Issues in Field.php (master) - Issues in master - OpenBuildings/jam - Measure and Improve Code Quality continuously with Scrutinizer

Issues (279)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

classes/Kohana/Jam/Field.php (5 issues)

Labels

Severity

Minor 5

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php defined('SYSPATH') OR die('No direct script access.');
/**
 * Core class that all fields must extend
 *
 * @package    Jam
 * @category   Fields
 * @author     Jonathan Geiger
 * @copyright  (c) 2010-2011 Jonathan Geiger
 * @license    http://www.opensource.org/licenses/isc-license.txt
 */
abstract class Kohana_Jam_Field extends Jam_Attribute {

	/**
	 * @var  string  the model's name
	 */
	public $model;

	/**
	 * @var  string  the column's name in the database
	 */
	public $column;

	/**
	 * @var  string  a pretty name for the field
	 */
	public $label;

	/**
	 * @var  string  the field's name in the form
	 */
	public $name;

	/**
	* @var  boolean  a primary key field.
	*/
	public $primary = FALSE;

	/**
	* @var  boolean  the column is present in the database table. Default: TRUE
	*/
	public $in_db = TRUE;

	/**
	* @var  mixed  default value
	*/
	public $default = NULL;

	/**
	 * @var  boolean  whether or not empty() values should be converted to NULL
	 */
	public $convert_empty = FALSE;

	/**
	 * @var  mixed  the value to convert empty values to. This is only used if convert_empty is TRUE
	 */
	public $empty_value = NULL;

	/**
	 * @var  boolean  whether or not NULL values are allowed
	 */
	public $allow_null = TRUE;

	/**
	* @var  array  filters are called whenever data is set on the field
	*/
	public $filters = array();

	/**
	 * Sets all options.
	 *
	 * @param  array  $options
	 */
	public function __construct($options = array())
	{
		// Assume it's the column name
		if (is_string($options))
		{
			$this->column = $options;
		}
		elseif (is_array($options))
		{
			// Just throw them into the class as public variables
			foreach ($options as $name => $value)
			{
				$this->$name = $value;
			}
		}
		elseif ($options !== NULL)
		{
			throw new Kohana_Exception("Jam_Field options must be either string or an array of options");
		}

		// See if we need to allow_null values because of convert_empty
		if ($this->convert_empty AND $this->empty_value === NULL)
		{
			$this->allow_null = TRUE;
		}

		// Default value is going to be NULL if null is true
		// to mimic the SQL defaults.
		if ( ! array_key_exists('default', (array) $options) AND $this->allow_null)
		{
			$this->default = NULL;
		}

		// Default the empty value to NULL when allow_null is TRUE, but be careful not
		// to override a programmer-configured empty_value.
		if ( ! empty($options['allow_null']) AND ! array_key_exists('empty_value', (array) $options))
		{
			$this->empty_value = NULL;
		}

		if ( ! empty($options['filters']))
		{
			$this->filters = $options['filters'];
		}
	}

	/**
	 * This is called after construction so that fields can finish
	 * constructing themselves with a copy of the column it represents.
	 *
	 * @param   string  $model
/**
 * @param array $germany
 * @param array $island
 * @param array $italy
 */
function finale($germany, $island) {
    return "2:1";
}
	 * @param   string  $column
/**
 * @param array $germany
 * @param array $island
 * @param array $italy
 */
function finale($germany, $island) {
    return "2:1";
}
	 * @return  void
	 **/
	public function initialize(Jam_Meta $meta, $name)
	{
		parent::initialize($meta, $name);

		if ( ! $this->column)
		{
			$this->column = $name;
		}
	}

	/**
	 * Sets a particular value processed according
	 * to the class's standards.
	 *
	 * @param   mixed  $value
	 * @return  mixed
	 **/
	public function set(Jam_Validated $model, $value, $is_changed)
	{
		list($value, $return) = $this->_default($model, $value);
<?php

function returnThreeValues() {
    return array('a', 'b', 'c');
}

list($a, $b, $c) = returnThreeValues();

print $a . " - " . $c;

		return $value;
	}

	/**
	 * Returns a particular value processed according
	 * to the class's standards.
	 *
	 * @param   Jam_Model  $model
	 * @param   mixed        $value
	 * @return  mixed
	 **/
	public function get(Jam_Validated $model, $value, $is_changed)
	{
		return $value;
	}

