Issues in search.php (master) - Issues in master - XoopsModules25x/lexikon - Measure and Improve Code Quality continuously with Scrutinizer

Issues (330)

Security Analysis not enabled

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

Header Injection

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

search.php (1 issue)

Severity

Unknown 1

<?php
/**
 * Module: Lexikon -  glossary module
 * Author: hsalazar
 * Licence: GNU
 */

#$xoopsOption['pagetype'] = "search";

use Xmf\Request;
use XoopsModules\Lexikon\{
    Helper,
    Utility
};
/** @var Helper $helper */

$GLOBALS['xoopsOption']['template_main'] = 'lx_search.tpl';
require __DIR__ . '/header.php';
require XOOPS_ROOT_PATH . '/header.php';

$helper = Helper::getInstance();

global $xoTheme, $xoopsDB, $xoopsModule, $xoopsModuleConfig, $searchtype;
$myts = \MyTextSanitizer::getInstance();
// -- options
require_once XOOPS_ROOT_PATH . '/modules/lexikon/include/common.inc.php';
$highlight      = false;
$highlight      = (1 == $helper->getConfig('config_highlighter')) ? 1 : 0;
$hightlight_key = '';

require_once XOOPS_ROOT_PATH . '/class/pagenav.php';

// Check if search is enabled site-wide
/** @var \XoopsConfigHandler $configHandler */
$configHandler     = xoops_getHandler('config');
$xoopsConfigSearch = $configHandler->getConfigsByCat(XOOPS_CONF_SEARCH);
if (1 != $xoopsConfigSearch['enable_search']) {
    header('location: ' . XOOPS_URL . '/modules/' . $xoopsModule->dirname() . '/index.php');
    exit();
}

// permissions
/** @var \XoopsGroupPermHandler $grouppermHandler */
$grouppermHandler = xoops_getHandler('groupperm');
$groups           = is_object($xoopsUser) ? $xoopsUser->getGroups() : XOOPS_GROUP_ANONYMOUS;
$module_id        = $xoopsModule->getVar('mid');
$allowed_cats     = $grouppermHandler->getItemIds('lexikon_view', $groups, $module_id);
$catids           = implode(',', $allowed_cats);

//extract($_GET);
//extract($_POST, EXTR_OVERWRITE);

$action     = Request::getCmd('action', 'search'); //isset($action) ? trim($action) : 'search';
$query      = Request::getString('term', ''); //isset($term) ? trim($term) : '';
$start      = Request::getInt('start', 0); //isset($start) ? (int)$start : 0;
$categoryID = Request::getInt('categoryID', 0); //isset($categoryID) ? (int)$categoryID : 0;
$type       = Request::getInt('type', 3); //isset($type) ? (int)$type : 3;
$queries    = [];

if (1 == $helper->getConfig('multicats')) {
    $xoopsTpl->assign('multicats', 1);
    $totalcats = $utility::countCats();
    $xoopsTpl->assign('totalcats', $totalcats);
} else {
    $xoopsTpl->assign('multicats', 0);
}

// Configure search parameters according to selector
$query = stripslashes($query);
if (1 == $type) {
    $searchtype = "( w.term LIKE '%$query%' )";
}
if (2 == $type) {
    $searchtype = "( definition LIKE '%$query%' )";
}
if (3 == $type) {
    $searchtype = "(( term LIKE '%$query%' OR definition LIKE '%$query%' OR ref LIKE '%$query%' ))";
}

if (1 == $helper->getConfig('multicats')) {
    // If the search is in a particular category
    if ($categoryID > 0) {
        $andcatid = "AND categoryID = '$categoryID' ";
    } else {
        $andcatid = '';
    }
} else {
    $andcatid = '';
}

// Counter
$publishedwords = $utility::countWords();
$xoopsTpl->assign('publishedwords', $publishedwords);

