Issues in News.php (master) - Issues in master - allejo/bzion - Measure and Improve Code Quality continuously with Scrutinizer

Issues (273)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

models/News.php (1 issue)

Labels

Severity

Informational 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * This file contains functionality relating to the news articles admins can post
 *
 * @package    BZiON\Models
 * @license    https://github.com/allejo/bzion/blob/master/LICENSE.md GNU General Public License Version 3
 */

/**
 * A news article
 * @package    BZiON\Models
 */
class News extends UrlModel implements NamedModel
{
    /**
     * The category of the article
     * @var int
     */
    protected $category;

    /**
     * The subject of the news article
     * @var string
     */
    protected $subject;

    /**
     * The content of the news article
     * @var string
     */
    protected $content;

    /**
     * The creation date of the news article
     * @var TimeDate
     */
    protected $created;

    /**
     * The date the news article was last updated
     * @var TimeDate
     */
    protected $updated;

    /**
     * The ID of the author of the news article
     * @var int
     */
    protected $author;

    /**
     * The ID of the last person to edit the news article
     * @var int
     */
    protected $editor;

    const DEFAULT_STATUS = 'published';

    /**
     * The name of the database table used for queries
     */
    const TABLE = "news";

    const CREATE_PERMISSION = Permission::CREATE_NEWS;
    const EDIT_PERMISSION = Permission::EDIT_NEWS;
    const SOFT_DELETE_PERMISSION = Permission::SOFT_DELETE_NEWS;
    const HARD_DELETE_PERMISSION = Permission::HARD_DELETE_NEWS;

    /**
     * {@inheritdoc}
     */
    protected function assignResult($news)
    {
        $this->category = $news['category'];
        $this->subject = $news['subject'];
        $this->content = $news['content'];
        $this->created = TimeDate::fromMysql($news['created']);
        $this->updated = TimeDate::fromMysql($news['updated']);
        $this->author = $news['author'];
        $this->editor = $news['editor'];
        $this->status = $news['status'];
    }

    /**
     * Get the author of the news article
     * @return Player The author of the post
     */
    public function getAuthor()
    {
        return Player::get($this->author);
    }

    /**
     * Get the user ID of the author who wrote this article
     * @return int The author ID
     */
    public function getAuthorID()
    {
        return $this->author;
    }

    /**
     * Get the category of the news article
     * @return NewsCategory The category of the post
     */
    public function getCategory()
    {
        return NewsCategory::get($this->category);
    }

    /**
     * Get the database ID from the category the article belongs into
     * @return int The category ID
     */
    public function getCategoryID()
    {
        return $this->category;
    }

    /**
     * Get the content of the article
     * @return string The raw content of the article
     */
    public function getContent()
    {
        return $this->content;
    }

    /**
     * Get the time when the article was submitted
     *
     * @return TimeDate The article's creation time
     */
    public function getCreated()
    {
        return $this->created->copy();
    }

    /**
     * Get the time when the article was last updated
     *
     * @return TimeDate The article's last update time
     */
    public function getLastEdit()
    {
        return $this->updated->copy();
    }

    /**
     * Get the last editor of the post
     * @return Player A Player object of the last editor
     */
    public function getLastEditor()
    {
        return Player::get($this->editor);
    }

    /**
     * Get the ID of the person who last edited the article
     * @return int The ID of the last editor
     */
    public function getLastEditorID()
    {
        return $this->editor;
    }

    /**
     * Get the subject of the news article
     * @return string
     */
    public function getSubject()
    {
        return $this->subject;
    }

    /**
     * {@inheritdoc}
     */
    public function getName()
    {
        return $this->getSubject();
    }

    /**
     * {@inheritdoc}
     */
    public static function getParamName()
    {
        return "article";
    }

    /**
     * {@inheritdoc}
     */
    public static function getRouteName($action = 'show')
    {
        return "news_$action";
    }

    /**
     * Update the content of a post
     *
     * @param string $content The new content of the post
     *
     * @return self
     */
    public function updateContent($content)
    {
        return $this->updateProperty($this->content, 'content', $content);
    }

