Issues in DB.php (master) - Issues in master - caoym/phpboot - Measure and Improve Code Quality continuously with Scrutinizer

Issues (164)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/DB/DB.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
namespace PhpBoot\DB;

use PhpBoot\Application;
use PhpBoot\DB\rules\select\SelectRule;
use PhpBoot\DB\rules\insert\InsertRule;
use PhpBoot\DB\rules\update\UpdateRule;
use PhpBoot\DB\rules\delete\DeleteRule;
use PhpBoot\DB\rules\replace\ReplaceIntoRule;
use PhpBoot\Utils\Logger;

/**
 * 
 * How-to-use:
 * 
 * $db = new DB(...);
 * // 1. select
 * $res = $db->select('a, b')
 *      ->from('table')
 *      ->leftJoin('table1')->on('table.id=table1.id')
 *      ->where('a=?',1)
 *      ->groupBy('b')->having('sum(b)=?', 2)
 *      ->orderBy('c', Sql::ORDER_BY_ASC)
 *      ->limit(0,1)
 *      ->forUpdate()->of('d')
 *      ->get();
 * 
 * // 2. update
 * $rows = $db->update('table')
 *      ->set('a', 1)
 *      ->where('b=?', 2)
 *      ->orderBy('c', Sql::ORDER_BY_ASC)
 *      ->limit(1)
 *      ->exec($db)
 *      ->rows
 *      
 * // 3. insert
 * $newId = $db->insertInto('table')
 *      ->values(['a'=>1])
 *      ->exec($db)
 *      ->lastInsertId()
 *      
 * //4. delete
 * $rows = $db->deleteFrom('table')
 *      ->where('b=?', 2)
 *      ->orderBy('c', Sql::ORDER_BY_ASC)
 *      ->limit(1)
 *      ->exec($db)
 *      ->rows
 *      
 * @author caoym <[email protected]>
 */
class DB{

    /**
     * DB constructor.
     * @param Application $app
     * @param string $dsn @see \PDO
     * @param string $username @see \PDO
     * @param string $password @see \PDO
     * @param array $options @see \PDO
     */

    static public function connect(Application $app,
                                   $dsn,
                                  $username,
                                  $password,
                                  $options = [])
    {
        $options += [
            \PDO::ATTR_ERRMODE =>\PDO::ERRMODE_EXCEPTION,
            \PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES'utf8';",
            \PDO::MYSQL_ATTR_FOUND_ROWS => true
        ];

        $connection = new \PDO($dsn, $username, $password, $options);
        return new DB($app, $connection);
    }

    public function __construct(Application $app, $connection)
    {
        $this->app = $app;
        $this->connection = $connection;
    }

    /**
     * select('column0', 'column1') => "SELECT column0,column1"
     * select(['column0', 'column1']) => "SELECT column0,column1"
     *
     * @param string $column0
     * @return \PhpBoot\DB\rules\select\FromRule
     */
    function select($column0=null, $_=null){

        $obj = new SelectRule(new Context($this->connection));
        if($column0 == null){

            $args = ['*'];
        }elseif(is_array($column0)){
            $args = $column0;
        }else{
            $args = func_get_args();
        }
        foreach ($args as &$arg){
            $arg = DB::wrap($arg);
            if($arg == '*'){
                continue;
            }
        }
        return $obj->select(implode(',', $args));
    }
    /** 
     * insertInto('table') => "INSERT INTO table"
     * 
     * @param string $table
     * @return \PhpBoot\DB\rules\insert\ValuesRule
     */
    public function insertInto($table) {
        $obj = new InsertRule(new Context($this->connection));
        return $obj->insertInto($table);
    }
    /**
     * update('table') => "UPDATE table"
     * @param string $table
     * @return \PhpBoot\DB\rules\update\UpdateSetRule
     */
    public function update($table) {
        $obj = new UpdateRule(new Context($this->connection));
        return $obj->update($table);
    }
    
    /**
     * deleteFrom('table') => "DELETE FROM table"
     * @param string $table
     * @return \PhpBoot\DB\rules\basic\WhereRule
     */
    public function deleteFrom($table){
        $obj  =  new DeleteRule(new Context($this->connection));
        return $obj->deleteFrom($table);
    }
    /**
     * replaceInto('table') => "REPLACE INTO table"
     * @param string $table
     * @return \PhpBoot\DB\rules\replace\ValuesRule
     */
    public function replaceInto($table){
        $obj  =  new ReplaceIntoRule(new Context($this->connection));
        return $obj->replaceInto($table);
    }

