Issues in ActiveRecord.php (master) - Issues in master - KumbiaPHP/ActiveRecord - Measure and Improve Code Quality continuously with Scrutinizer

Issues (15)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

ActiveRecord.php (2 issues)

Labels

Severity

Minor 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * KumbiaPHP web & app Framework.
 *
 * LICENSE
 *
 * This source file is subject to the new BSD license that is bundled
 * with this package in the file LICENSE.txt.
 * It is also available through the world-wide-web at this URL:
 * http://wiki.kumbiaphp.com/Licencia
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to [email protected] so we can send you a copy immediately.
 *
 * @category   Kumbia
 *
 * @copyright  2005 - 2020  Kumbia Team (http://www.kumbiaphp.com)
 * @license    http://wiki.kumbiaphp.com/Licencia     New BSD License
 */

namespace Kumbia\ActiveRecord;

/**
 * Implementación de patrón ActiveRecord con ayudantes de consultas sql.
 */
class ActiveRecord extends LiteRecord implements \JsonSerializable
{
    const BELONG_TO = 1;
    const HAS_MANY = 2;
    const HAS_ONE = 3;

    /**
     * Describe the relationships.
     *
     * @var array
     */
    protected static $relations = [];

    public static function resolver($relations, $obj)
    {
        $model = $relations->model;
        if ($relations->type === self::HAS_MANY) {
            return $model::allBy($relations->via, $obj->pk());
        }

        return $model::first($relations->via, $obj->pk());
    }

    public static function hasMany($name, $class, $via = null)
    {
        $str = strtolower($name);
        $name = static::getTable();
        static::$relations[$str] = (object) [
            'model' => $class,
            'type' => self::HAS_MANY,
            'via' => $via ? $via : "{$name}_id",
        ];
    }

    public static function hasOne($name, $class, $via = null)
    {
        $str = strtolower($name);
        $name = static::getTable();
        static::$relations[$str] = (object) [
            'model' => $class,
            'type' => self::HAS_ONE,
            'via' => $via ? $via : "{$name}_id",
        ];
    }

    /**
     * json_encode() method.
     */
    public function jsonSerialize()
    {
        return $this; //TODO: populate relations before
    }

    public function __get($key)
    {
        if (property_exists($this, $key)) {
            return $this->$key;
        }
        //it's a relationship
        if (isset(static::$relations[$key])) {
            $this->populate($key);

            return $this->$key;
        }

        return null; //TODO: change for error
    }

    protected static function getRelationship($rel)
    {
        if (!isset(static::$relations[$rel])) {
            throw new \RuntimeException("Invalid relationship '$rel'", 500);
        }

        return static::$relations[$rel];
    }

    public function populate($rel)
    {
        $relations = static::getRelationship($rel);
        $this->$rel = static::resolver($relations, $this);
    }

    /**
     * Pagination of Results.
     *
     * @param array $params   [description]
     * @param array $values   [description]
     * @param int   $page     [description]
     * @param int   $per_page [description]
     *
     * @return Paginator [description]
     */
    public static function pagination($params = [], $values = [], $page = 1, $per_page = 10)
    {
        $model = static::class;
        unset($params['limit'], $params['offset']);
        $sql = QueryGenerator::select($model::getSource(), $model::getDriver(), $params);

        return new Paginator($model, $sql, $page, $per_page, $values);
    }

    /**
     * Actualizar registros.
     *
     * @param array  $fields
     * @param string $where  condiciones
     * @param array  $values valores para condiciones
     *
     * @return int numero de registros actualizados
     */
    public static function updateAll(array $fields, string $where = '', array $values = [])
    {
        $sql = QueryGenerator::updateAll(static::class, $fields, $values, $where);
        $sth = self::prepare($sql);
        $sth->execute($values);

        return $sth->rowCount();
    }

    /**
     * Eliminar registro.
     *
     * @param string        $where  condiciones
     * @param array |string $values valores
     *
     * @return int numero de registros eliminados
     */
    public static function deleteAll($where = null, $values = null)
    {
        $source = static::getSource();
        $sql = QueryGenerator::deleteAll($source, $where);
        $sth = self::query($sql, $values);

        return $sth->rowCount();
    }

    /**
     * Elimina caracteres que podrian ayudar a ejecutar
     * un ataque de Inyeccion SQL.
     *
     * @param string $sqlItem
     *
     * @return string
     * @throws \RuntimeException
     */
    public static function sqlItemSanitize($sqlItem)
    {
        $sqlItem = \trim($sqlItem);
        if ($sqlItem !== '' && $sqlItem !== null) {
            $sql_temp = \preg_replace('/\s+/', '', $sqlItem);
            if (!\preg_match('/^[a-zA-Z0-9_\.]+$/', $sql_temp)) {
                throw new \RuntimeException('Se está tratando de ejecutar un SQL peligroso!');
            }
        }

