cookie::set() - Code Metrics - Inspection of "Merge pull request #393 from teiling88/dev-refacto..." - OpencachingDeutschland/oc-server3 - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — development ( 032ead...866be2 )

by Mirco

created 2016-09-21 19:42 UTC

cookie::set() A

↳ Parent: cookie

Complexity

Conditions	3
Paths	2

Size

Total Lines	7
Code Lines	4

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	3
eloc	4
c	0
b	0
f	0
nc	2
nop	2
dl	0
loc	7
rs	9.4285

<?php

/***************************************************************************
 *    For license information see doc/license.txt
 *
 *  Unicode Reminder メモ
 *
 *  Cookie handling
 ***************************************************************************/

$cookie = new cookie();

class cookie
namespace YourVendor;

class YourClass { }
{
    public $changed = false;
    public $values = array();

    public function __construct()
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        global $opt;

        if (isset($_COOKIE[$opt['cookie']['name'] . 'data'])) {
            //get the cookievars-array
            $decoded = base64_decode($_COOKIE[$opt['cookie']['name'] . 'data']);

            if ($decoded !== false) {
                $this->values = @unserialize($decoded);
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}
                if (!is_array($this->values)) {
                    $this->values = array();
                }
            } else {
                $this->values = array();
            }
        }
    }

    public function set($name, $value)
    {
        if (!isset($this->values[$name]) || $this->values[$name] != $value) {
            $this->values[$name] = $value;
            $this->changed = true;
        }
    }

    public function get($name)
    {
        return isset($this->values[$name]) ? $this->values[$name] : '';
    }

    public function is_set($name)
    {
        return isset($this->values[$name]);
    }

    public function un_set($name)

    {
        if (isset($this->values[$name])) {
            unset($this->values[$name]);
            $this->changed = true;
        }
    }

    public function header()
    {
        global $opt;

        if ($this->changed == true) {

            if (count($this->values) == 0) {
                setcookie(
                    $opt['cookie']['name'] . 'data',
                    false,
                    time() + 31536000,
                    $opt['cookie']['path'],
                    $opt['cookie']['domain'],
                    0
                );
            } else {
                setcookie(
                    $opt['cookie']['name'] . 'data',
                    base64_encode(serialize($this->values)),
                    time() + 31536000,
                    $opt['cookie']['path'],
                    $opt['cookie']['domain'],
                    0
                );
            }
        }
    }

    public function debug()
    {
        print_r($this->values);
        exit;

