Issues (45)

Security Analysis: no request data

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server, gaining access to or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is, for example, used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

search/fulltext_attribute.php (21 issues)

Note: these results are based on our legacy PHP analysis; consider migrating to the new PHP analysis engine instead.

```php
<?php
/**
*
* phpBB Directory extension for the phpBB Forum Software package.
*
* @copyright (c) 2014 ErnadoO <http://www.phpbb-services.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
*/

namespace ernadoo\qte\search;

class fulltext_attribute extends \phpbb\search\base
{
	/** @var \phpbb\config\config */
	protected $config;

	/** @var \phpbb\db\driver\driver_interface */
	protected $db;

	/**
	* Constructor
	*
	* @param \phpbb\config\config				$config Config object
	* @param \phpbb\db\driver\driver_interface	$db		Database object
	*/
	public function __construct(\phpbb\config\config $config, \phpbb\db\driver\driver_interface $db)
	{
		$this->config	= $config;
		$this->db		= $db;
	}

	/**
	* Performs a search on keywords depending on display specific params. You have to run split_keywords() first
	*
	* @param	array		$keywords_ary		contains each words to search
	* @param	string		$terms				is either 'all' (use query as entered, words without prefix should default to "have to be in field") or 'any' (ignore search query parts and just return all posts that contain any of the specified words)
	* @param	array		$sort_by_sql		contains SQL code for the ORDER BY part of a query
	* @param	string		$sort_key			is the key of $sort_by_sql for the selected sorting
	* @param	string		$sort_dir			is either a or d representing ASC and DESC
	* @param	string		$sort_days			specifies the maximum amount of days a post may be old
	* @param	array		$ex_cid_ary			specifies an array of category ids which should not be searched
	* @param	int			$cat_id				is set to 0 or a topic id, if it is not 0 then only posts in this topic should be searched
	* @param	array		&$id_ary			passed by reference, to be filled with ids for the page specified by $start and $per_page, should be ordered
	* @param	int			$start				indicates the first index of the page
	* @param	int			$per_page			number of ids each page is supposed to contain
	* @return	int								total number of results
	*/
	public function attribute_search($attribute_id, $type, $terms, $sort_by_sql, $sort_key, $sort_dir, $sort_days, $ex_fid_ary, $post_visibility, $topic_id, $author_ary, $author_name, &$id_ary, &$start, $per_page)
	{
		// generate a search_key from all the options to identify the results
		$search_key_array = array(
			$attribute_id,
			$type,
			'firstpost',
			'',
			'',
			$sort_days,
			$sort_key,
			$topic_id,
			implode(',', $ex_fid_ary),
			$post_visibility,
			implode(',', $author_ary),
			$author_name,
		);

		$search_key = md5(implode('#', $search_key_array));

		if ($start < 0)
		{
			$start = 0;
		}

		// try reading the results from cache
		$result_count = 0;
		if ($this->obtain_ids($search_key, $result_count, $id_ary, $start, $per_page, $sort_dir) == SEARCH_RESULT_IN_CACHE)
		{
			return $result_count;
		}

		$id_ary = array();

		// Create some display specific sql strings
		// Note: the ids are cast to int and the forum list goes through sql_in_set()
		// before these fragments are placed in the query below.
		$sql_attribute	= 't.topic_attr_id = ' . (int) $attribute_id;
		$sql_fora		= (sizeof($ex_fid_ary)) ? ' AND ' . $this->db->sql_in_set('p.forum_id', $ex_fid_ary, true) : '';
		$sql_topic_id	= ($topic_id) ? ' AND p.topic_id = ' . (int) $topic_id : '';
		$sql_time		= ($sort_days) ? ' AND p.post_time >= ' . (time() - ($sort_days * 86400)) : '';
		$sql_firstpost	= ' AND p.post_id = t.topic_first_post_id';

		// Build sql strings for sorting
		// Note: $sort_by_sql[$sort_key] and $post_visibility are SQL fragments the caller
		// supplies pre-built; they are interpolated verbatim, so the caller must not
		// derive them from unvalidated request data.
		$sql_sort = $sort_by_sql[$sort_key] . (($sort_dir == 'a') ? ' ASC' : ' DESC');
		$sql_sort_table = $sql_sort_join = '';
		switch ($sql_sort[0])
		{
			case 'u':
				$sql_sort_table	= USERS_TABLE . ' u, ';
				$sql_sort_join	= ($type == 'posts') ? ' AND u.user_id = p.poster_id ' : ' AND u.user_id = t.topic_poster ';
			break;

			case 'f':
				$sql_sort_table	= FORUMS_TABLE . ' f, ';
				$sql_sort_join	= ' AND f.forum_id = p.forum_id ';
			break;
		}

		$m_approve_fid_sql = ' AND ' . $post_visibility;

		// If the cache was completely empty count the results
		$calc_results = ($result_count) ? '' : 'SQL_CALC_FOUND_ROWS ';

		// Build the query for really selecting the post_ids
		if ($type == 'posts')
		{
			$sql = "SELECT {$calc_results}p.post_id
				FROM " . $sql_sort_table . POSTS_TABLE . ' p, ' . TOPICS_TABLE . ' t ' . "
				WHERE $sql_attribute
					$sql_topic_id
					$sql_firstpost
					$m_approve_fid_sql
					$sql_fora
					$sql_sort_join
					$sql_time
				ORDER BY $sql_sort";
			$field = 'post_id';
		}
		else
		{
			$sql = "SELECT {$calc_results}t.topic_id
				FROM " . $sql_sort_table . TOPICS_TABLE . ' t, ' . POSTS_TABLE . " p
				WHERE $sql_attribute
					$sql_topic_id
					$sql_firstpost
					$m_approve_fid_sql
					$sql_fora
					AND t.topic_id = p.topic_id
					$sql_sort_join
					$sql_time
				GROUP BY t.topic_id
				ORDER BY $sql_sort";
			$field = 'topic_id';
		}

		// Only read one block of posts from the db and then cache it
		$result = $this->db->sql_query_limit($sql, $this->config['search_block_size'], $start);

		while ($row = $this->db->sql_fetchrow($result))
		{
			$id_ary[] = (int) $row[$field];
		}
		$this->db->sql_freeresult($result);

		// retrieve the total result count if needed
		if (!$result_count)
		{
			$sql_found_rows = 'SELECT FOUND_ROWS() as result_count';
			$result = $this->db->sql_query($sql_found_rows);
			$result_count = (int) $this->db->sql_fetchfield('result_count');
			$this->db->sql_freeresult($result);

			if (!$result_count)
			{
				return false;
			}
		}

		if ($start >= $result_count)
		{
			$start = floor(($result_count - 1) / $per_page) * $per_page;

			$result = $this->db->sql_query_limit($sql, $this->config['search_block_size'], $start);
			while ($row = $this->db->sql_fetchrow($result))
			{
				$id_ary[] = (int) $row[$field];
			}
			$this->db->sql_freeresult($result);

			$id_ary = array_unique($id_ary);
		}

		if (sizeof($id_ary))
		{
			$this->save_ids($search_key, '', $author_ary, $result_count, $id_ary, $start, $sort_dir);
			$id_ary = array_slice($id_ary, 0, $per_page);

			return $result_count;
		}
		return false;
	}
}
```