        return $sqlItem;
    }

    /**
     * Obtener la primera coincidencia por el campo indicado.
     *
     * @param string $field  campo
     * @param string $value  valor
     * @param array  $params parametros adicionales
     *                       order: criterio de ordenamiento
     *                       fields: lista de campos
     *                       join: joins de tablas
     *                       group: agrupar campos
     *                       having: condiciones de grupo
     *                       offset: valor offset
     *
     * @return ActiveRecord
     */
    public static function firstBy($field, $value, $params = [])
    {
        $field = self::sqlItemSanitize($field);
        $params['where'] = "$field = ?";

        return self::first($params, $value);
    }

    /**
     * Obtener la primera coincidencia de las condiciones indicadas.
     *
     * @param array $params parametros adicionales
     *                      order: criterio de ordenamiento
     *                      fields: lista de campos
     *                      group: agrupar campos
     *                      join: joins de tablas
     *                      having: condiciones de grupo
     *                      offset: valor offset queda
     * @param array $values valores de busqueda
     *
     * @return ActiveRecord
     */
    public static function first($params = [], $values = [])
    {
        $args = func_get_args();
        /*Reescribe el limit*/
        $args[0]['limit'] = 1;
        $res = self::doQuery($args);

        return $res->fetch();
    }

    /**
     * Obtener todos los registros.
     *
     * @param array $params
     *                      where: condiciones where
     *                      order: criterio de ordenamiento
     *                      fields: lista de campos
     *                      join: joins de tablas
     *                      group: agrupar campos
     *                      having: condiciones de grupo
     *                      limit: valor limit
     *                      offset: valor offset
     * @param array $values valores de busqueda
     *
     * @return \PDOStatement
     */
    public static function all($params = [], $values = [])
    {
        $res = self::doQuery(func_get_args());

        return $res->fetchAll();
    }

    /**
     * Do a query.
     *
     * @param array $array params of query
     *
     * @return \PDOStatement|false
     */
    protected static function doQuery(array $array)
    {
        $params = self::getParam($array);
        $values = self::getValues($array);
        $sql = QueryGenerator::select(static::getSource(), static::getDriver(), $params);
        $sth = static::query($sql, $values);

        return $sth;
    }

    /**
     * Retorna los parametros para el doQuery.
     *
     * @param array $array
     *
     * @return array
     */
    protected static function getParam(array &$array)
    {
        $val = array_shift($array);

        return is_null($val) ? [] : $val;
    }

    /**
     * Retorna los values para el doQuery.
     *
     * @param array $array
     *
     * @return array
     */
    protected static function getValues(array $array)
    {
        return isset($array[0]) ?
        is_array($array[0]) ? $array[0] : [$array[0]] : $array;
    }

    /**
     * Obtener todas las coincidencias por el campo indicado.
     *
     * @param string $field  campo
     * @param string $value  valor
     * @param array  $params
     *                       order: criterio de ordenamiento
     *                       fields: lista de campos
     *                       join: joins de tablas
     *                       group: agrupar campos
     *                       having: condiciones de grupo
     *                       limit: valor limit
     *                       offset: valor offset
     *
     * @return \PDOStatement
     */
    public static function allBy($field, $value, $params = [])
    {
        $field = self::sqlItemSanitize($field);
        $params['where'] = "$field = ?";

        return self::all($params, $value);
    }

    /**
     * Cuenta los registros que coincidan con las condiciones indicadas.
     *
     * @param string $where  condiciones
     * @param array  $values valores
     *
     * @return int
     */
    public static function count(string $where = '', array $values = [])
    {
        $source = static::getSource();
        $sql = QueryGenerator::count($source, $where);

        $sth = static::query($sql, $values);

        return $sth->fetch()->count;
    }

    /**
     * Paginar.
     *
     * @param array $params
     * @param int   $page    numero de pagina
     * @param int   $perPage cantidad de items por pagina
     * @param array $values  valores
     *
     * @return Paginator
     */
    public static function paginate(array $params, int $page, int $perPage, $values = null)
    {
        unset($params['limit'], $params['offset']);
        $sql = QueryGenerator::select(static::getSource(), static::getDriver(), $params);