    /**
     * @param callable $callback
     * @return mixed return
     * @throws \Exception
     */
    public function transaction(callable $callback)
    {
        if($this->inTransaction){
            return $callback($this);
        }
        $this->getConnection()->beginTransaction() or \PhpBoot\abort('beginTransaction failed');
        $this->inTransaction = true;
        try{
            $res = $callback($this);
            $this->getConnection()->commit() or \PhpBoot\abort('commit failed');
            return $res;
        }catch (\Exception $e){
            $this->getConnection()->rollBack();
            Logger::warning('commit failed with '.get_class($e).' '.$e->getMessage());
            throw $e;
        }
    }
    /**
     * @return \PDO
     */
    public function getConnection()
    {
        return $this->connection;
    }
    /**
	 * Splice sql use raw string(without escaping)
     * for example:
     * where('time>?', 'now()') => " WHERE time > 'now()' "
     * where('time>?', Sql::raw('now()')) => " WHERE time > now() "
     * @param string $str
     * @return Raw
     */
    static public function raw($str){
        return new Raw($str);
    }
    static public function wrap($value)
    {
        if($value instanceof Raw){
            return $value->get();
        }
        $value = trim($value);
        if ($value === '*') {
            return $value;
        }

        if(strpos($value, '.') !== false && !preg_match('/\\s+/', $value)){
            return $value;
        }
        return '`'.str_replace('`', '``', $value).'`';
    }

    /**
     * @return Application
     */
    public function getApp()
    {
        return $this->app;
    }
    const ORDER_BY_ASC ='ASC';
    const ORDER_BY_DESC ='DESC';

    /**
     * @var \PDO
     */
    protected $connection;

    /**
     * @var Application
     */
    protected $app;

    protected $inTransaction = false;
}


GitHub Access Token became invalid

Issues (164)