	/**
	 * Called just before saving.
	 *
	 * If $in_db, it is expected to return a value suitable for insertion
	 * into the database.
	 *
	 * @param   Jam_Model  $model
	 * @param   mixed        $value
	 * @param   bool         $loaded
/**
 * @param array $germany
 * @param array $ireland
 */
function finale($germany, $island) {
    return "2:1";
}
	 * @return  mixed
	 */
	public function convert(Jam_Validated $model, $value, $is_loaded)

	{
		return $value;
	}

	/**
	 * Shortcut for setting a filter
	 * @param  string $filter_name
	 * @param  array $values    values, defaults to array(':value')
	 * @return Jam_Field            $this
	 */
	public function filter($filter_name, $values = NULL)
	{
		$this->filters[] = array($filter_name, $values);
		return $this;
	}

	/**
	 * Potentially converts the value to NULL or default depending on
	 * the fields configuration. An array is returned with the first
	 * element being the new value and the second being a boolean
	 * as to whether the field should return the value provided or
	 * continue processing it.
	 *
	 * @param   mixed  $value
	 * @return  array
	 */
	protected function _default(Jam_Validated $model, $value)
	{
		$return = FALSE;

		$value = $this->run_filters($model, $value);

		// Convert empty values to NULL, if needed
		if ($this->convert_empty AND empty($value))
		{
			$value  = $this->empty_value;
			$return = TRUE;
		}

		// Allow NULL values to pass through untouched by the field
		if ($this->allow_null AND $value === NULL)
		{
			$value  = NULL;
			$return = TRUE;
		}


		return array($value, $return);
	}

	public function is_empty($value)
	{
		if ($this->convert_empty AND $this->empty_value !== NULL)
			return $value === $this->empty_value;

		return ($value === NULL OR $value === $this->default);
	}

	public function run_filters(Jam_Validated $model, $value)
	{
		if ( ! empty($this->filters))
		{
			foreach ($this->filters as $filter => $arguments)
			{
				if (is_numeric($filter))
				{
					$filter = $arguments;
					$arguments = array();
				}

				$value = $this->run_filter($model, $value, $filter, $arguments);
			}
		}
		return $value;
	}

	public function run_filter(Jam_Validated $model, $value, $filter, array $arguments = array())
	{
		$bound = array(
			':model' => $model,
			':field' => $this->name,
			':value' => $value,
		);

		$arguments = $arguments ? $arguments : array(':value');

		foreach ($arguments as & $argument)
		{
			if (is_string($argument) AND array_key_exists($argument, $bound))
			{
				// Replace with bound value
				$argument = $bound[$argument];
			}
		}

		$value = call_user_func_array($filter, $arguments);


