Issues (384)

Security Analysis: not enabled

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  File Exposure
File Exposure allows an attacker to gain access to local files that they should not be able to access. These files can for example include database credentials, or other configuration files.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
  XPath Injection
XPath Injection enables an attacker to modify the parts of an XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web-server. This can be used to expose sensitive data, or to gain access to your server.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  Header Injection

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

include/update_function.php (1 issue)

Issue at line 167 of the file (step 5, the `$result = $xoopsDB->queryF($sql);` that follows the `ADD INDEX ( \`topic_title\` )` statement): The assignment to $result is dead and can be removed.

```php
<?php declare(strict_types=1);

/**
 * News functions
 *
 * You may not change or alter any portion of this comment or credits
 * of supporting developers from this source code or any supporting source code
 * which is considered copyrighted (c) material of the original comment or credit authors.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 *
 * @copyright   {@link https://xoops.org/ XOOPS Project}
 * @license     GNU GPL 2 (https://www.gnu.org/licenses/old-licenses/gpl-2.0.html)
 * @author      Voltan
 */

use XoopsModules\News;

/**
 * @return bool
 */
function xoops_module_update_news()
{
    global $xoopsDB;
    $errors = 0;

    //0) Rename all tables

    if (News\Utility::existTable($xoopsDB->prefix('stories_files'))) {
        $sql    = 'ALTER TABLE ' . $xoopsDB->prefix('stories_files') . ' RENAME ' . $xoopsDB->prefix('news_stories_files');
        $result = $xoopsDB->queryF($sql);
        if (!$result) {
            echo '<br>' . _AM_NEWS_UPGRADEFAILED . ' ' . _AM_NEWS_UPGRADEFAILED2;
            ++$errors;
        }
    } elseif (!News\Utility::existTable($xoopsDB->prefix('news_stories_files'))) {
        // 1) Create, if it does not exists, the stories_files table
        $sql = 'CREATE TABLE ' . $xoopsDB->prefix('news_stories_files') . " (
              fileid INT(8) UNSIGNED NOT NULL AUTO_INCREMENT,
              filerealname VARCHAR(255) NOT NULL DEFAULT '',
              storyid INT(8) UNSIGNED NOT NULL DEFAULT '0',
              date INT(10) NOT NULL DEFAULT '0',
              mimetype VARCHAR(64) NOT NULL DEFAULT '',
              downloadname VARCHAR(255) NOT NULL DEFAULT '',
              counter INT(8) UNSIGNED NOT NULL DEFAULT '0',
              PRIMARY KEY  (fileid),
              KEY storyid (storyid)
            ) ENGINE=MyISAM;";
        if (!$xoopsDB->queryF($sql)) {
            echo '<br>' . _AM_NEWS_UPGRADEFAILED . ' ' . _AM_NEWS_UPGRADEFAILED1;
            ++$errors;
        }
    }

    if (News\Utility::existTable($xoopsDB->prefix('stories'))) {
        $sql    = 'ALTER TABLE ' . $xoopsDB->prefix('stories') . ' RENAME ' . $xoopsDB->prefix('news_stories');
        $result = $xoopsDB->queryF($sql);
        if (!$result) {
            echo '<br>' . _AM_NEWS_UPGRADEFAILED . ' ' . _AM_NEWS_UPGRADEFAILED2;
            ++$errors;
        }
    }

    if (News\Utility::existTable($xoopsDB->prefix('topics'))) {
        $sql    = 'ALTER TABLE ' . $xoopsDB->prefix('topics') . ' RENAME ' . $xoopsDB->prefix('news_topics');
        $result = $xoopsDB->queryF($sql);
        if (!$result) {
            echo '<br>' . _AM_NEWS_UPGRADEFAILED . ' ' . _AM_NEWS_UPGRADEFAILED2;
            ++$errors;
        }
    }

    if (News\Utility::existTable($xoopsDB->prefix('stories_files'))) {
        $sql    = 'ALTER TABLE ' . $xoopsDB->prefix('stories_files') . ' RENAME ' . $xoopsDB->prefix('news_stories_files');
        $result = $xoopsDB->queryF($sql);
        if (!$result) {
            echo '<br>' . _AM_NEWS_UPGRADEFAILED . ' ' . _AM_NEWS_UPGRADEFAILED2;
            ++$errors;
        }
    }

    // 2) Change the topic title's length, in the topics table
    $sql    = 'ALTER TABLE ' . $xoopsDB->prefix('news_topics') . ' CHANGE topic_title topic_title VARCHAR( 255 ) NOT NULL;';
    $result = $xoopsDB->queryF($sql);
    if (!$result) {
        echo '<br>' . _AM_NEWS_UPGRADEFAILED . ' ' . _AM_NEWS_UPGRADEFAILED2;
        ++$errors;
    }

    // 2.0a) change column size for IP address from varchar(16) to varchar(45) for IPv6
    $sql    = 'ALTER TABLE ' . $xoopsDB->prefix('news_stories') . ' MODIFY hostname VARCHAR( 45 ) NOT NULL DEFAULT \'\';';
    $result = $xoopsDB->queryF($sql);
    if (!$result) {
        echo '<br>' . _AM_NEWS_UPGRADEFAILED . ' ' . _AM_NEWS_UPGRADEFAILED2;
        ++$errors;
    }

    // 2.0b)  change column size for Picture from varchar(50) to varchar(255) for SEO
    $sql    = 'ALTER TABLE ' . $xoopsDB->prefix('news_stories') . ' MODIFY picture VARCHAR( 255 ) NOT NULL DEFAULT \'\';';