// If there's no term here (calling directly search page)
if (!$query) {
    // Display message saying there's no term and explaining how to search
    $xoopsTpl->assign('intro', _MD_LEXIKON_NOSEARCHTERM);
    // Display search form
    $searchform = $utility::getFormSearch($type, $categoryID, $query);
    $xoopsTpl->assign('searchform', $searchform->render());
} else {
    // Security Check
    if (!$GLOBALS['xoopsSecurity']->check()) {
        //\redirect_header('index.php', 3, \implode(',', $GLOBALS['xoopsSecurity']->getErrors()));
    }
    $searchform = $utility::getFormSearch($type, $categoryID, $query);
    // IF results, count number
    $catrestrict = " categoryID IN ($catids) ";
    $searchquery = $xoopsDB->query('SELECT COUNT(*) as nrows FROM ' . $xoopsDB->prefix('lxentries') . " w WHERE offline='0' AND " . $catrestrict . ' ' . $andcatid . " AND $searchtype   ORDER BY term DESC");
    [$results] = $xoopsDB->fetchRow($searchquery);

    if (0 == $results) {
        // There's been no correspondences with the searched terms
        $xoopsTpl->assign('intro', _MD_LEXIKON_NORESULTS);

        // Display search form
        $xoopsTpl->assign('searchform', $searchform->render());
        // $results > 0 -> there were search results
    } else {
        // Show paginated list of results
        // We'll put the results in an array
        $resultset = [];

        // -- highlighter
        if (is_array($resultset)) {

            if ($highlight) {
                $xoopsTpl->assign('highlight', true);
                $hightlight_key = '&amp;keywords=' . urlencode(trim($query));
            } else {
                $xoopsTpl->assign('highlight', false);
            }
        }

        // How many results will we show in this page?
        if (1 == $helper->getConfig('multicats')) {
            // If the search is in a particular category
            if ($categoryID > 0) {
                $andcatid2 = "AND w.categoryID = '$categoryID' ";
            } else {
                $andcatid2 = '';
            }
        } else {
            $andcatid2 = '';
        }
        $catsallow = " w.categoryID IN ($catids) ";
        $queryA    = 'SELECT w.entryID, w.categoryID, w.term, w.init, w.definition, w.datesub, w.ref, c.name AS catname FROM '
                     . $xoopsDB->prefix('lxentries')
                     . ' w LEFT JOIN '
                     . $xoopsDB->prefix('lxcategories')
                     . " c ON w.categoryID = c.categoryID WHERE w.offline = '0' AND "
                     . $catsallow
                     . ' '
                     . $andcatid2
                     . ' AND '
                     . $searchtype
                     . ' ';
        $queryA    .= '  ORDER BY w.term ASC';
        $resultA   = $xoopsDB->query($queryA, $helper->getConfig('indexperpage'), $start);

        while (list($entryID, $categoryID, $term, $init, $definition, $datesub, $ref, $catname) = $xoopsDB->fetchRow($resultA)) {
            $eachresult               = [];
            $xoopsModule              = XoopsModule::getByDirname('lexikon');
            $eachresult['dir']        = $xoopsModule->dirname();
            $eachresult['id']         = $entryID;
            $eachresult['categoryID'] = $categoryID;
            $eachresult['term']       = ucfirst(htmlspecialchars($term, ENT_QUOTES | ENT_HTML5));
            $eachresult['date']       = formatTimestamp($datesub, $helper->getConfig('dateformat'));
            $eachresult['ref']        = $utility::getHTMLHighlight($query, htmlspecialchars($ref, ENT_QUOTES | ENT_HTML5), '<b style="background-color: #FFFF80; ">', '</b>');
            $eachresult['catname']    = htmlspecialchars($catname, ENT_QUOTES | ENT_HTML5);
            $tempdef                  = $myts->displayTarea($definition, 1, 1, 1, 1, 1);
            $eachresult['definition'] = $utility::getHTMLHighlight($query, $tempdef, '<b style="background-color: #FFFF80; ">', '</b>');
            if ($highlight) {
                $eachresult['keywords'] = $hightlight_key;
            }
            // Functional links
            $microlinks               = $utility::getServiceLinks($eachresult);
            $eachresult['microlinks'] = $microlinks;
            $resultset['match'][]     = $eachresult;
        }