		return $value;
	}
} // End Kohana_Jam_Field


1		<?php defined('SYSPATH') OR die('No direct script access.');
2		/**
3		* Core class that all fields must extend
4		*
5		* @package Jam
6		* @category Fields
7		* @author Jonathan Geiger
8		* @copyright (c) 2010-2011 Jonathan Geiger
9		* @license http://www.opensource.org/licenses/isc-license.txt
10		*/
11		abstract class Kohana_Jam_Field extends Jam_Attribute {
12
13		/**
14		* @var string the model's name
15		*/
16		public $model;
17
18		/**
19		* @var string the column's name in the database
20		*/
21		public $column;
22
23		/**
24		* @var string a pretty name for the field
25		*/
26		public $label;
27
28		/**
29		* @var string the field's name in the form
30		*/
31		public $name;
32
33		/**
34		* @var boolean a primary key field.
35		*/
36		public $primary = FALSE;
37
38		/**
39		* @var boolean the column is present in the database table. Default: TRUE
40		*/
41		public $in_db = TRUE;
42
43		/**
44		* @var mixed default value
45		*/
46		public $default = NULL;
47
48		/**
49		* @var boolean whether or not empty() values should be converted to NULL
50		*/
51		public $convert_empty = FALSE;
52
53		/**
54		* @var mixed the value to convert empty values to. This is only used if convert_empty is TRUE
55		*/
56		public $empty_value = NULL;
57
58		/**
59		* @var boolean whether or not NULL values are allowed
60		*/
61		public $allow_null = TRUE;
62
63		/**
64		* @var array filters are called whenever data is set on the field
65		*/
66		public $filters = array();
67
68		/**
69		* Sets all options.
70		*
71		* @param array $options
72		*/
73	58	public function __construct($options = array())
74		{
75		// Assume it's the column name
76	58	if (is_string($options))
77		{
78		$this->column = $options;
79		}
80	58	elseif (is_array($options))
81		{
82		// Just throw them into the class as public variables
83	58	foreach ($options as $name => $value)
84		{
85	58	$this->$name = $value;
86		}
87		}
88	6	elseif ($options !== NULL)
89		{
90		throw new Kohana_Exception("Jam_Field options must be either string or an array of options");
91		}
92
93		// See if we need to allow_null values because of convert_empty
94	58	if ($this->convert_empty AND $this->empty_value === NULL)
95		{
96	51	$this->allow_null = TRUE;
97		}
98
99		// Default value is going to be NULL if null is true
100		// to mimic the SQL defaults.
101	58	if ( ! array_key_exists('default', (array) $options) AND $this->allow_null)
102		{
103	32	$this->default = NULL;
104		}
105
106		// Default the empty value to NULL when allow_null is TRUE, but be careful not
107		// to override a programmer-configured empty_value.
108	58	if ( ! empty($options['allow_null']) AND ! array_key_exists('empty_value', (array) $options))
109		{
110	47	$this->empty_value = NULL;
111		}
112
113	58	if ( ! empty($options['filters']))
114		{
115		$this->filters = $options['filters'];
116		}
117	58	}
118
119		/**
120		* This is called after construction so that fields can finish
121		* constructing themselves with a copy of the column it represents.
122		*
123		* @param string $model
		0 ignored issues – show Bug introduced 2015-11-24 23:50 UTC by Report Bug Copy Issue Report Show Similar Issues like this There is no parameter named `$model`. Was it maybe removed? This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. Consider the following example. The parameter `$italy` is not defined by the method `finale(...)`. /** * @param array $germany * @param array $island * @param array $italy */ function finale($germany, $island) { return "2:1"; } The most likely cause is that the parameter was removed, but the annotation was not. Loading history...
124		* @param string $column
		0 ignored issues – show Bug introduced 2015-11-24 23:50 UTC by Report Bug Copy Issue Report Show Similar Issues like this There is no parameter named `$column`. Was it maybe removed? This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. Consider the following example. The parameter `$italy` is not defined by the method `finale(...)`. /** * @param array $germany * @param array $island * @param array $italy */ function finale($germany, $island) { return "2:1"; } The most likely cause is that the parameter was removed, but the annotation was not. Loading history...
125		* @return void
126		**/
127	7	public function initialize(Jam_Meta $meta, $name)
128		{
129	7	parent::initialize($meta, $name);
130
131	7	if ( ! $this->column)
132		{
133	7	$this->column = $name;
134		}
135	7	}
136
137		/**
138		* Sets a particular value processed according
139		* to the class's standards.
140		*
141		* @param mixed $value
142		* @return mixed
143		**/
144	7	public function set(Jam_Validated $model, $value, $is_changed)
145		{
146	7	list($value, $return) = $this->_default($model, $value);