    /**
     * Update the last edit timestamp
     * @return self
     */
    public function updateEditTimestamp()
    {
        return $this->updateProperty($this->updated, 'updated', TimeDate::now());
    }

    /**
     * Update the editor of the post
     *
     * @param  int  $editorID The ID of the editor
     * @return self
     */
    public function updateLastEditor($editorID)
    {
        return $this->updateProperty($this->editor, 'editor', $editorID);
    }

    /**
     * Update the category of the post
     *
     * @param  int  $categoryID The ID of the category
     * @return self
     */
    public function updateCategory($categoryID)
    {
        return $this->updateProperty($this->category, 'category', $categoryID);
    }

    /**
     * Update the status of a post
     *
     * @param  string $status The new status of a post
     * @return self
     */
    public function updateStatus($status = 'published')
    {
        return $this->updateProperty($this->status, 'status', $status);
    }

    /**
     * Update the subject of a post
     *
     * @param  string $subject The new subject of a post
     * @return self
     */
    public function updateSubject($subject)
    {
        return $this->updateProperty($this->subject, 'subject', $subject);
    }

    /**
     * {@inheritdoc}
     */
    public static function getActiveStatuses()
    {
        return array('published', 'revision');
    }

    /**
     * Add a new news article
     *
     * @param string $subject    The subject of the article
     * @param string $content    The content of the article
     * @param int    $authorID   The ID of the author
     * @param int    $categoryId The ID of the category this article will be published under
     * @param string $status     The status of the article: 'published', 'disabled', or 'deleted'
     *
     * @return News An object representing the article that was just created or false if the article was not created
     */
    public static function addNews($subject, $content, $authorID, $categoryId = 1, $status = 'published')
    {
        return self::create(array(
            'category' => $categoryId,
            'subject'  => $subject,
            'content'  => $content,
            'author'   => $authorID,
            'editor'   => $authorID,
            'status'   => $status,
        ), array('created', 'updated'));
    }

    /**
     * Get all the news entries in the database that aren't disabled or deleted
     *
     * @param int  $start     The offset used when fetching matches, i.e. the starting point
     * @param int  $limit     The amount of matches to be retrieved
     * @param bool $getDrafts Whether or not to fetch drafts
     *
     * @return News[] An array of news objects
     */
    public static function getNews($start = 0, $limit = 5, $getDrafts = false)
    {
        $ignoredStatuses[] = "deleted";
foreach ($collection as $item) {
    $myArray['foo'] = $item->getFoo();

    if ($item->hasBar()) {
        $myArray['bar'] = $item->getBar();
    }

    // do something with $myArray
}

        if (!$getDrafts) {
            $ignoredStatuses[] = "draft";
        }

        return self::arrayIdToModel(
            self::fetchIdsFrom(
                "status", $ignoredStatuses, true,
                "ORDER BY created DESC LIMIT $limit OFFSET $start"
            )
        );
    }

    /**
     * Get a query builder for news
     * @return QueryBuilder
     */
    public static function getQueryBuilder()
    {
        return new QueryBuilder('News', array(
            'columns' => array(
                'subject'  => 'subject',
                'category' => 'category',
                'created'  => 'created',
                'status'   => 'status'
            ),
            'name' => 'subject'
        ));
    }
}


