Issues in baseObjectHandler.php (master) - Issues in master - XoopsModules25x/smartpartner - Measure and Improve Code Quality continuously with Scrutinizer

Issues (733)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

class/baseObjectHandler.php (4 issues)

Labels

Severity

Major 4

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * smartpartnerBaseObjectHandler class
 *
 * @author  Nazar Aziz <[email protected]>
 * @access  public
 * @package xhelp
 */
class SmartpartnerBaseObjectHandler extends XoopsObjectHandler
{
    /**
     * Database connection
     *
     * @var object
     * @access    private
     */
    public $_db;

    /**
     * Autoincrementing DB fieldname
     * @var string
     * @access private
     */
    public $_idfield = 'id';

    /**
     * Constructor
     *
     * @param object|XoopsDatabase $db reference to a xoopsDB object
     */
    public function init(XoopsDatabase $db)
    {
        $this->_db = $db;
    }

    /**
     * create a new  object
     * @return object {@link smartpartnerBaseObject}
     * @access public
     */
    public function create()
    {
        return new $this->classname();
    }

    /**
     * retrieve an object from the database, based on. use in child classes
     * @param  int $id ID
     * @return mixed object if id exists, false if not
     * @access public
     */
    public function &get($id)
    {
        $id = (int)$id;
        if ($id > 0) {
            $sql = $this->_selectQuery(new Criteria($this->_idfield, $id));
            if (!$result = $this->_db->query($sql)) {
                return false;
            }
            $numrows = $this->_db->getRowsNum($result);
            if ($numrows == 1) {
                $obj = new $this->classname($this->_db->fetchArray($result));

                return $obj;
            }
        }

        return false;
    }

    /**
     * retrieve objects from the database
     *
     * @param  object $criteria  {@link CriteriaElement} conditions to be met
     * @param  bool   $id_as_key Should the department ID be used as array key
     * @return array  array of objects
     * @access  public
     */
    public function &getObjects($criteria = null, $id_as_key = false)
    {
        $ret   = array();
        $limit = $start = 0;
        $sql   = $this->_selectQuery($criteria);
        $id    = $this->_idfield;

        if (isset($criteria)) {
            $limit = $criteria->getLimit();
            $start = $criteria->getStart();
        }

        $result = $this->_db->query($sql, $limit, $start);
        // if no records from db, return empty array
        if (!$result) {
            return $ret;
        }

        // Add each returned record to the result array
        while ($myrow = $this->_db->fetchArray($result)) {
            $obj = new $this->classname($myrow);
            if (!$id_as_key) {
                $ret[] =& $obj;
            } else {
                $ret[$obj->getVar($id)] =& $obj;
            }
            unset($obj);
        }

        return $ret;
    }

    /**
     * @param  XoopsObject $obj
     * @param  bool        $force
     * @return bool
     */
    public function insert($obj, $force = false)
    {
        // Make sure object is of correct type
        if (strcasecmp($this->classname, get_class($obj)) != 0) {
            return false;
        }

        // Make sure object needs to be stored in DB
        if (!$obj->isDirty()) {
            return true;
        }

        // Make sure object fields are filled with valid values
        if (!$obj->cleanVars()) {
            return false;
        }

        // Create query for DB update
        if ($obj->isNew()) {
            // Determine next auto-gen ID for table
            $id  = $this->_db->genId($this->_db->prefix($this->_dbtable) . '_uid_seq');
            $sql = $this->_insertQuery($obj);
        } else {
            $sql = $this->_updateQuery($obj);
        }

        // Update DB
        if (false != $force) {
            $result = $this->_db->queryF($sql);
        } else {
            $result = $this->_db->query($sql);
        }

        if (!$result) {
            $obj->setErrors('The query returned an error. ' . $this->db->error());

            return false;
        }

        //Make sure auto-gen ID is stored correctly in object
        if ($obj->isNew()) {
            $obj->assignVar($this->_idfield, $this->_db->getInsertId());
        }

        return true;
    }

    /**
     * Create a "select" SQL query
     * @param  object $criteria {@link CriteriaElement} to match
     * @return string SQL query
     * @access private
     */
    public function _selectQuery($criteria = null)
    {
        $sql = sprintf('SELECT * FROM %s', $this->_db->prefix($this->_dbtable));
        if (isset($criteria) && is_subclass_of($criteria, 'criteriaelement')) {