		0 ignored issues – show Unused Code introduced 2015-11-24 23:50 UTC by Report Bug Copy Issue Report Show Similar Issues like this The assignment to `$return` is unused. Consider omitting it like so `list($first,,$third)`. This checks looks for assignemnts to variables using the `list(...)` function, where not all assigned variables are subsequently used. Consider the following code example. <?php function returnThreeValues() { return array('a', 'b', 'c'); } list($a, $b, $c) = returnThreeValues(); print $a . " - " . $c; Only the variables `$a` and `$c` are used. There was no need to assign `$b`. Instead, the list call could have been. list($a,, $c) = returnThreeValues(); Loading history...
147
148	7	return $value;
149		}
150
151		/**
152		* Returns a particular value processed according
153		* to the class's standards.
154		*
155		* @param Jam_Model $model
156		* @param mixed $value
157		* @return mixed
158		**/
159	207	public function get(Jam_Validated $model, $value, $is_changed)
160		{
161	207	return $value;
162		}
163
164		/**
165		* Called just before saving.
166		*
167		* If $in_db, it is expected to return a value suitable for insertion
168		* into the database.
169		*
170		* @param Jam_Model $model
171		* @param mixed $value
172		* @param bool $loaded
		0 ignored issues – show Documentation introduced 2015-11-24 23:50 UTC by Report Bug Copy Issue Report Show Similar Issues like this There is no parameter named `$loaded`. Did you maybe mean `$is_loaded`? This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. It has, however, found a similar but not annotated parameter which might be a good fit. Consider the following example. The parameter `$ireland` is not defined by the method `finale(...)`. /** * @param array $germany * @param array $ireland */ function finale($germany, $island) { return "2:1"; } The most likely cause is that the parameter was changed, but the annotation was not. Loading history...
173		* @return mixed
174		*/
175	18	public function convert(Jam_Validated $model, $value, $is_loaded)
		0 ignored issues – show Unused Code introduced 2017-08-02 09:40 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `$model` is not used and could be removed. This check looks from parameters that have been defined for a function or method, but which are not used in the method body. Loading history...
176		{
177	18	return $value;
178		}
179
180		/**
181		* Shortcut for setting a filter
182		* @param string $filter_name
183		* @param array $values values, defaults to array(':value')
184		* @return Jam_Field $this
185		*/
186		public function filter($filter_name, $values = NULL)
187		{
188		$this->filters[] = array($filter_name, $values);
189		return $this;
190		}
191
192		/**
193		* Potentially converts the value to NULL or default depending on
194		* the fields configuration. An array is returned with the first
195		* element being the new value and the second being a boolean
196		* as to whether the field should return the value provided or
197		* continue processing it.
198		*
199		* @param mixed $value
200		* @return array
201		*/
202	283	protected function _default(Jam_Validated $model, $value)
203		{
204	283	$return = FALSE;
205
206	283	$value = $this->run_filters($model, $value);
207
208		// Convert empty values to NULL, if needed
209	283	if ($this->convert_empty AND empty($value))
210		{
211	40	$value = $this->empty_value;
212	40	$return = TRUE;
213		}
214
215		// Allow NULL values to pass through untouched by the field
216	283	if ($this->allow_null AND $value === NULL)
217		{
218	47	$value = NULL;
219	47	$return = TRUE;
220		}
221
222
223	283	return array($value, $return);
224		}
225
226	11	public function is_empty($value)
227		{
228	11	if ($this->convert_empty AND $this->empty_value !== NULL)
229		return $value === $this->empty_value;
230
231	11	return ($value === NULL OR $value === $this->default);
232		}
233
234	283	public function run_filters(Jam_Validated $model, $value)
235		{
236	283	if ( ! empty($this->filters))
237		{
238	3	foreach ($this->filters as $filter => $arguments)
239		{
240	3	if (is_numeric($filter))
241		{
242	2	$filter = $arguments;
243	2	$arguments = array();
244		}
245
246	3	$value = $this->run_filter($model, $value, $filter, $arguments);
247		}
248		}
249	283	return $value;
250		}
251
252	3	public function run_filter(Jam_Validated $model, $value, $filter, array $arguments = array())
253		{
254		$bound = array(
255	3	':model' => $model,
256	3	':field' => $this->name,
257	3	':value' => $value,
258		);
259
260	3	$arguments = $arguments ? $arguments : array(':value');
261
262	3	foreach ($arguments as & $argument)
263		{
264	3	if (is_string($argument) AND array_key_exists($argument, $bound))
265		{
266		// Replace with bound value
267	3	$argument = $bound[$argument];
268		}
269		}
270
271	3	$value = call_user_func_array($filter, $arguments);
272
273
274	3	return $value;
275		}
276		} // End Kohana_Jam_Field
277

OpenBuildings / jam

Issues (279)

Security Analysis no request data

classes/Kohana/Jam/Field.php (5 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like