    $result = $xoopsDB->queryF($sql);
    if (!$result) {
        echo '<br>' . _AM_NEWS_UPGRADEFAILED . ' ' . _AM_NEWS_UPGRADEFAILED2;
        ++$errors;
    }


    // 2.1) Add the new fields to the topic table
    if (!News\Utility::existField('menu', $xoopsDB->prefix('news_topics'))) {
        News\Utility::addField("menu TINYINT( 1 ) DEFAULT '0' NOT NULL", $xoopsDB->prefix('news_topics'));
    }
    if (!News\Utility::existField('topic_frontpage', $xoopsDB->prefix('news_topics'))) {
        News\Utility::addField("topic_frontpage TINYINT( 1 ) DEFAULT '1' NOT NULL", $xoopsDB->prefix('news_topics'));
    }
    if (!News\Utility::existField('topic_rssurl', $xoopsDB->prefix('news_topics'))) {
        News\Utility::addField('topic_rssurl VARCHAR( 255 ) NOT NULL', $xoopsDB->prefix('news_topics'));
    }
    if (!News\Utility::existField('topic_description', $xoopsDB->prefix('news_topics'))) {
        News\Utility::addField('topic_description TEXT NOT NULL', $xoopsDB->prefix('news_topics'));
    }
    if (!News\Utility::existField('topic_color', $xoopsDB->prefix('news_topics'))) {
        News\Utility::addField("topic_color varchar(6) NOT NULL default '000000'", $xoopsDB->prefix('news_topics'));
    }

    // 3) If it does not exists, create the table stories_votedata
    if (!News\Utility::existTable($xoopsDB->prefix('news_stories_votedata'))) {
        $sql = 'CREATE TABLE ' . $xoopsDB->prefix('news_stories_votedata') . " (
              ratingid INT(11) UNSIGNED NOT NULL AUTO_INCREMENT,
              storyid INT(8) UNSIGNED NOT NULL DEFAULT '0',
              ratinguser INT(11) NOT NULL DEFAULT '0',
              rating TINYINT(3) UNSIGNED NOT NULL DEFAULT '0',
              ratinghostname VARCHAR(60) NOT NULL DEFAULT '',
              ratingtimestamp INT(10) NOT NULL DEFAULT '0',
              PRIMARY KEY  (ratingid),
              KEY ratinguser (ratinguser),
              KEY ratinghostname (ratinghostname),
              KEY storyid (storyid)
            ) ENGINE=MyISAM;";
        if (!$xoopsDB->queryF($sql)) {
            echo '<br>' . _AM_NEWS_UPGRADEFAILED . ' ' . _AM_NEWS_UPGRADEFAILED3;
            ++$errors;
        }
    }

    // 4) Create the four new fields for the votes in the story table
    if (!News\Utility::existField('rating', $xoopsDB->prefix('news_stories'))) {
        News\Utility::addField("rating DOUBLE( 6, 4 ) DEFAULT '0.0000' NOT NULL", $xoopsDB->prefix('news_stories'));
    }
    if (!News\Utility::existField('votes', $xoopsDB->prefix('news_stories'))) {
        News\Utility::addField("votes INT( 11 ) UNSIGNED DEFAULT '0' NOT NULL", $xoopsDB->prefix('news_stories'));
    }
    if (!News\Utility::existField('keywords', $xoopsDB->prefix('news_stories'))) {
        News\Utility::addField('keywords VARCHAR(255) NOT NULL', $xoopsDB->prefix('news_stories'));
    }
    if (!News\Utility::existField('description', $xoopsDB->prefix('news_stories'))) {
        News\Utility::addField('description VARCHAR(255) NOT NULL', $xoopsDB->prefix('news_stories'));
    }
    if (!News\Utility::existField('pictureinfo', $xoopsDB->prefix('news_stories'))) {
        News\Utility::addField('pictureinfo VARCHAR(255) NOT NULL', $xoopsDB->prefix('news_stories'));
    }
    if (!News\Utility::existField('subtitle', $xoopsDB->prefix('news_stories'))) {
        News\Utility::addField('subtitle VARCHAR(255) NOT NULL', $xoopsDB->prefix('news_stories'));
    }

    // 5) Add some indexes to the topics table
    $sql    = 'ALTER TABLE ' . $xoopsDB->prefix('news_topics') . ' ADD INDEX ( `topic_title` );';
    $result = $xoopsDB->queryF($sql);
    $sql    = 'ALTER TABLE ' . $xoopsDB->prefix('news_topics') . ' ADD INDEX ( `menu` );';
    $result = $xoopsDB->queryF($sql);

    // 6) Make files and folders
    $dir = XOOPS_ROOT_PATH . '/uploads/news';
    if (!@mkdir($dir) && !is_dir($dir)) {
        throw new \RuntimeException('The directory ' . $dir . ' could not be created.');
    }
    if (!is_writable($dir)) {
        chmod($dir, 0777);
    }

    $dir = XOOPS_ROOT_PATH . '/uploads/news/file';
    if (!@mkdir($dir) && !is_dir($dir)) {
        throw new \RuntimeException('The directory ' . $dir . ' could not be created.');
    }
    if (!is_writable($dir)) {
        chmod($dir, 0777);
    }

    $dir = XOOPS_ROOT_PATH . '/uploads/news/image';
    if (!@mkdir($dir) && !is_dir($dir)) {
        throw new \RuntimeException('The directory ' . $dir . ' could not be created.');
    }
    if (!is_writable($dir)) {
        chmod($dir, 0777);
    }

    // Copy index.html files on uploads folders
    $indexFile = XOOPS_ROOT_PATH . '/modules/news/include/index.php';
    copy($indexFile, XOOPS_ROOT_PATH . '/uploads/news/index.php');
    copy($indexFile, XOOPS_ROOT_PATH . '/uploads/news/file/index.php');
    copy($indexFile, XOOPS_ROOT_PATH . '/uploads/news/image/index.php');

    return true;
}
```