These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
0 ignored issues
–
show
|
|||
2 | $defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1; |
||
3 | |||
4 | /** |
||
5 | * Helper class for our API |
||
6 | **/ |
||
7 | class Api extends Base { |
||
0 ignored issues
–
show
PSR1 recommends that each class must be in a namespace of at least one level to avoid collisions.
You can fix this by adding a namespace to your class: namespace YourVendor;
class YourClass { }
When choosing a vendor namespace, try to pick something that is not too generic to avoid conflicts with other libraries.
Loading history...
|
|||
8 | private $api_version = '1.0.0'; |
||
9 | |||
10 | function setStartTime($dStartTime) { |
||
0 ignored issues
–
show
|
|||
11 | $this->dStartTime = $dStartTime; |
||
0 ignored issues
–
show
The property
dStartTime does not exist. Did you maybe forget to declare it?
In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { }
$x = new MyClass();
$x->foo = true;
Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass {
public $foo;
}
$x = new MyClass();
$x->foo = true;
Loading history...
|
|||
12 | } |
||
13 | function isActive($error=true) { |
||
0 ignored issues
–
show
isActive uses the super-global variable $_SESSION which is generally not recommended.
Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad
class Router
{
public function generate($path)
{
return $_SERVER['HOST'].$path;
}
}
// Better
class Router
{
private $host;
public function __construct($host)
{
$this->host = $host;
}
public function generate($path)
{
return $this->host.$path;
}
}
class Controller
{
public function myAction(Request $request)
{
// Instead of
$page = isset($_GET['page']) ? intval($_GET['page']) : 1;
// Better (assuming you use the Symfony2 request)
$page = $request->query->get('page', 1);
}
}
Loading history...
|
|||
14 | if (!$this->setting->getValue('disable_api')) { |
||
0 ignored issues
–
show
The property
setting does not exist. Did you maybe forget to declare it?
In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { }
$x = new MyClass();
$x->foo = true;
Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass {
public $foo;
}
$x = new MyClass();
$x->foo = true;
Loading history...
|
|||
15 | return true; |
||
16 | } else { |
||
17 | if ($error == true) { |
||
0 ignored issues
–
show
|
|||
18 | unset($_SESSION['POPUP']); |
||
19 | header('HTTP/1.1 501 Not implemented'); |
||
20 | die('501 Not implemented'); |
||
0 ignored issues
–
show
The method
isActive() contains an exit expression.
An exit expression should only be used in rare cases. For example, if you write a short command line script. In most cases however, using an
Loading history...
|
|||
21 | } |
||
22 | } |
||
23 | } |
||
24 | |||
25 | /** |
||
26 | * Create API json object from input array |
||
27 | * @param data Array data to create JSON for |
||
28 | * @param force bool Enforce a JSON object |
||
29 | * @return string JSON object |
||
30 | **/ |
||
31 | function get_json($data, $force=false) { |
||
0 ignored issues
–
show
get_json uses the super-global variable $_REQUEST which is generally not recommended.
Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad
class Router
{
public function generate($path)
{
return $_SERVER['HOST'].$path;
}
}
// Better
class Router
{
private $host;
public function __construct($host)
{
$this->host = $host;
}
public function generate($path)
{
return $this->host.$path;
}
}
class Controller
{
public function myAction(Request $request)
{
// Instead of
$page = isset($_GET['page']) ? intval($_GET['page']) : 1;
// Better (assuming you use the Symfony2 request)
$page = $request->query->get('page', 1);
}
}
Loading history...
|
|||
32 | $json = json_encode( |
||
33 | array( $_REQUEST['action'] => array( |
||
34 | 'version' => $this->api_version, |
||
35 | 'runtime' => (microtime(true) - $this->dStartTime) * 1000, |
||
36 | 'data' => $data |
||
37 | )), $force ? JSON_FORCE_OBJECT : 0 |
||
38 | ); |
||
39 | // JSONP support issue #1700 |
||
40 | if (isset($_REQUEST['callback']) && ctype_alpha($_REQUEST['callback'])) { |
||
41 | header('Content-type: application/json; charset=utf-8'); |
||
42 | return $_REQUEST['callback'] . '(' . $json . ');'; |
||
43 | } |
||
44 | return $json; |
||
45 | } |
||
46 | |||
47 | /** |
||
48 | * Check user access level to the API call |
||
49 | **/ |
||
50 | function checkAccess($user_id, $get_id=NULL) { |
||
0 ignored issues
–
show
checkAccess uses the super-global variable $_REQUEST which is generally not recommended.
Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad
class Router
{
public function generate($path)
{
return $_SERVER['HOST'].$path;
}
}
// Better
class Router
{
private $host;
public function __construct($host)
{
$this->host = $host;
}
public function generate($path)
{
return $this->host.$path;
}
}
class Controller
{
public function myAction(Request $request)
{
// Instead of
$page = isset($_GET['page']) ? intval($_GET['page']) : 1;
// Better (assuming you use the Symfony2 request)
$page = $request->query->get('page', 1);
}
}
Loading history...
|
|||
51 | if (!empty($get_id) && is_array($get_id)) die("Access denied"); |
||
0 ignored issues
–
show
The method
checkAccess() contains an exit expression.
An exit expression should only be used in rare cases. For example, if you write a short command line script. In most cases however, using an
Loading history...
|
|||
52 | if (is_array($user_id)) die("Access denied"); |
||
0 ignored issues
–
show
The method
checkAccess() contains an exit expression.
An exit expression should only be used in rare cases. For example, if you write a short command line script. In most cases however, using an
Loading history...
|
|||
53 | if ( ! $this->user->isAdmin($user_id) && (!empty($get_id) && $get_id != $user_id || !is_int($user_id))) { |
||
54 | // User is NOT admin and tries to access an ID that is not their own |
||
55 | header("HTTP/1.1 401 Unauthorized"); |
||
56 | die("Access denied"); |
||
0 ignored issues
–
show
The method
checkAccess() contains an exit expression.
An exit expression should only be used in rare cases. For example, if you write a short command line script. In most cases however, using an
Loading history...
|
|||
57 | } else if ($this->user->isAdmin($user_id) && !empty($get_id)) { |
||
58 | // User is an admin and tries to fetch another users data |
||
59 | $id = $get_id; |
||
60 | // Is it a username or a user ID |
||
61 | ctype_digit($_REQUEST['id']) ? $id = $get_id : $id = $this->user->getUserId($get_id); |
||
0 ignored issues
–
show
The property
user does not exist. Did you maybe forget to declare it?
In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { }
$x = new MyClass();
$x->foo = true;
Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass {
public $foo;
}
$x = new MyClass();
$x->foo = true;
Loading history...
|
|||
62 | } else { |
||
63 | $id = $user_id; |
||
64 | } |
||
65 | return $id; |
||
66 | } |
||
67 | } |
||
68 | |||
69 | $api = new Api(); |
||
70 | $api->setConfig($config); |
||
71 | $api->setUser($user); |
||
72 | $api->setSetting($setting); |
||
73 | $api->setStartTime($dStartTime=microtime(true)); |
||
74 |
The PSR-1: Basic Coding Standard recommends that a file should either introduce new symbols, that is classes, functions, constants or similar, or have side effects. Side effects are anything that executes logic, like for example printing output, changing ini settings or writing to a file.
The idea behind this recommendation is that merely auto-loading a class should not change the state of an application. It also promotes a cleaner style of programming and makes your code less prone to errors, because the logic is not spread out all over the place.
To learn more about the PSR-1, please see the PHP-FIG site on the PSR-1.