Sitemaps: backtick column names via %i placeholders

[StefMattana]

Fixes #48202

Jetpack_Sitemap_Librarian::get_sanitized_post_columns() was running column names through esc_sql(), which is for string values, not identifiers. If wp_posts had a column whose name was a reserved SQL keyword (e.g. order), the resulting SELECT would error out.

As suggested in the issue thread, switching to %i identifier placeholders in wpdb::prepare() is the idiomatic fix.
It backtick-quotes and escapes identifiers correctly. The helper now returns both the placeholder string and the column array; both call sites splat the array into prepare().

Includes a regression test that adds an order column to wp_posts, runs the query, and asserts it succeeds.
Reported by @nebbens, with the suggested approach from @anomiex.

[Copilot]

Pull request overview

This PR updates Jetpack’s sitemaps librarian to build post-column SELECT lists with identifier placeholders so sitemap queries keep working when wp_posts contains reserved-word column names. It fits into the sitemaps subsystem by hardening both the main sitemap and news sitemap post-fetch queries.

Changes:

• Reworks get_sanitized_post_columns() to return %i placeholder SQL plus the corresponding column names for wpdb::prepare().
• Applies that prepared column list to both query_posts_after_id() and query_most_recent_posts().
• Adds a regression test for a reserved-keyword wp_posts column and records the fix in the Jetpack changelog.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
projects/plugins/jetpack/modules/sitemaps/sitemap-librarian.php	Switches sitemap post queries to prepared identifier placeholders for column names.
projects/plugins/jetpack/tests/php/modules/sitemaps/Jetpack_Sitemap_Librarian_Test.php	Adds a regression test that alters wp_posts to include a reserved-word column.
projects/plugins/jetpack/changelog/fix-48202-sitemap-backtick-columns	Adds the Jetpack changelog entry for the sitemap SQL fix.

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the fix/48202-sitemap-backtick-columns branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack fix/48202-sitemap-backtick-columns

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• 🔴 Add testing instructions.
  
• 🔴 Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

🔴 Action required: Please include detailed testing steps, explaining how to test your change, like so:

## Testing instructions:

* Go to '..'
*

---

🔴 Action required: We would recommend that you add a section to the PR description to specify whether this PR includes any changes to data or privacy, like so:

## Does this pull request change what data or activity we track or use?

My PR adds *x* and *y*.

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

---

Jetpack plugin:

No scheduled milestone found for this plugin.

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

[jp-launch-control]

Code Coverage Summary

Coverage changed in 1 file.

File	Coverage	Δ%	Δ Uncovered
projects/plugins/jetpack/modules/sitemaps/sitemap-librarian.php	89/167 (53.29%)	16.71%	-26 💚

Full summary · PHP report · JS report

[StefMattana]

Hey @anomiex! Would you terribly mind taking a look at this PR? I was working on it within our Bug Blitz project - the issue was added in this list on Linear :) TIA!

[anomiex]

Looks reasonable. I flagged fixes for the linting errors.

[anomiex]

The lint issue on this line is doubly confused. Best to suppress it.

Suggested change

	$wpdb->prepare(
	// phpcs:ignore WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber -- Sniff is confused by both the interpolation of `$columns['placeholders']` and the spread.
	$wpdb->prepare(

[anomiex]

Same as above

Suggested change

	$wpdb->prepare(
	// phpcs:ignore WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber -- Sniff is confused by both the interpolation of `$columns['placeholders']` and the spread.
	$wpdb->prepare(