            $sql .= ' ' . $criteria->renderWhere();
            if ($criteria->getSort() != '') {
                $sql .= ' ORDER BY ' . $criteria->getSort() . '
                    ' . $criteria->getOrder();
            }
        }

        return $sql;
    }

    /**
     * count objects matching a criteria
     *
     * @param  object $criteria {@link CriteriaElement} to match
     * @return int    count of objects
     * @access public
     */
    public function getCount($criteria = null)
    {
        $sql = 'SELECT COUNT(*) FROM ' . $this->_db->prefix($this->_dbtable);
        if (isset($criteria) && is_subclass_of($criteria, 'criteriaelement')) {

            $sql .= ' ' . $criteria->renderWhere();
        }
        if (!$result = $this->_db->query($sql)) {
            return 0;
        }
        list($count) = $this->_db->fetchRow($result);

        return $count;
    }

    /**
     * delete object based on id
     *
     * @param  object $obj   {@link XoopsObject} to delete
     * @param  bool   $force override XOOPS delete protection
     * @return bool   deletion successful?
     * @access public
     */
    public function delete($obj, $force = false)
    {
        if (strcasecmp($this->classname, get_class($obj)) != 0) {
            return false;
        }

        $sql = $this->_deleteQuery($obj);

        if (false != $force) {
            $result = $this->_db->queryF($sql);
        } else {
            $result = $this->_db->query($sql);
        }
        if (!$result) {
            return false;
        }

        return true;
    }

    /**
     * delete department matching a set of conditions
     *
     * @param  object $criteria {@link CriteriaElement}
     * @return bool   FALSE if deletion failed
     * @access    public
     */
    public function deleteAll($criteria = null)
    {
        $sql = 'DELETE FROM ' . $this->_db->prefix($this->_dbtable);
        if (isset($criteria) && is_subclass_of($criteria, 'criteriaelement')) {

            $sql .= ' ' . $criteria->renderWhere();
        }
        if (!$result = $this->_db->query($sql)) {
            return false;
        }

        return true;
    }

    /**
     * Assign a value to 1 field for tickets matching a set of conditions
     *
     * @param         $fieldname
     * @param         $fieldvalue
     * @param  object $criteria {@link CriteriaElement}
     * @return bool   FALSE if update failed
     * @access    public
     */
    public function updateAll($fieldname, $fieldvalue, $criteria = null)
    {
        $set_clause = is_numeric($fieldvalue) ? $fieldname . ' = ' . $fieldvalue : $fieldname . ' = ' . $this->_db->quoteString($fieldvalue);
        $sql        = 'UPDATE ' . $this->_db->prefix($this->_dbtable) . ' SET ' . $set_clause;
        if (isset($criteria) && is_subclass_of($criteria, 'criteriaelement')) {

            $sql .= ' ' . $criteria->renderWhere();
        }
        if (!$result = $this->_db->query($sql)) {
            return false;
        }

        return true;
    }

    /**
     * @param $obj
     * @return bool
     */
    public function _insertQuery($obj)
    {
        return false;
    }

    /**
     * @param $obj
     * @return bool
     */
    public function _updateQuery($obj)
    {
        return false;
    }

    /**
     * @param $obj
     * @return bool
     */
    public function _deleteQuery($obj)
    {
        return false;
    }

    /**
     * Singleton - prevent multiple instances of this class
     *
     * @param  object|XoopsDatabase $db
     * @return object               <a href='psi_element://pagesCategoryHandler'>pagesCategoryHandler</a>
     * @access public
     */
    public function getInstance(XoopsDatabase $db)
    {
        static $instance;
        if (null === $instance) {
            $classname = $this->classname . 'Handler';
            $instance  = new $classname($db);
        }