        // Msg: there's # results
        $xoopsTpl->assign('intro', sprintf(_MD_LEXIKON_THEREWERE, $results, $query));

        $linkstring          = 'term=' . $query . '&start';
        $pagenav             = new \XoopsPageNav($results, $helper->getConfig('indexperpage'), $start, $linkstring);
        $resultset['navbar'] = '<div style="text-align:right;">' . $pagenav->renderNav(6) . '</div>';

        $xoopsTpl->assign('resultset', $resultset);

        // Display search form
        $xoopsTpl->assign('searchform', $searchform->render());
    }
}
// Assign variables and close
$xoopsTpl->assign('lang_modulename', $xoopsModule->name());
$xoopsTpl->assign('lang_moduledirname', $xoopsModule->getVar('dirname'));

$xoopsTpl->assign('xoops_module_header', '<link rel="stylesheet" type="text/css" href="assets/css/style.css">');
$xoopsTpl->assign('xoops_pagetitle', _MD_LEXIKON_SEARCHENTRY . ' - ' . htmlspecialchars($xoopsModule->name(), ENT_QUOTES | ENT_HTML5));

// Meta data
$meta_description = _MD_LEXIKON_SEARCHENTRY . ' - ' . htmlspecialchars($xoopsModule->name(), ENT_QUOTES | ENT_HTML5);
if (isset($xoTheme) && is_object($xoTheme)) {
    $xoTheme->addMeta('meta', 'description', $meta_description);
} else {
    $xoopsTpl->assign('xoops_meta_description', $meta_description);
}

require XOOPS_ROOT_PATH . '/footer.php';