        // Valores para consulta
        if ($values !== null && !\is_array($values)) {
            $values = \array_slice(func_get_args(), 3);
        }

        return new Paginator(static::class, $sql, $page, $perPage, $values);
    }

    /**
     * Obtiene todos los registros de la consulta sql.
     *
     * @param string         $sql
     * @param string | array $values
     *
     * @return array
     */
    public static function allBySql($sql, $values = null)
    {
        if (!is_array($values)) {
            $values = \array_slice(\func_get_args(), 1);
        }

        return parent::all($sql, $values);
class Daddy
{
    protected function getFirstName()
    {
        return "Eidur";
    }

    protected function getSurName()
    {
        return "Gudjohnsen";
    }
}

class Son
{
    public function getFirstName()
    {
        return parent::getSurname();
    }
}
    }

    /**
     * Obtiene el primer registro de la consulta sql.
     *
     * @param string         $sql
     * @param string | array $values
     *
     * @return array
     */
    public static function firstBySql($sql, $values = null)
    {
        if (!is_array($values)) {
            $values = \array_slice(\func_get_args(), 1);
        }

        return parent::first($sql, $values);
class Daddy
{
    protected function getFirstName()
    {
        return "Eidur";
    }

    protected function getSurName()
    {
        return "Gudjohnsen";
    }
}

class Son
{
    public function getFirstName()
    {
        return parent::getSurname();
    }
}
    }
}