        return $instance;
    }
}


1		<?php
2
3		/**
4		* smartpartnerBaseObjectHandler class
5		*
6		* @author Nazar Aziz <[email protected]>
7		* @access public
8		* @package xhelp
9		*/
10		class SmartpartnerBaseObjectHandler extends XoopsObjectHandler
11		{
12		/**
13		* Database connection
14		*
15		* @var object
16		* @access private
17		*/
18		public $_db;
19
20		/**
21		* Autoincrementing DB fieldname
22		* @var string
23		* @access private
24		*/
25		public $_idfield = 'id';
26
27		/**
28		* Constructor
29		*
30		* @param object\|XoopsDatabase $db reference to a xoopsDB object
31		*/
32		public function init(XoopsDatabase $db)
33		{
34		$this->_db = $db;
35		}
36
37		/**
38		* create a new object
39		* @return object {@link smartpartnerBaseObject}
40		* @access public
41		*/
42		public function create()
43		{
44		return new $this->classname();
45		}
46
47		/**
48		* retrieve an object from the database, based on. use in child classes
49		* @param int $id ID
50		* @return mixed object if id exists, false if not
51		* @access public
52		*/
53	View Code Duplication	public function &get($id)
54		{
55		$id = (int)$id;
56		if ($id > 0) {
57		$sql = $this->_selectQuery(new Criteria($this->_idfield, $id));
58		if (!$result = $this->_db->query($sql)) {
59		return false;
60		}
61		$numrows = $this->_db->getRowsNum($result);
62		if ($numrows == 1) {
63		$obj = new $this->classname($this->_db->fetchArray($result));
64
65		return $obj;
66		}
67		}
68
69		return false;
70		}
71
72		/**
73		* retrieve objects from the database
74		*
75		* @param object $criteria {@link CriteriaElement} conditions to be met
76		* @param bool $id_as_key Should the department ID be used as array key
77		* @return array array of objects
78		* @access public
79		*/
80		public function &getObjects($criteria = null, $id_as_key = false)
81		{
82		$ret = array();
83		$limit = $start = 0;
84		$sql = $this->_selectQuery($criteria);
85		$id = $this->_idfield;
86
87		if (isset($criteria)) {
88		$limit = $criteria->getLimit();
89		$start = $criteria->getStart();
90		}
91
92		$result = $this->_db->query($sql, $limit, $start);
93		// if no records from db, return empty array
94		if (!$result) {
95		return $ret;
96		}
97
98		// Add each returned record to the result array
99		while ($myrow = $this->_db->fetchArray($result)) {
100		$obj = new $this->classname($myrow);
101		if (!$id_as_key) {
102		$ret[] =& $obj;
103		} else {
104		$ret[$obj->getVar($id)] =& $obj;
105		}
106		unset($obj);
107		}
108
109		return $ret;
110		}
111
112		/**
113		* @param XoopsObject $obj
114		* @param bool $force
115		* @return bool
116		*/
117		public function insert($obj, $force = false)
118		{
119		// Make sure object is of correct type
120		if (strcasecmp($this->classname, get_class($obj)) != 0) {
121		return false;
122		}
123
124		// Make sure object needs to be stored in DB
125		if (!$obj->isDirty()) {
126		return true;
127		}
128
129		// Make sure object fields are filled with valid values
130		if (!$obj->cleanVars()) {
131		return false;
132		}
133
134		// Create query for DB update
135		if ($obj->isNew()) {
136		// Determine next auto-gen ID for table
137		$id = $this->_db->genId($this->_db->prefix($this->_dbtable) . '_uid_seq');
138		$sql = $this->_insertQuery($obj);
139		} else {
140		$sql = $this->_updateQuery($obj);
141		}
142
143		// Update DB
144	View Code Duplication	if (false != $force) {
145		$result = $this->_db->queryF($sql);
146		} else {
147		$result = $this->_db->query($sql);
148		}
149
150		if (!$result) {
151		$obj->setErrors('The query returned an error. ' . $this->db->error());
152
153		return false;
154		}
155
156		//Make sure auto-gen ID is stored correctly in object
157		if ($obj->isNew()) {
158		$obj->assignVar($this->_idfield, $this->_db->getInsertId());
159		}
160
161		return true;
162		}
163
164		/**
165		* Create a "select" SQL query
166		* @param object $criteria {@link CriteriaElement} to match
167		* @return string SQL query
168		* @access private
169		*/
170	View Code Duplication	public function _selectQuery($criteria = null)
171		{
172		$sql = sprintf('SELECT * FROM %s', $this->_db->prefix($this->_dbtable));
173		if (isset($criteria) && is_subclass_of($criteria, 'criteriaelement')) {
		0 ignored issues – show Bug introduced 2016-05-31 10:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this Due to PHP Bug #53727, `is_subclass_of` returns inconsistent results on some PHP versions for interfaces; you could instead use `ReflectionClass::implementsInterface`. Loading history...
174		$sql .= ' ' . $criteria->renderWhere();
175		if ($criteria->getSort() != '') {
176		$sql .= ' ORDER BY ' . $criteria->getSort() . '
177		' . $criteria->getOrder();