1			<?php
2			/**
3			* Module: Lexikon - glossary module
4			* Author: hsalazar
5			* Licence: GNU
6			*/
7
8			#$xoopsOption['pagetype'] = "search";
9
10			use Xmf\Request;
11			use XoopsModules\Lexikon\{
12			Helper,
13			Utility
14			};
15			/** @var Helper $helper */
16
17			$GLOBALS['xoopsOption']['template_main'] = 'lx_search.tpl';
18			require __DIR__ . '/header.php';
19			require XOOPS_ROOT_PATH . '/header.php';
20
21			$helper = Helper::getInstance();
22
23			global $xoTheme, $xoopsDB, $xoopsModule, $xoopsModuleConfig, $searchtype;
24			$myts = \MyTextSanitizer::getInstance();
25			// -- options
26			require_once XOOPS_ROOT_PATH . '/modules/lexikon/include/common.inc.php';
27			$highlight = false;
28			$highlight = (1 == $helper->getConfig('config_highlighter')) ? 1 : 0;
29			$hightlight_key = '';
30
31			require_once XOOPS_ROOT_PATH . '/class/pagenav.php';
32
33			// Check if search is enabled site-wide
34			/** @var \XoopsConfigHandler $configHandler */
35			$configHandler = xoops_getHandler('config');
36			$xoopsConfigSearch = $configHandler->getConfigsByCat(XOOPS_CONF_SEARCH);
37			if (1 != $xoopsConfigSearch['enable_search']) {
38			header('location: ' . XOOPS_URL . '/modules/' . $xoopsModule->dirname() . '/index.php');
39			exit();
40			}
41
42			// permissions
43			/** @var \XoopsGroupPermHandler $grouppermHandler */
44			$grouppermHandler = xoops_getHandler('groupperm');
45			$groups = is_object($xoopsUser) ? $xoopsUser->getGroups() : XOOPS_GROUP_ANONYMOUS;
46			$module_id = $xoopsModule->getVar('mid');
47			$allowed_cats = $grouppermHandler->getItemIds('lexikon_view', $groups, $module_id);
48			$catids = implode(',', $allowed_cats);
49
50			//extract($_GET);
51			//extract($_POST, EXTR_OVERWRITE);
52
53			$action = Request::getCmd('action', 'search'); //isset($action) ? trim($action) : 'search';
54			$query = Request::getString('term', ''); //isset($term) ? trim($term) : '';
55			$start = Request::getInt('start', 0); //isset($start) ? (int)$start : 0;
56			$categoryID = Request::getInt('categoryID', 0); //isset($categoryID) ? (int)$categoryID : 0;
57			$type = Request::getInt('type', 3); //isset($type) ? (int)$type : 3;
58			$queries = [];
59
60			if (1 == $helper->getConfig('multicats')) {
61			$xoopsTpl->assign('multicats', 1);
62			$totalcats = $utility::countCats();
63			$xoopsTpl->assign('totalcats', $totalcats);
64			} else {
65			$xoopsTpl->assign('multicats', 0);
66			}
67
68			// Configure search parameters according to selector
69			$query = stripslashes($query);
70			if (1 == $type) {
71			$searchtype = "( w.term LIKE '%$query%' )";
72			}
73			if (2 == $type) {
74			$searchtype = "( definition LIKE '%$query%' )";
75			}
76			if (3 == $type) {
77			$searchtype = "(( term LIKE '%$query%' OR definition LIKE '%$query%' OR ref LIKE '%$query%' ))";
78			}
79
80			if (1 == $helper->getConfig('multicats')) {
81			// If the search is in a particular category
82			if ($categoryID > 0) {
83			$andcatid = "AND categoryID = '$categoryID' ";
84			} else {
85			$andcatid = '';
86			}
87			} else {
88			$andcatid = '';
89			}
90
91			// Counter
92			$publishedwords = $utility::countWords();
93			$xoopsTpl->assign('publishedwords', $publishedwords);
94
95			// If there's no term here (calling directly search page)
96			if (!$query) {
97			// Display message saying there's no term and explaining how to search
98			$xoopsTpl->assign('intro', _MD_LEXIKON_NOSEARCHTERM);
99			// Display search form
100			$searchform = $utility::getFormSearch($type, $categoryID, $query);
101			$xoopsTpl->assign('searchform', $searchform->render());
102			} else {
103			// Security Check
104			if (!$GLOBALS['xoopsSecurity']->check()) {
105			//\redirect_header('index.php', 3, \implode(',', $GLOBALS['xoopsSecurity']->getErrors()));
106			}
107			$searchform = $utility::getFormSearch($type, $categoryID, $query);
108			// IF results, count number
109			$catrestrict = " categoryID IN ($catids) ";
110			$searchquery = $xoopsDB->query('SELECT COUNT(*) as nrows FROM ' . $xoopsDB->prefix('lxentries') . " w WHERE offline='0' AND " . $catrestrict . ' ' . $andcatid . " AND $searchtype ORDER BY term DESC");
111			[$results] = $xoopsDB->fetchRow($searchquery);
112
113			if (0 == $results) {
114			// There's been no correspondences with the searched terms
115			$xoopsTpl->assign('intro', _MD_LEXIKON_NORESULTS);
116
117			// Display search form