1		<?php
2		/**
3		* KumbiaPHP web & app Framework.
4		*
5		* LICENSE
6		*
7		* This source file is subject to the new BSD license that is bundled
8		* with this package in the file LICENSE.txt.
9		* It is also available through the world-wide-web at this URL:
10		* http://wiki.kumbiaphp.com/Licencia
11		* If you did not receive a copy of the license and are unable to
12		* obtain it through the world-wide-web, please send an email
13		* to [email protected] so we can send you a copy immediately.
14		*
15		* @category Kumbia
16		*
17		* @copyright 2005 - 2020 Kumbia Team (http://www.kumbiaphp.com)
18		* @license http://wiki.kumbiaphp.com/Licencia New BSD License
19		*/
20
21		namespace Kumbia\ActiveRecord;
22
23		/**
24		* Implementación de patrón ActiveRecord con ayudantes de consultas sql.
25		*/
26		class ActiveRecord extends LiteRecord implements \JsonSerializable
27		{
28		const BELONG_TO = 1;
29		const HAS_MANY = 2;
30		const HAS_ONE = 3;
31
32		/**
33		* Describe the relationships.
34		*
35		* @var array
36		*/
37		protected static $relations = [];
38
39		public static function resolver($relations, $obj)
40		{
41		$model = $relations->model;
42		if ($relations->type === self::HAS_MANY) {
43		return $model::allBy($relations->via, $obj->pk());
44		}
45
46		return $model::first($relations->via, $obj->pk());
47		}
48
49	View Code Duplication	public static function hasMany($name, $class, $via = null)
50		{
51		$str = strtolower($name);
52		$name = static::getTable();
53		static::$relations[$str] = (object) [
54		'model' => $class,
55		'type' => self::HAS_MANY,
56		'via' => $via ? $via : "{$name}_id",
57		];
58		}
59
60	View Code Duplication	public static function hasOne($name, $class, $via = null)
61		{
62		$str = strtolower($name);
63		$name = static::getTable();
64		static::$relations[$str] = (object) [
65		'model' => $class,
66		'type' => self::HAS_ONE,
67		'via' => $via ? $via : "{$name}_id",
68		];
69		}
70
71		/**
72		* json_encode() method.
73		*/
74		public function jsonSerialize()
75		{
76		return $this; //TODO: populate relations before
77		}
78
79		public function __get($key)
80		{
81		if (property_exists($this, $key)) {
82		return $this->$key;
83		}
84		//it's a relationship
85		if (isset(static::$relations[$key])) {
86		$this->populate($key);
87
88		return $this->$key;
89		}
90
91		return null; //TODO: change for error
92		}
93
94		protected static function getRelationship($rel)
95		{
96		if (!isset(static::$relations[$rel])) {
97		throw new \RuntimeException("Invalid relationship '$rel'", 500);
98		}
99
100		return static::$relations[$rel];
101		}
102
103		public function populate($rel)
104		{
105		$relations = static::getRelationship($rel);
106		$this->$rel = static::resolver($relations, $this);
107		}
108
109		/**
110		* Pagination of Results.
111		*
112		* @param array $params [description]
113		* @param array $values [description]
114		* @param int $page [description]
115		* @param int $per_page [description]
116		*
117		* @return Paginator [description]
118		*/
119		public static function pagination($params = [], $values = [], $page = 1, $per_page = 10)
120		{
121		$model = static::class;
122		unset($params['limit'], $params['offset']);
123		$sql = QueryGenerator::select($model::getSource(), $model::getDriver(), $params);
124
125		return new Paginator($model, $sql, $page, $per_page, $values);
126		}
127
128		/**
129		* Actualizar registros.
130		*
131		* @param array $fields
132		* @param string $where condiciones
133		* @param array $values valores para condiciones
134		*
135		* @return int numero de registros actualizados
136		*/
137		public static function updateAll(array $fields, string $where = '', array $values = [])
138		{
139		$sql = QueryGenerator::updateAll(static::class, $fields, $values, $where);
140		$sth = self::prepare($sql);
141		$sth->execute($values);
142
143		return $sth->rowCount();
144		}
145
146		/**
147		* Eliminar registro.
148		*
149		* @param string $where condiciones
150		* @param array \|string $values valores
151		*
152		* @return int numero de registros eliminados
153		*/
154		public static function deleteAll($where = null, $values = null)
155		{
156		$source = static::getSource();
157		$sql = QueryGenerator::deleteAll($source, $where);
158		$sth = self::query($sql, $values);
159
160		return $sth->rowCount();
161		}
162
163		/**
164		* Elimina caracteres que podrian ayudar a ejecutar
165		* un ataque de Inyeccion SQL.
166		*
167		* @param string $sqlItem
168		*
169		* @return string
170		* @throws \RuntimeException
171		*/
172		public static function sqlItemSanitize($sqlItem)
173		{
174		$sqlItem = \trim($sqlItem);
175		if ($sqlItem !== '' && $sqlItem !== null) {
176		$sql_temp = \preg_replace('/\s+/', '', $sqlItem);
177		if (!\preg_match('/^[a-zA-Z0-9_\.]+$/', $sql_temp)) {
178		throw new \RuntimeException('Se está tratando de ejecutar un SQL peligroso!');
179		}
180		}
181
182		return $sqlItem;
183		}
184
185		/**
186		* Obtener la primera coincidencia por el campo indicado.
187		*
188		* @param string $field campo
189		* @param string $value valor
190		* @param array $params parametros adicionales
191		* order: criterio de ordenamiento
192		* fields: lista de campos
193		* join: joins de tablas
194		* group: agrupar campos
195		* having: condiciones de grupo
196		* offset: valor offset
197		*
198		* @return ActiveRecord
199		*/
200	View Code Duplication	public static function firstBy($field, $value, $params = [])
201		{
202		$field = self::sqlItemSanitize($field);
203		$params['where'] = "$field = ?";
204
205		return self::first($params, $value);
206		}
207
208		/**
209		* Obtener la primera coincidencia de las condiciones indicadas.
210		*
211		* @param array $params parametros adicionales
212		* order: criterio de ordenamiento
213		* fields: lista de campos
214		* group: agrupar campos
215		* join: joins de tablas
216		* having: condiciones de grupo
217		* offset: valor offset queda
218		* @param array $values valores de busqueda
219		*
220		* @return ActiveRecord
221		*/