Issues reported for this file (21 in total; the explanation text that the report repeats for every occurrence is given once per check here):

1. PHPDoc parameter mismatches in the docblock of attribute_search() (3 issues, 0 ignored):

   - `@param array $keywords_ary`: There is no parameter named $keywords_ary. Was it maybe removed?
   - `@param array $ex_cid_ary`: There is no parameter named $ex_cid_ary. Did you maybe mean $id_ary?
   - `@param int $cat_id`: There is no parameter named $cat_id. Was it maybe removed?

   This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. For $ex_cid_ary it has, however, found a similar but not annotated parameter which might be a good fit.

   Consider the following example. The parameter $italy is not defined by the method finale(...).

   ```php
   /**
    * @param array $germany
    * @param array $island
    * @param array $italy
    */
   function finale($germany, $island) {
       return "2:1";
   }
   ```

   The most likely cause is that the parameter was removed, but the annotation was not.

   In the variant where a similar parameter exists, the parameter $ireland is not defined by the method finale(...):

   ```php
   /**
    * @param array $germany
    * @param array $ireland
    */
   function finale($germany, $island) {
       return "2:1";
   }
   ```

   The most likely cause is that the parameter was changed, but the annotation was not.

2. Coding Style Best Practice, reported separately for each of the nine variables in the `$type == 'posts'` query string and again for the same nine variables in the topic query string (18 issues, 0 ignored): As per coding-style, please use concatenation or sprintf for the variables $calc_results, $sql_attribute, $sql_topic_id, $sql_firstpost, $m_approve_fid_sql, $sql_fora, $sql_sort_join, $sql_time and $sql_sort instead of interpolation.

   It is generally a best practice as it is often more readable to use concatenation instead of interpolation for variables inside strings.

   ```php
   // Instead of
   $x = "foo $bar $baz";

   // Better use either
   $x = "foo " . $bar . " " . $baz;
   $x = sprintf("foo %s %s", $bar, $baz);
   ```