
Security Analysis: not enabled. This project does not seem to handle request data directly, so no vulnerable execution paths were found.


src/www/include/database.php (1 issue)


Issue reported (1): in the docblock of getConnection(), the doc-type {resource} could not be parsed: Unknown type name "{resource}" at position 0. This check marks PHPDoc comments that the analyzer's parser could not read; the listing below uses the parseable form resource|null for that tag.

<?php
//
// SourceForge: Breaking Down the Barriers to Open Source Development
// Copyright 1999-2000 (c) The SourceForge Crew
// http://sourceforge.net
//
$GLOBALS['DEBUG_DBPHP_QUERY_COUNT'] = 0;
if (!defined('CODENDI_DB_NULL')) define('CODENDI_DB_NULL', 0);
if (!defined('CODENDI_DB_NOT_NULL')) define('CODENDI_DB_NOT_NULL', 1);

$conn = null;
function db_connect() {
    global $conn;
    $conn = CodendiDataAccess::instance();
}

/**
 * Returns the connection object, or null if there is no connection
 *
 * @return resource|null the connection, or null if no connection
 */
function getConnection() {
    global $conn;
    if (isset($conn) && $conn) {
        return $conn;
    } else {
        return null;
    }
}

function db_query($sql, $print = 0) {
    global $conn;
    if ($print) {
        print "<br>Query is: $sql<br>";
    }
    return db_query_params($sql, array());
}

function db_query_params($sql, $params) {
    global $conn;
    $dar = $conn->query($sql, $params);
    $GLOBALS['db_qhandle'] = $dar->getResult();
    if (db_numrows($GLOBALS['db_qhandle'])) {
        db_reset_result($GLOBALS['db_qhandle']);
    }
    return $GLOBALS['db_qhandle'];
}

function db_numrows($qhandle) {
    global $conn;
    // return only if qhandle exists, otherwise 0
    if ($qhandle) {
        return @$conn->numRows($qhandle);
    } else {
        return 0;
    }
}

function db_free_result($qhandle) {
    return @mysql_free_result($qhandle);
}

function db_result($qhandle, $row, $field) {
    return @mysql_result($qhandle, $row, $field);
}

function db_numfields($lhandle) {
    return @mysql_num_fields($lhandle);
}

function db_fieldname($lhandle, $fnumber) {
    return @mysql_field_name($lhandle, $fnumber);
}

function db_affected_rows($qhandle) {
    // mysql_affected_rows() works on the link, not the result handle; $qhandle is unused
    return @mysql_affected_rows();
}

function db_fetch_array($qhandle = 0) {
    global $conn;
    if ($qhandle) {
        return @$conn->fetchArray($qhandle);
    } else {
        // fall back to the handle of the last query
        if ($GLOBALS['db_qhandle']) {
            return @$conn->fetchArray($GLOBALS['db_qhandle']);
        } else {
            return (array());
        }
    }
}

function db_insertid($qhandle) {
    global $conn;
    if (isset($conn) && $conn) {
        return @mysql_insert_id($conn->db);
    } else {
        return @mysql_insert_id();
    }
}

/**
 * Display real error only if we are in Debug mode
 *
 * @return String
 */
function db_error() {
    $error = @mysql_error();
    if ($error && !ForgeConfig::get('DEBUG_MODE')) {
        $error = 'DB error';
    }
    return $error;
}

/**
 *  db_reset_result() - Reset a result set.
 *
 *  Reset is useful for db_fetch_array: sometimes you need to start over
 *
 *  @param  string  Query result set handle
 *  @param  int     Row number
 */
function db_reset_result($qhandle, $row = 0) {
    global $conn;
    return $conn->dataSeek($qhandle, $row);
}

function db_escape_string($string, $qhandle = false) {
    if (function_exists('mysql_real_escape_string')) {
        if ($qhandle) {
            return mysql_real_escape_string($string, $qhandle);
        } else {
            return mysql_real_escape_string($string);
        }
    } else {
        return mysql_escape_string($string);
    }
}

/**
 * Alias for db_escape_string.
 */
function db_es($string, $qhandle = false) {
    return db_escape_string($string, $qhandle);
}