1			<?php
2			/**
3			* This file contains functionality relating to the news articles admins can post
4			*
5			* @package BZiON\Models
6			* @license https://github.com/allejo/bzion/blob/master/LICENSE.md GNU General Public License Version 3
7			*/
8
9			/**
10			* A news article
11			* @package BZiON\Models
12			*/
13			class News extends UrlModel implements NamedModel
14			{
15			/**
16			* The category of the article
17			* @var int
18			*/
19			protected $category;
20
21			/**
22			* The subject of the news article
23			* @var string
24			*/
25			protected $subject;
26
27			/**
28			* The content of the news article
29			* @var string
30			*/
31			protected $content;
32
33			/**
34			* The creation date of the news article
35			* @var TimeDate
36			*/
37			protected $created;
38
39			/**
40			* The date the news article was last updated
41			* @var TimeDate
42			*/
43			protected $updated;
44
45			/**
46			* The ID of the author of the news article
47			* @var int
48			*/
49			protected $author;
50
51			/**
52			* The ID of the last person to edit the news article
53			* @var int
54			*/
55			protected $editor;
56
57			const DEFAULT_STATUS = 'published';
58
59			/**
60			* The name of the database table used for queries
61			*/
62			const TABLE = "news";
63
64			const CREATE_PERMISSION = Permission::CREATE_NEWS;
65			const EDIT_PERMISSION = Permission::EDIT_NEWS;
66			const SOFT_DELETE_PERMISSION = Permission::SOFT_DELETE_NEWS;
67			const HARD_DELETE_PERMISSION = Permission::HARD_DELETE_NEWS;
68
69			/**
70			* {@inheritdoc}
71			*/
72			protected function assignResult($news)
73			{
74			$this->category = $news['category'];
75			$this->subject = $news['subject'];
76	2		$this->content = $news['content'];
77			$this->created = TimeDate::fromMysql($news['created']);
78	2		$this->updated = TimeDate::fromMysql($news['updated']);
79	2		$this->author = $news['author'];
80	2		$this->editor = $news['editor'];
81	2		$this->status = $news['status'];
82	2		}
83	2
84	2		/**
85	2		* Get the author of the news article
86	2		* @return Player The author of the post
87			*/
88			public function getAuthor()
89			{
90			return Player::get($this->author);
91			}
92	1
93			/**
94	1		* Get the user ID of the author who wrote this article
95			* @return int The author ID
96			*/
97			public function getAuthorID()
98			{
99			return $this->author;
100			}
101
102			/**
103			* Get the category of the news article
104			* @return NewsCategory The category of the post
105			*/
106			public function getCategory()
107			{
108			return NewsCategory::get($this->category);
109			}
110
111			/**
112			* Get the database ID from the category the article belongs into
113			* @return int The category ID
114			*/
115			public function getCategoryID()
116			{
117			return $this->category;
118			}
119
120			/**
121			* Get the content of the article
122			* @return string The raw content of the article
123			*/
124			public function getContent()
125			{
126			return $this->content;
127			}
128
129			/**
130			* Get the time when the article was submitted
131			*
132			* @return TimeDate The article's creation time
133			*/
134			public function getCreated()
135			{
136			return $this->created->copy();
137			}
138	1
139			/**
140	1		* Get the time when the article was last updated
141			*
142			* @return TimeDate The article's last update time
143			*/
144			public function getLastEdit()
145			{
146			return $this->updated->copy();
147			}
148
149			/**
150			* Get the last editor of the post
151			* @return Player A Player object of the last editor
152			*/
153			public function getLastEditor()
154			{
155			return Player::get($this->editor);
156			}
157
158			/**
159			* Get the ID of the person who last edited the article
160			* @return int The ID of the last editor
161			*/
162			public function getLastEditorID()
163			{
164			return $this->editor;
165			}
166
167			/**
168			* Get the subject of the news article
169			* @return string
170			*/
171			public function getSubject()
172			{
173			return $this->subject;
174			}
175	1
176			/**
177	1		* {@inheritdoc}
178			*/
179			public function getName()
180			{
181			return $this->getSubject();
182			}
183	1
184			/**
185	1		* {@inheritdoc}
186			*/
187			public static function getParamName()
188			{
189			return "article";
190			}
191	1
192			/**
193	1		* {@inheritdoc}
194			*/
195			public static function getRouteName($action = 'show')
196			{
197			return "news_$action";
198			}
199	1
200			/**
201	1		* Update the content of a post
202			*
203			* @param string $content The new content of the post
204			*
205			* @return self
206			*/
207			public function updateContent($content)
208			{
209			return $this->updateProperty($this->content, 'content', $content);
210			}
211
212			/**
213			* Update the last edit timestamp
214			* @return self