Security Analysis not enabled

src/DB/DB.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1		<?php
2		namespace PhpBoot\DB;
3
4		use PhpBoot\Application;
5		use PhpBoot\DB\rules\select\SelectRule;
6		use PhpBoot\DB\rules\insert\InsertRule;
7		use PhpBoot\DB\rules\update\UpdateRule;
8		use PhpBoot\DB\rules\delete\DeleteRule;
9		use PhpBoot\DB\rules\replace\ReplaceIntoRule;
10		use PhpBoot\Utils\Logger;
11
12		/**
13		*
14		* How-to-use:
15		*
16		* $db = new DB(...);
17		* // 1. select
18		* $res = $db->select('a, b')
19		* ->from('table')
20		* ->leftJoin('table1')->on('table.id=table1.id')
21		* ->where('a=?',1)
22		* ->groupBy('b')->having('sum(b)=?', 2)
23		* ->orderBy('c', Sql::ORDER_BY_ASC)
24		* ->limit(0,1)
25		* ->forUpdate()->of('d')
26		* ->get();
27		*
28		* // 2. update
29		* $rows = $db->update('table')
30		* ->set('a', 1)
31		* ->where('b=?', 2)
32		* ->orderBy('c', Sql::ORDER_BY_ASC)
33		* ->limit(1)
34		* ->exec($db)
35		* ->rows
36		*
37		* // 3. insert
38		* $newId = $db->insertInto('table')
39		* ->values(['a'=>1])
40		* ->exec($db)
41		* ->lastInsertId()
42		*
43		* //4. delete
44		* $rows = $db->deleteFrom('table')
45		* ->where('b=?', 2)
46		* ->orderBy('c', Sql::ORDER_BY_ASC)
47		* ->limit(1)
48		* ->exec($db)
49		* ->rows
50		*
51		* @author caoym <[email protected]>
52		*/
53		class DB{
54
55		/**
56		* DB constructor.
57		* @param Application $app
58		* @param string $dsn @see \PDO
59		* @param string $username @see \PDO
60		* @param string $password @see \PDO
61		* @param array $options @see \PDO
62		*/
63
64		static public function connect(Application $app,
65		$dsn,
66		$username,
67		$password,
68		$options = [])
69		{
70		$options += [
71		\PDO::ATTR_ERRMODE =>\PDO::ERRMODE_EXCEPTION,
72		\PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES'utf8';",
73		\PDO::MYSQL_ATTR_FOUND_ROWS => true
74		];
75
76		$connection = new \PDO($dsn, $username, $password, $options);
77		return new DB($app, $connection);
78		}
79
80	56	public function __construct(Application $app, $connection)
81		{
82	56	$this->app = $app;
83	56	$this->connection = $connection;
84	56	}
85
86		/**
87		* select('column0', 'column1') => "SELECT column0,column1"
88		* select(['column0', 'column1']) => "SELECT column0,column1"
89		*
90		* @param string $column0
91		* @return \PhpBoot\DB\rules\select\FromRule
92		*/
93	28	function select($column0=null, $_=null){
		0 ignored issues – show Unused Code introduced 2017-08-04 16:03 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `$_` is not used and could be removed. This check looks from parameters that have been defined for a function or method, but which are not used in the method body. Loading history... Best Practice introduced 2017-08-04 16:03 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
94	28	$obj = new SelectRule(new Context($this->connection));
95	28	if($column0 == null){
		0 ignored issues – show Bug introduced 2017-08-04 16:03 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you are loosely comparing `$column0` of type `string\|null` against `null`; this is ambiguous if the string can be empty. Consider using a strict comparison `===` instead. Loading history...
96	9	$args = ['*'];
97	28	}elseif(is_array($column0)){
98	3	$args = $column0;
99	3	}else{
100	17	$args = func_get_args();
101		}
102	28	foreach ($args as &$arg){
103	28	$arg = DB::wrap($arg);
104	28	if($arg == '*'){
105	16	continue;
106		}
107	28	}
108	28	return $obj->select(implode(',', $args));
109		}
110		/**
111		* insertInto('table') => "INSERT INTO table"
112		*
113		* @param string $table
114		* @return \PhpBoot\DB\rules\insert\ValuesRule
115		*/
116	8	public function insertInto($table) {
117	8	$obj = new InsertRule(new Context($this->connection));
118	8	return $obj->insertInto($table);
119		}
120		/**
121		* update('table') => "UPDATE table"
122		* @param string $table
123		* @return \PhpBoot\DB\rules\update\UpdateSetRule
124		*/
125	11	public function update($table) {
126	11	$obj = new UpdateRule(new Context($this->connection));
127	11	return $obj->update($table);
128		}
129
130		/**
131		* deleteFrom('table') => "DELETE FROM table"
132		* @param string $table
133		* @return \PhpBoot\DB\rules\basic\WhereRule
134		*/
135	7	public function deleteFrom($table){
136	7	$obj = new DeleteRule(new Context($this->connection));
137	7	return $obj->deleteFrom($table);
138		}
139		/**
140		* replaceInto('table') => "REPLACE INTO table"
141		* @param string $table
142		* @return \PhpBoot\DB\rules\replace\ValuesRule
143		*/
144	2	public function replaceInto($table){
145	2	$obj = new ReplaceIntoRule(new Context($this->connection));
146	2	return $obj->replaceInto($table);
147		}
148
149		/**
150		* @param callable $callback
151		* @return mixed return
152		* @throws \Exception
153		*/
154		public function transaction(callable $callback)
155		{
156		if($this->inTransaction){
157		return $callback($this);
158		}
159		$this->getConnection()->beginTransaction() or \PhpBoot\abort('beginTransaction failed');
160		$this->inTransaction = true;
161		try{
162		$res = $callback($this);
163		$this->getConnection()->commit() or \PhpBoot\abort('commit failed');
164		return $res;
165		}catch (\Exception $e){
166		$this->getConnection()->rollBack();
167		Logger::warning('commit failed with '.get_class($e).' '.$e->getMessage());
168		throw $e;
169		}
170		}
171		/**
172		* @return \PDO
173		*/
174		public function getConnection()
175		{
176		return $this->connection;
177		}
178		/**
179		* Splice sql use raw string(without escaping)
180		* for example:
181		* where('time>?', 'now()') => " WHERE time > 'now()' "
182		* where('time>?', Sql::raw('now()')) => " WHERE time > now() "
183		* @param string $str
184		* @return Raw
185		*/
186	13	static public function raw($str){
187	13	return new Raw($str);
188		}
189	57	static public function wrap($value)
190		{
191	57	if($value instanceof Raw){
192	4	return $value->get();
193		}
194	57	$value = trim($value);
195	57	if ($value === '*') {
196	16	return $value;
197		}
198
199	56	if(strpos($value, '.') !== false && !preg_match('/\\s+/', $value)){
200	1	return $value;
201		}
202	56	return '`'.str_replace('`', '``', $value).'`';
203		}
204
205		/**
206		* @return Application
207		*/
208	11	public function getApp()
209		{
210	11	return $this->app;
211		}
212		const ORDER_BY_ASC ='ASC';
213		const ORDER_BY_DESC ='DESC';
214
215		/**
216		* @var \PDO
217		*/
218		protected $connection;
219
220		/**
221		* @var Application
222		*/
223		protected $app;
224
225		protected $inTransaction = false;
226		}
227

caoym / phpboot

GitHub Access Token became invalid

Issues (164)

Security Analysis not enabled

src/DB/DB.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like