/**
 * Escape value as a valid decimal integer.
 *
 * If input is not a valid decimal integer, return '0'.
 * If CODENDI_DB_NULL is used, empty string '' as $val returns 'NULL' string.
 * This last form is useful when the corresponding field is defined as INT or
 * NULL in SQL.
 *
 * @see http://php.net/language.types.integer
 * @see DataAccess::escapeInt for tests.
 * @param  mixed $val a value to escape
 * @param  int   $null CODENDI_DB_NOT_NULL or CODENDI_DB_NULL
 * @return string Decimal integer encoded as a string
 */
function db_escape_int($val, $null = CODENDI_DB_NOT_NULL) {
    $match = array();
    if ($null === CODENDI_DB_NULL && $val === '') {
        return 'NULL';
    }
    // optional sign, then either a number without leading zeros or a bare 0
    if (preg_match('/^([+-]?[1-9][0-9]*|[+-]?0)$/', $val, $match)) {
        return $match[1];
    }
    return '0';
}

/**
 * Alias for db_escape_int
 *
 * @param  mixed $val a value to escape
 * @param  int   $null CODENDI_DB_NOT_NULL or CODENDI_DB_NULL
 * @return string Decimal integer encoded as a string
 */
function db_ei($val, $null = CODENDI_DB_NOT_NULL) {
    return db_escape_int($val, $null);
}

/**
 * @deprecated
 * @see DataAccess::escapeIntImplode()
 */
function db_ei_implode($val) {
    return implode(',', array_map('db_ei', $val));
}

function db_begin() {
    echo "db_begin()\n";
}
function db_commit() {
    echo "db_commit()\n";
}
function db_rollback() {
    echo "db_rollback()\n";
}

/**
 *  db_query_from_file() - Query the database, from a file.
 *
 *  @param string File that contains the SQL statements.
 *  @param int How many rows do you want returned (unused).
 *  @param int Of matching rows, return only rows starting here (unused).
 *  @param int ability to spread load to multiple db servers (unused).
 *  @return bool true if every statement ran, false on a read or query error.
 */
function db_query_from_file($file, $limit = '-1', $offset = 0, $dbserver = NULL) {
/*
        db_connect_if_needed () ;
        $dbconn = db_switcher($dbserver) ;

        global $QUERY_COUNT;
        $QUERY_COUNT++;

        $qstring = file_get_contents($file);
        if (!$qstring) {
                error_log('db_query_from_file(): Cannot read file $file!');
                return false;
        }
        if (!$limit || !is_numeric($limit) || $limit < 0) {
                $limit=0;
        }
        if ($limit > 0) {
                if (!$offset || !is_numeric($offset) || $offset < 0) {
                        $offset=0;
                }
                $qstring=$qstring." LIMIT $limit OFFSET $offset";
        }
        $res = @pg_query($dbconn,$qstring);
        if (!$res) {
                error_log('SQL: ' . preg_replace('/\n\t+/', ' ',$qstring));
                error_log('SQL> ' . db_error($dbserver));
        }
        return $res;
*/
    // inspired from /usr/share/mediawiki115/includes/db/Database.php
    $fp = fopen($file, 'r');
    if (false === $fp) {
        // double quotes so the file name is interpolated; nothing to close, fopen() failed
        error_log("db_query_from_file(): Cannot read file $file!");
        return false;
    }

    $cmd = "";
    $done = false;
    $dollarquote = false;

    while (!feof($fp)) {
        $line = trim(fgets($fp, 1024));
        $sl = strlen($line) - 1;

        if ($sl < 0) { continue; }
        // skip "--" comment lines
        if ($sl > 0 && '-' == $line[0] && '-' == $line[1]) { continue; }

        ## Allow dollar quoting for function declarations
        if (substr($line, 0, 4) == '$mw$') {
            if ($dollarquote) {
                $dollarquote = false;
                $done = true;
            } else {
                $dollarquote = true;
            }
        } else if (!$dollarquote) {
            // a statement ends on a single trailing ';' (";;" is kept and collapsed below)
            if (';' == $line[$sl] && ($sl < 2 || ';' != $line[$sl - 1])) {
                $done = true;
                $line = substr($line, 0, $sl);
            }
        }

        if ('' != $cmd) { $cmd .= ' '; }
        $cmd .= "$line\n";

        if ($done) {
            $cmd = str_replace(';;', ";", $cmd);
            // next line is for mediawiki subst
            $cmd = preg_replace(":/\*_\*/:", "mw", $cmd);
            // TOCHECK WITH CHRISTIAN: Do not change indexes for mediawiki (doesn't seem well supported)
            //$cmd = preg_replace(":/\*i\*/:","mw",$cmd );
            $res = db_query($cmd);

            if (!$res) {
                error_log('SQL: ' . preg_replace('/\n\t+/', ' ', $cmd));
                error_log('SQL> ' . db_error($dbserver));
                fclose($fp);
                return $res;
            }

            $cmd = '';
            $done = false;
        }
    }
    fclose($fp);
    return true;
}

?>