222		public static function first($params = [], $values = [])
223		{
224		$args = func_get_args();
225		/Reescribe el limit/
226		$args[0]['limit'] = 1;
227		$res = self::doQuery($args);
228
229		return $res->fetch();
230		}
231
232		/**
233		* Obtener todos los registros.
234		*
235		* @param array $params
236		* where: condiciones where
237		* order: criterio de ordenamiento
238		* fields: lista de campos
239		* join: joins de tablas
240		* group: agrupar campos
241		* having: condiciones de grupo
242		* limit: valor limit
243		* offset: valor offset
244		* @param array $values valores de busqueda
245		*
246		* @return \PDOStatement
247		*/
248		public static function all($params = [], $values = [])
249		{
250		$res = self::doQuery(func_get_args());
251
252		return $res->fetchAll();
253		}
254
255		/**
256		* Do a query.
257		*
258		* @param array $array params of query
259		*
260		* @return \PDOStatement\|false
261		*/
262		protected static function doQuery(array $array)
263		{
264		$params = self::getParam($array);
265		$values = self::getValues($array);
266		$sql = QueryGenerator::select(static::getSource(), static::getDriver(), $params);
267		$sth = static::query($sql, $values);
268
269		return $sth;
270		}
271
272		/**
273		* Retorna los parametros para el doQuery.
274		*
275		* @param array $array
276		*
277		* @return array
278		*/
279		protected static function getParam(array &$array)
280		{
281		$val = array_shift($array);
282
283		return is_null($val) ? [] : $val;
284		}
285
286		/**
287		* Retorna los values para el doQuery.
288		*
289		* @param array $array
290		*
291		* @return array
292		*/
293		protected static function getValues(array $array)
294		{
295		return isset($array[0]) ?
296		is_array($array[0]) ? $array[0] : [$array[0]] : $array;
297		}
298
299		/**
300		* Obtener todas las coincidencias por el campo indicado.
301		*
302		* @param string $field campo
303		* @param string $value valor
304		* @param array $params
305		* order: criterio de ordenamiento
306		* fields: lista de campos
307		* join: joins de tablas
308		* group: agrupar campos
309		* having: condiciones de grupo
310		* limit: valor limit
311		* offset: valor offset
312		*
313		* @return \PDOStatement
314		*/
315	View Code Duplication	public static function allBy($field, $value, $params = [])
316		{
317		$field = self::sqlItemSanitize($field);
318		$params['where'] = "$field = ?";
319
320		return self::all($params, $value);
321		}
322
323		/**
324		* Cuenta los registros que coincidan con las condiciones indicadas.
325		*
326		* @param string $where condiciones
327		* @param array $values valores
328		*
329		* @return int
330		*/
331		public static function count(string $where = '', array $values = [])
332		{
333		$source = static::getSource();
334		$sql = QueryGenerator::count($source, $where);
335
336		$sth = static::query($sql, $values);
337
338		return $sth->fetch()->count;
339		}
340
341		/**
342		* Paginar.
343		*
344		* @param array $params
345		* @param int $page numero de pagina
346		* @param int $perPage cantidad de items por pagina
347		* @param array $values valores
348		*
349		* @return Paginator
350		*/
351		public static function paginate(array $params, int $page, int $perPage, $values = null)
352		{
353		unset($params['limit'], $params['offset']);
354		$sql = QueryGenerator::select(static::getSource(), static::getDriver(), $params);
355
356		// Valores para consulta
357		if ($values !== null && !\is_array($values)) {
358		$values = \array_slice(func_get_args(), 3);
359		}
360
361		return new Paginator(static::class, $sql, $page, $perPage, $values);
362		}
363
364		/**
365		* Obtiene todos los registros de la consulta sql.
366		*
367		* @param string $sql
368		* @param string \| array $values
369		*
370		* @return array
371		*/
372	View Code Duplication	public static function allBySql($sql, $values = null)
373		{
374		if (!is_array($values)) {
375		$values = \array_slice(\func_get_args(), 1);
376		}
377
378		return parent::all($sql, $values);
		0 ignored issues – show Comprehensibility Bug introduced 2015-11-27 18:10 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you call parent on a different method (`all()` instead of `allBySql()`). Are you sure this is correct? If so, you might want to change this to `$this->all()`. This check looks for a call to a parent method whose name is different than the method from which it is called. Consider the following code: class Daddy { protected function getFirstName() { return "Eidur"; } protected function getSurName() { return "Gudjohnsen"; } } class Son { public function getFirstName() { return parent::getSurname(); } } The `getFirstName()` method in the `Son` calls the wrong method in the parent class. Loading history...
379		}
380
381		/**
382		* Obtiene el primer registro de la consulta sql.
383		*
384		* @param string $sql
385		* @param string \| array $values
386		*
387		* @return array
388		*/
389	View Code Duplication	public static function firstBySql($sql, $values = null)
390		{
391		if (!is_array($values)) {
392		$values = \array_slice(\func_get_args(), 1);
393		}
394
395		return parent::first($sql, $values);
		0 ignored issues – show Comprehensibility Bug introduced 2015-11-27 18:10 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you call parent on a different method (`first()` instead of `firstBySql()`). Are you sure this is correct? If so, you might want to change this to `$this->first()`. This check looks for a call to a parent method whose name is different than the method from which it is called. Consider the following code: class Daddy { protected function getFirstName() { return "Eidur"; } protected function getSurName() { return "Gudjohnsen"; } } class Son { public function getFirstName() { return parent::getSurname(); } } The `getFirstName()` method in the `Son` calls the wrong method in the parent class. Loading history...
396		}
397		}
398

KumbiaPHP / ActiveRecord

Issues (15)

Security Analysis no request data

ActiveRecord.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like