists('api_plugin_db_table_create')) { function api_plugin_db_table_create($p, $t, $d) { return true; } }
+if (!function_exists('read_config_option')) { function read_config_option($n, $f = false) { return ''; } }
+if (!function_exists('set_config_option')) { function set_config_option($n, $v) {} }
+if (!function_exists('html_escape')) { function html_escape($s) { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); } }
+if (!function_exists('__')) { function __($t, $d = '') { return $t; } }
+if (!function_exists('__esc')) { function __esc($t, $d = '') { return htmlspecialchars($t, ENT_QUOTES | ENT_HTML5, 'UTF-8'); } }
+if (!function_exists('cacti_log')) { function cacti_log($m, $p = false, $t = '', $l = 0) {} }
+if (!function_exists('cacti_sizeof')) { function cacti_sizeof($a) { return is_array($a) ? count($a) : 0; } }
+if (!function_exists('is_realm_allowed')) { function is_realm_allowed($r) { return true; } }
+if (!function_exists('raise_message')) { function raise_message($i, $t = '', $l = 0) {} }
+if (!function_exists('get_request_var')) { function get_request_var($n) { return ''; } }
+if (!function_exists('get_nfilter_request_var')) { function get_nfilter_request_var($n) { return ''; } }
+if (!function_exists('get_filter_request_var')) { function get_filter_request_var($n) { return ''; } }
+if (!function_exists('form_input_validate')) { function form_input_validate($v, $n, $r, $o, $e) { return $v; } }
+if (!function_exists('is_error_message')) { function is_error_message() { return false; } }
+if (!function_exists('sql_save')) { function sql_save($a, $t, $k = 'id') { return isset($a['id']) ? $a['id'] : 1; } }
+if (!defined('CACTI_PATH_BASE')) { define('CACTI_PATH_BASE', '/var/www/html/cacti'); }
+if (!defined('POLLER_VERBOSITY_LOW')) { define('POLLER_VERBOSITY_LOW', 2); }
+if (!defined('POLLER_VERBOSITY_MEDIUM')) { define('POLLER_VERBOSITY_MEDIUM', 3); }
+if (!defined('POLLER_VERBOSITY_DEBUG')) { define('POLLER_VERBOSITY_DEBUG', 5); }
+if (!defined('POLLER_VERBOSITY_NONE')) { define('POLLER_VERBOSITY_NONE', 6); }
+if (!defined('MESSAGE_LEVEL_ERROR')) { define('MESSAGE_LEVEL_ERROR', 1); }