protect.inc.php ➔ getSanitizedValue() - Code Metrics - Inspection of "phpDoc" - evolution-cms/evolution - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Pull Request — develop (#537)

by Agel_Nash

created 2018-02-25 17:00 UTC

protect.inc.php ➔ getSanitizedValue() B

↳ Parent: Project

Complexity

Conditions	4
Paths	4

Size

Total Lines	22
Code Lines	14

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	4
eloc	14
nc	4
nop	1
dl	0
loc	22
rs	8.9197
c	0
b	0
f	0

<?php
/**
 *    Protect against some common security flaws
 */

error_reporting(E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED);

// Null is evil
if (isset($_SERVER['QUERY_STRING']) && strpos(urldecode($_SERVER['QUERY_STRING']), chr(0)) !== false) {
    die();
}

global $sanitize_seed;
function myFunction($a, $b) {
    // Do something
}
$sanitize_seed = 'sanitize_seed_' . base_convert(md5(__FILE__), 16, 36);

// sanitize array
if (!function_exists('modx_sanitize_gpc')) {
    /**
     * @param array|string $values
     * @param int $depth
     * @return array|string
     */
    function modx_sanitize_gpc(& $values, $depth = 0)

    {
        if (200 < $depth) {
            exit('GPC Array nested too deep!');

        }
        if (is_array($values)) {
            $depth++;
            foreach ($values as $key => $value) {
                if (is_array($value)) {
                    modx_sanitize_gpc($value, $depth);
                } else {
                    $values[$key] = getSanitizedValue($value);
                }
            }
        } else {
            $values = getSanitizedValue($values);
        }

        return $values;
    }
}

/**
 * @param string $value
 * @return string

 */
function getSanitizedValue($value = '')
{
    global $sanitize_seed;
function myFunction($a, $b) {
    // Do something
}

    if (empty($value)) {
        return $value;
    }

    $brackets = explode(' ', '[[ ]] [! !] [* *] [( )] {{ }} [+ +] [~ ~] [^ ^]');
    foreach ($brackets as $bracket) {
        if (strpos($value, $bracket) === false) {
            continue;
        }
        $sanitizedBracket = str_replace('#', $sanitize_seed,
            sprintf('#%s#%s#', substr($bracket, 0, 1), substr($bracket, 1, 1)));
        $value = str_replace($bracket, $sanitizedBracket, $value);
    }
    $value = str_ireplace('<script', 'sanitized_by_modx<s cript', $value);
    $value = preg_replace('/&#(\d+);/', 'sanitized_by_modx& #$1', $value);

    return $value;
}

modx_sanitize_gpc($_GET);
if (!defined('IN_MANAGER_MODE') || IN_MANAGER_MODE !== true) {
    modx_sanitize_gpc($_POST);
}
modx_sanitize_gpc($_COOKIE);
modx_sanitize_gpc($_REQUEST);

foreach (array('PHP_SELF', 'HTTP_USER_AGENT', 'HTTP_REFERER', 'QUERY_STRING') as $key) {
    $_SERVER[$key] = isset ($_SERVER[$key]) ? htmlspecialchars($_SERVER[$key], ENT_QUOTES) : null;
}

// Unset vars
unset ($key, $value);