215			*/
216			public function updateEditTimestamp()
217			{
218			return $this->updateProperty($this->updated, 'updated', TimeDate::now());
219			}
220
221			/**
222			* Update the editor of the post
223			*
224			* @param int $editorID The ID of the editor
225			* @return self
226			*/
227			public function updateLastEditor($editorID)
228			{
229			return $this->updateProperty($this->editor, 'editor', $editorID);
230			}
231
232			/**
233			* Update the category of the post
234			*
235			* @param int $categoryID The ID of the category
236			* @return self
237			*/
238			public function updateCategory($categoryID)
239			{
240			return $this->updateProperty($this->category, 'category', $categoryID);
241			}
242
243			/**
244			* Update the status of a post
245			*
246			* @param string $status The new status of a post
247			* @return self
248			*/
249			public function updateStatus($status = 'published')
250			{
251			return $this->updateProperty($this->status, 'status', $status);
252			}
253
254			/**
255			* Update the subject of a post
256			*
257			* @param string $subject The new subject of a post
258			* @return self
259			*/
260			public function updateSubject($subject)
261			{
262			return $this->updateProperty($this->subject, 'subject', $subject);
263			}
264
265			/**
266			* {@inheritdoc}
267			*/
268			public static function getActiveStatuses()
269			{
270			return array('published', 'revision');
271			}
272	1
273			/**
274	1		* Add a new news article
275			*
276			* @param string $subject The subject of the article
277			* @param string $content The content of the article
278			* @param int $authorID The ID of the author
279			* @param int $categoryId The ID of the category this article will be published under
280			* @param string $status The status of the article: 'published', 'disabled', or 'deleted'
281			*
282			* @return News An object representing the article that was just created or false if the article was not created
283			*/
284		View Code Duplication	public static function addNews($subject, $content, $authorID, $categoryId = 1, $status = 'published')
285			{
286			return self::create(array(
287			'category' => $categoryId,
288	2		'subject' => $subject,
289			'content' => $content,
290	2		'author' => $authorID,
291	2		'editor' => $authorID,
292	2		'status' => $status,
293	2		), array('created', 'updated'));
294	2		}
295	2
296	2		/**
297	2		* Get all the news entries in the database that aren't disabled or deleted
298			*
299			* @param int $start The offset used when fetching matches, i.e. the starting point
300			* @param int $limit The amount of matches to be retrieved
301			* @param bool $getDrafts Whether or not to fetch drafts
302			*
303			* @return News[] An array of news objects
304			*/
305			public static function getNews($start = 0, $limit = 5, $getDrafts = false)
306			{
307			$ignoredStatuses[] = "deleted";
			0 ignored issues – show Coding Style Comprehensibility introduced 2015-12-02 06:58 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$ignoredStatuses` was never initialized. Although not strictly required by PHP, it is generally a good practice to add `$ignoredStatuses = array();` before regardless. Adding an explicit array definition is generally preferable to implicit array definition as it guarantees a stable state of the code. Let’s take a look at an example: foreach ($collection as $item) { $myArray['foo'] = $item->getFoo(); if ($item->hasBar()) { $myArray['bar'] = $item->getBar(); } // do something with $myArray } As you can see in this example, the array `$myArray` is initialized the first time when the foreach loop is entered. You can also see that the value of the `bar` key is only written conditionally; thus, its value might result from a previous iteration. This might or might not be intended. To make your intention clear, your code more readible and to avoid accidental bugs, we recommend to add an explicit initialization `$myArray = array()` either outside or inside the foreach loop. Loading history...
308
309	1		if (!$getDrafts) {
310			$ignoredStatuses[] = "draft";
311	1		}
312
313	1		return self::arrayIdToModel(
314	1		self::fetchIdsFrom(
315			"status", $ignoredStatuses, true,
316			"ORDER BY created DESC LIMIT $limit OFFSET $start"
317	1		)
318	1		);
319	1		}
320	1
321			/**
322			* Get a query builder for news
323			* @return QueryBuilder
324			*/
325			public static function getQueryBuilder()
326			{
327			return new QueryBuilder('News', array(
328			'columns' => array(
329			'subject' => 'subject',
330			'category' => 'category',
331			'created' => 'created',
332			'status' => 'status'
333			),
334			'name' => 'subject'
335			));
336			}
337			}
338

allejo / bzion

Issues (273)

Security Analysis not enabled

models/News.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like