    }
}


1		<?php
		1 ignored issue – show Coding Style Compatibility introduced 2016-05-24 20:56 UTC by Report Bug Copy Issue Report For compatibility and reusability of your code, PSR1 recommends that a file should introduce either new symbols (like classes, functions, etc.) or have side-effects (like outputting something, or including other files), but not both at the same time. The first symbol is defined on line 12 and the first side effect is on line 10. The PSR-1: Basic Coding Standard recommends that a file should either introduce new symbols, that is classes, functions, constants or similar, or have side effects. Side effects are anything that executes logic, like for example printing output, changing ini settings or writing to a file. The idea behind this recommendation is that merely auto-loading a class should not change the state of an application. It also promotes a cleaner style of programming and makes your code less prone to errors, because the logic is not spread out all over the place. To learn more about the PSR-1, please see the PHP-FIG site on the PSR-1. Loading history...
2		/***************************************************************************
3		* For license information see doc/license.txt
4		*
5		* Unicode Reminder メモ
6		*
7		* Cookie handling
8		***************************************************************************/
9
10		$cookie = new cookie();
11
12		class cookie
		0 ignored issues – show Coding Style Compatibility introduced 2016-05-24 20:56 UTC by Report Bug Copy Issue Report PSR1 recommends that each class must be in a namespace of at least one level to avoid collisions. You can fix this by adding a namespace to your class: namespace YourVendor; class YourClass { } When choosing a vendor namespace, try to pick something that is not too generic to avoid conflicts with other libraries. Loading history...
13		{
14		public $changed = false;
15		public $values = array();
16
17	View Code Duplication	public function __construct()
		0 ignored issues – show Coding Style introduced 2016-05-26 19:39 UTC by Report Bug Copy Issue Report `__construct` uses the super-global variable `$_COOKIE` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history... Duplication introduced 2016-08-15 11:59 UTC by Report Bug Copy Issue Report This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
18		{
19		global $opt;
20
21		if (isset($_COOKIE[$opt['cookie']['name'] . 'data'])) {
22		//get the cookievars-array
23		$decoded = base64_decode($_COOKIE[$opt['cookie']['name'] . 'data']);
24
25		if ($decoded !== false) {
26		$this->values = @unserialize($decoded);
		0 ignored issues – show Security Object Injection introduced 2016-07-05 21:12 UTC by Report Bug Copy Issue Report `$decoded` can contain request data and is used in unserialized context(s) leading to a potential security vulnerability. 1 path for user data to reach this point Read from `$_COOKIE,` and `$_COOKIE[$opt['cookie']['name'] . 'data']` is decoded by base64_decode(), and `$decoded` is assigned in htdocs/lib/cookie.class.php on line 23 Preventing Object Injection Attacks If you pass raw user-data to `unserialize()` for example, this can be used to create an object of any class that is available in your local filesystem. For an attacker, classes that have magic methods like `__destruct` or `__wakeup` are particularly interesting in such a case, as they can be exploited very easily. We recommend to not pass user data to such a function. In case of `unserialize`, better use `JSON` to transfer data. General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
27		if (!is_array($this->values)) {
28		$this->values = array();
29		}
30		} else {
31		$this->values = array();
32		}
33		}
34		}
35
36		public function set($name, $value)
37		{
38		if (!isset($this->values[$name]) \|\| $this->values[$name] != $value) {
39		$this->values[$name] = $value;
40		$this->changed = true;
41		}
42		}
43
44		public function get($name)
45		{
46		return isset($this->values[$name]) ? $this->values[$name] : '';
47		}
48
49		public function is_set($name)
50		{
51		return isset($this->values[$name]);
52		}
53
54	View Code Duplication	public function un_set($name)
		0 ignored issues – show Duplication introduced 2016-08-15 11:59 UTC by Report Bug Copy Issue Report This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
55		{
56		if (isset($this->values[$name])) {
57		unset($this->values[$name]);
58		$this->changed = true;
59		}
60		}
61
62		public function header()
63		{
64		global $opt;
65
66		if ($this->changed == true) {
		0 ignored issues – show Coding Style Best Practice introduced 2016-05-24 20:17 UTC by Report Bug Copy Issue Report It seems like you are loosely comparing two booleans. Considering using the strict comparison `===` instead. When comparing two booleans, it is generally considered safer to use the strict comparison operator. Loading history...
67		if (count($this->values) == 0) {
68		setcookie(
69		$opt['cookie']['name'] . 'data',
70		false,
71		time() + 31536000,
72		$opt['cookie']['path'],
73		$opt['cookie']['domain'],
74		0
75		);
76		} else {
77		setcookie(
78		$opt['cookie']['name'] . 'data',
79		base64_encode(serialize($this->values)),
80		time() + 31536000,
81		$opt['cookie']['path'],
82		$opt['cookie']['domain'],
83		0
84		);
85		}
86		}
87		}
88
89		public function debug()
90		{
91		print_r($this->values);
92		exit;
		0 ignored issues – show Coding Style Compatibility introduced 2016-05-26 19:39 UTC by Report Bug Copy Issue Report The method `debug()` contains an exit expression. An exit expression should only be used in rare cases. For example, if you write a short command line script. In most cases however, using an `exit` expression makes the code untestable and often causes incompatibilities with other libraries. Thus, unless you are absolutely sure it is required here, we recommend to refactor your code to avoid its usage. Loading history...
93		}
94		}
95

OpencachingDeutschland / oc-server3

Push — development ( 032ead...866be2 )

cookie::set() A

Complexity

Size

Duplication

Importance

1 path for user data to reach this point

Preventing Object Injection Attacks

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like