118			$xoopsTpl->assign('searchform', $searchform->render());
119			// $results > 0 -> there were search results
120			} else {
121			// Show paginated list of results
122			// We'll put the results in an array
123			$resultset = [];
124
125			// -- highlighter
126			if (is_array($resultset)) {
			0 ignored issues – show introduced 2021-07-15 17:09 UTC by Report Bug Copy Issue Report Show Similar Issues like this The condition `is_array($resultset)` is always `true`. Loading history...
127			if ($highlight) {
128			$xoopsTpl->assign('highlight', true);
129			$hightlight_key = '&keywords=' . urlencode(trim($query));
130			} else {
131			$xoopsTpl->assign('highlight', false);
132			}
133			}
134
135			// How many results will we show in this page?
136			if (1 == $helper->getConfig('multicats')) {
137			// If the search is in a particular category
138			if ($categoryID > 0) {
139			$andcatid2 = "AND w.categoryID = '$categoryID' ";
140			} else {
141			$andcatid2 = '';
142			}
143			} else {
144			$andcatid2 = '';
145			}
146			$catsallow = " w.categoryID IN ($catids) ";
147			$queryA = 'SELECT w.entryID, w.categoryID, w.term, w.init, w.definition, w.datesub, w.ref, c.name AS catname FROM '
148			. $xoopsDB->prefix('lxentries')
149			. ' w LEFT JOIN '
150			. $xoopsDB->prefix('lxcategories')
151			. " c ON w.categoryID = c.categoryID WHERE w.offline = '0' AND "
152			. $catsallow
153			. ' '
154			. $andcatid2
155			. ' AND '
156			. $searchtype
157			. ' ';
158			$queryA .= ' ORDER BY w.term ASC';
159			$resultA = $xoopsDB->query($queryA, $helper->getConfig('indexperpage'), $start);
160
161			while (list($entryID, $categoryID, $term, $init, $definition, $datesub, $ref, $catname) = $xoopsDB->fetchRow($resultA)) {
162			$eachresult = [];
163			$xoopsModule = XoopsModule::getByDirname('lexikon');
164			$eachresult['dir'] = $xoopsModule->dirname();
165			$eachresult['id'] = $entryID;
166			$eachresult['categoryID'] = $categoryID;
167			$eachresult['term'] = ucfirst(htmlspecialchars($term, ENT_QUOTES \| ENT_HTML5));
168			$eachresult['date'] = formatTimestamp($datesub, $helper->getConfig('dateformat'));
169			$eachresult['ref'] = $utility::getHTMLHighlight($query, htmlspecialchars($ref, ENT_QUOTES \| ENT_HTML5), '<b style="background-color: #FFFF80; ">', '</b>');
170			$eachresult['catname'] = htmlspecialchars($catname, ENT_QUOTES \| ENT_HTML5);
171			$tempdef = $myts->displayTarea($definition, 1, 1, 1, 1, 1);
172			$eachresult['definition'] = $utility::getHTMLHighlight($query, $tempdef, '<b style="background-color: #FFFF80; ">', '</b>');
173			if ($highlight) {
174			$eachresult['keywords'] = $hightlight_key;
175			}
176			// Functional links
177			$microlinks = $utility::getServiceLinks($eachresult);
178			$eachresult['microlinks'] = $microlinks;
179			$resultset['match'][] = $eachresult;
180			}
181
182			// Msg: there's # results
183			$xoopsTpl->assign('intro', sprintf(_MD_LEXIKON_THEREWERE, $results, $query));
184
185			$linkstring = 'term=' . $query . '&start';
186			$pagenav = new \XoopsPageNav($results, $helper->getConfig('indexperpage'), $start, $linkstring);
187			$resultset['navbar'] = '<div style="text-align:right;">' . $pagenav->renderNav(6) . '</div>';
188
189			$xoopsTpl->assign('resultset', $resultset);
190
191			// Display search form
192			$xoopsTpl->assign('searchform', $searchform->render());
193			}
194			}
195			// Assign variables and close
196			$xoopsTpl->assign('lang_modulename', $xoopsModule->name());
197			$xoopsTpl->assign('lang_moduledirname', $xoopsModule->getVar('dirname'));
198
199			$xoopsTpl->assign('xoops_module_header', '<link rel="stylesheet" type="text/css" href="assets/css/style.css">');
200			$xoopsTpl->assign('xoops_pagetitle', _MD_LEXIKON_SEARCHENTRY . ' - ' . htmlspecialchars($xoopsModule->name(), ENT_QUOTES \| ENT_HTML5));
201
202			// Meta data
203			$meta_description = _MD_LEXIKON_SEARCHENTRY . ' - ' . htmlspecialchars($xoopsModule->name(), ENT_QUOTES \| ENT_HTML5);
204			if (isset($xoTheme) && is_object($xoTheme)) {
205			$xoTheme->addMeta('meta', 'description', $meta_description);
206			} else {
207			$xoopsTpl->assign('xoops_meta_description', $meta_description);
208			}
209
210			require XOOPS_ROOT_PATH . '/footer.php';
211

XoopsModules25x / lexikon

Issues (330)

Security Analysis not enabled

search.php (1 issue)

Severity

Introduced By

Duplication Side-by-Side

Filter issues like