1			<?php
2			/**
3			* Protect against some common security flaws
4			*/
5
6			error_reporting(E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED);
7
8			// Null is evil
9			if (isset($_SERVER['QUERY_STRING']) && strpos(urldecode($_SERVER['QUERY_STRING']), chr(0)) !== false) {
10			die();
11			}
12
13			global $sanitize_seed;
			0 ignored issues – show Compatibility Best Practice introduced 2018-02-21 15:53 UTC by Report Bug Copy Issue Report Use of `global` functionality is not recommended; it makes your code harder to test, and less reusable. Instead of relying on `global` state, we recommend one of these alternatives: 1. Pass all data via parameters function myFunction($a, $b) { // Do something } 2. Create a class that maintains your state class MyClass { private $a; private $b; public function __construct($a, $b) { $this->a = $a; $this->b = $b; } public function myFunction() { // Do something } } Loading history...
14			$sanitize_seed = 'sanitize_seed_' . base_convert(md5(__FILE__), 16, 36);
15
16			// sanitize array
17			if (!function_exists('modx_sanitize_gpc')) {
18			/**
19			* @param array\|string $values
20			* @param int $depth
21			* @return array\|string
22			*/
23			function modx_sanitize_gpc(& $values, $depth = 0)
			0 ignored issues – show Coding Style introduced 2018-02-21 15:53 UTC by Report Bug Copy Issue Report As per coding-style, this function should be in camelCase. CamelCase (...) is the practice of writing compound words or phrases such that each word or abbreviation begins with a capital letter. Learn more about camelCase. Loading history...
24			{
25			if (200 < $depth) {
26			exit('GPC Array nested too deep!');
			0 ignored issues – show Coding Style Compatibility introduced 2018-02-25 17:05 UTC by Report Bug Copy Issue Report The function modx_sanitize_gpc() contains an exit expression. An exit expression should only be used in rare cases. For example, if you write a short command line script. In most cases however, using an `exit` expression makes the code untestable and often causes incompatibilities with other libraries. Thus, unless you are absolutely sure it is required here, we recommend to refactor your code to avoid its usage. Loading history...
27			}
28			if (is_array($values)) {
29			$depth++;
30			foreach ($values as $key => $value) {
31			if (is_array($value)) {
32			modx_sanitize_gpc($value, $depth);
33			} else {
34			$values[$key] = getSanitizedValue($value);
35			}
36			}
37			} else {
38			$values = getSanitizedValue($values);
39			}
40
41			return $values;
42			}
43			}
44
45			/**
46			* @param string $value
47			* @return string
			0 ignored issues – show Documentation introduced 2018-02-25 17:05 UTC by Report Bug Copy Issue Report Should the return type not be `string\|string[]`? This check compares the return type specified in the `@return` annotation of a function or method doc comment with the types returned by the function and raises an issue if they mismatch. Loading history...
48			*/
49			function getSanitizedValue($value = '')
50			{
51			global $sanitize_seed;
			0 ignored issues – show Compatibility Best Practice introduced 2018-02-21 15:53 UTC by Report Bug Copy Issue Report Use of `global` functionality is not recommended; it makes your code harder to test, and less reusable. Instead of relying on `global` state, we recommend one of these alternatives: 1. Pass all data via parameters function myFunction($a, $b) { // Do something } 2. Create a class that maintains your state class MyClass { private $a; private $b; public function __construct($a, $b) { $this->a = $a; $this->b = $b; } public function myFunction() { // Do something } } Loading history...
52
53			if (empty($value)) {
54			return $value;
55			}
56
57			$brackets = explode(' ', '[[ ]] [! !] [* *] [( )] {{ }} [+ +] [~ ~] [^ ^]');
58			foreach ($brackets as $bracket) {
59			if (strpos($value, $bracket) === false) {
60			continue;
61			}
62			$sanitizedBracket = str_replace('#', $sanitize_seed,
63			sprintf('#%s#%s#', substr($bracket, 0, 1), substr($bracket, 1, 1)));
64			$value = str_replace($bracket, $sanitizedBracket, $value);
65			}
66			$value = str_ireplace('<script', 'sanitized_by_modx<s cript', $value);
67			$value = preg_replace('/&#(\d+);/', 'sanitized_by_modx& #$1', $value);
68
69			return $value;
70			}
71
72			modx_sanitize_gpc($_GET);
73			if (!defined('IN_MANAGER_MODE') \|\| IN_MANAGER_MODE !== true) {
74			modx_sanitize_gpc($_POST);
75			}
76			modx_sanitize_gpc($_COOKIE);
77			modx_sanitize_gpc($_REQUEST);
78
79			foreach (array('PHP_SELF', 'HTTP_USER_AGENT', 'HTTP_REFERER', 'QUERY_STRING') as $key) {
80			$_SERVER[$key] = isset ($_SERVER[$key]) ? htmlspecialchars($_SERVER[$key], ENT_QUOTES) : null;
81			}
82
83			// Unset vars
84			unset ($key, $value);
85

evolution-cms / evolution

Pull Request — develop (#537)

protect.inc.php ➔ getSanitizedValue() B

Complexity

Size

Duplication

Importance

1. Pass all data via parameters

2. Create a class that maintains your state

1. Pass all data via parameters

2. Create a class that maintains your state

Duplication Side-by-Side

Filter issues like