178		}
179		}
180
181		return $sql;
182		}
183
184		/**
185		* count objects matching a criteria
186		*
187		* @param object $criteria {@link CriteriaElement} to match
188		* @return int count of objects
189		* @access public
190		*/
191	View Code Duplication	public function getCount($criteria = null)
192		{
193		$sql = 'SELECT COUNT(*) FROM ' . $this->_db->prefix($this->_dbtable);
194		if (isset($criteria) && is_subclass_of($criteria, 'criteriaelement')) {
		0 ignored issues – show Bug introduced 2016-05-31 10:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this Due to PHP Bug #53727, `is_subclass_of` returns inconsistent results on some PHP versions for interfaces; you could instead use `ReflectionClass::implementsInterface`. Loading history...
195		$sql .= ' ' . $criteria->renderWhere();
196		}
197		if (!$result = $this->_db->query($sql)) {
198		return 0;
199		}
200		list($count) = $this->_db->fetchRow($result);
201
202		return $count;
203		}
204
205		/**
206		* delete object based on id
207		*
208		* @param object $obj {@link XoopsObject} to delete
209		* @param bool $force override XOOPS delete protection
210		* @return bool deletion successful?
211		* @access public
212		*/
213		public function delete($obj, $force = false)
214		{
215		if (strcasecmp($this->classname, get_class($obj)) != 0) {
216		return false;
217		}
218
219		$sql = $this->_deleteQuery($obj);
220
221	View Code Duplication	if (false != $force) {
222		$result = $this->_db->queryF($sql);
223		} else {
224		$result = $this->_db->query($sql);
225		}
226		if (!$result) {
227		return false;
228		}
229
230		return true;
231		}
232
233		/**
234		* delete department matching a set of conditions
235		*
236		* @param object $criteria {@link CriteriaElement}
237		* @return bool FALSE if deletion failed
238		* @access public
239		*/
240	View Code Duplication	public function deleteAll($criteria = null)
241		{
242		$sql = 'DELETE FROM ' . $this->_db->prefix($this->_dbtable);
243		if (isset($criteria) && is_subclass_of($criteria, 'criteriaelement')) {
		0 ignored issues – show Bug introduced 2016-05-31 10:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this Due to PHP Bug #53727, `is_subclass_of` returns inconsistent results on some PHP versions for interfaces; you could instead use `ReflectionClass::implementsInterface`. Loading history...
244		$sql .= ' ' . $criteria->renderWhere();
245		}
246		if (!$result = $this->_db->query($sql)) {
247		return false;
248		}
249
250		return true;
251		}
252
253		/**
254		* Assign a value to 1 field for tickets matching a set of conditions
255		*
256		* @param $fieldname
257		* @param $fieldvalue
258		* @param object $criteria {@link CriteriaElement}
259		* @return bool FALSE if update failed
260		* @access public
261		*/
262	View Code Duplication	public function updateAll($fieldname, $fieldvalue, $criteria = null)
263		{
264		$set_clause = is_numeric($fieldvalue) ? $fieldname . ' = ' . $fieldvalue : $fieldname . ' = ' . $this->_db->quoteString($fieldvalue);
265		$sql = 'UPDATE ' . $this->_db->prefix($this->_dbtable) . ' SET ' . $set_clause;
266		if (isset($criteria) && is_subclass_of($criteria, 'criteriaelement')) {
		0 ignored issues – show Bug introduced 2016-05-31 10:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this Due to PHP Bug #53727, `is_subclass_of` returns inconsistent results on some PHP versions for interfaces; you could instead use `ReflectionClass::implementsInterface`. Loading history...
267		$sql .= ' ' . $criteria->renderWhere();
268		}
269		if (!$result = $this->_db->query($sql)) {
270		return false;
271		}
272
273		return true;
274		}
275
276		/**
277		* @param $obj
278		* @return bool
279		*/
280		public function _insertQuery($obj)
281		{
282		return false;
283		}
284
285		/**
286		* @param $obj
287		* @return bool
288		*/
289		public function _updateQuery($obj)
290		{
291		return false;
292		}
293
294		/**
295		* @param $obj
296		* @return bool
297		*/
298		public function _deleteQuery($obj)
299		{
300		return false;
301		}
302
303		/**
304		* Singleton - prevent multiple instances of this class
305		*
306		* @param object\|XoopsDatabase $db
307		* @return object <a href='psi_element://pagesCategoryHandler'>pagesCategoryHandler</a>
308		* @access public
309		*/
310		public function getInstance(XoopsDatabase $db)
311		{
312		static $instance;
313		if (null === $instance) {
314		$classname = $this->classname . 'Handler';
315		$instance = new $classname($db);
316		}
317
318		return $instance;
319		}
320		}
321

XoopsModules25x / smartpartner

Issues (733)

Security Analysis not enabled

class/baseObjectHandler.php (4 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like