Issues in AbstractPdo.php (master) - Issues in master - frqnck/apix-cache - Measure and Improve Code Quality continuously with Scrutinizer

Issues (36)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/AbstractPdo.php (5 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 *
 * This file is part of the Apix Project.
 *
 * (c) Franck Cassedanne <franck at ouarz.net>
 *
 * @license     http://opensource.org/licenses/BSD-3-Clause  New BSD License
 *
 */

namespace Apix\Cache;

/**
 * PDO cache wrapper with tag support.
 *
 * @author Franck Cassedanne <franck at ouarz.net>
 */
abstract class AbstractPdo extends AbstractCache
{

    /**
     * Holds the SQL definitions.
     * @var array
     */
    protected $sql_definitions;

    /**
     * Holds the array of TTLs.
     * @var array
     */
    protected $ttls = array();

    /**
     * Constructor.
     *
     * @param \PDO  $pdo     An instance of a PDO class.
     * @param array $options Array of options.
     */
    public function __construct(\PDO $pdo, array $options=null)
    {
        // default options
        $this->options['db_table']   = 'cache'; // table to hold the cache
        $this->options['serializer'] = 'php';   // null, php, igBinary, json

                                                // and msgpack
        $this->options['preflight']  = true;    // wether to preflight the DB
        $this->options['timestamp']  = 'Y-m-d H:i:s'; // timestamp db format

        $pdo->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);

        parent::__construct($pdo, $options);
        $this->setSerializer($this->options['serializer']);

        if ($this->options['preflight']) {
            $this->initDb();
        }
    }

    /**
     * Initialises the database and its indexes (if required, non-destructive).
     *
     * @return self Provides a fluent interface
     */
    public function initDb()
    {
        $this->adapter->exec( $this->getSql('init') );

        $this->createIndexTable('key_idx');
        $this->createIndexTable('exp_idx');
        $this->createIndexTable('tag_idx');

        return $this;
    }

    /**
     * Creates the specified indexe table (if missing).
     *
     * @param  string  $index
     * @return boolean
     */
    public function createIndexTable($index)
    {
        if (!isset($this->sql_definitions[$index])) {
            return false;
        }
        $this->adapter->exec($this->getSql($index, $this->options['db_table']));

        return $this->adapter->errorCode() == '00000';
    }

    /**
     * {@inheritdoc}
     */
    public function loadKey($key)
    {
        $key = $this->mapKey($key);
        $sql = $this->getSql('loadKey');
        $values = array('key' => $key, 'now' => time());

        $cached = $this->exec($sql, $values)->fetch();

        // if (isset($cached['expire'])) {

            $this->ttls[$key] = $cached['expire'];
        // }

        if (null !== $cached['data'] && null !== $this->serializer) {
            return $this->serializer->unserialize($cached['data']);
        }

        return false === $cached ? null : $cached['data'];
    }

    /**
     * {@inheritdoc}
     */
    public function loadTag($tag)
    {
        $sql = $this->getSql('loadTag');
        // $tag = $this->mapTag($tag);

        $values = array('tag' => "%$tag%", 'now' => time());

        $items = $this->exec($sql, $values)->fetchAll();

        $keys = array();
        foreach ($items as $item) {
            $keys[] = $item['key'];
        }

        return empty($keys) ? null : $keys;
    }

    /**
     * {@inheritdoc}
     */
    public function save($data, $key, array $tags=null, $ttl=null)
    {
        $key = $this->mapKey($key);
        $values = array(
            'key'   => $key,
            'data'  => null !== $this->serializer
                        ? $this->serializer->serialize($data)
                        : $data,
            'exp'   => null !== $ttl && 0 !== $ttl ? time()+$ttl : null,
            'dated' => $this->getTimestamp()
        );

        $this->ttls[$key] = $values['exp'];

        $values['tags'] = $this->options['tag_enable'] && null !== $tags
                            ? implode(', ', $tags)
                            : null;

        // upsert
        $sql = $this->getSql('update');
        $nb = $this->exec($sql, $values)->rowCount();
        if ($nb == 0) {
            $sql = $this->getSql('insert');
            $nb = $this->exec($sql, $values)->rowCount();
        }

        return (boolean) $nb;
    }

    /**
     * {@inheritdoc}
     */
    public function delete($key)
    {
        $sql = $this->getSql('delete');
        $values = array($this->mapKey($key));

        return (boolean) $this->exec($sql, $values)->rowCount();
    }

    /**
     * {@inheritdoc}
     */
    public function clean(array $tags)
    {
        $values = array();
        foreach ($tags as $tag) {
            // $tag = $this->mapTag($tag);

            $values[] = '%' . $tag . '%';
        }

        $sql = $this->getSql(
            'clean', implode(' OR ', array_fill(
                    0, count($tags), $this->getSql('clean_like')))
        );

        return (boolean) $this->exec($sql, $values)->rowCount();
    }

    /**
     * {@inheritdoc}
     */
    public function flush($all=false)
    {
        if (true === $all) {
            return false !== $this->adapter->exec($this->getSql('flush_all'));
        }

        return (boolean) $this->adapter->exec($this->getSql('flush'));
    }

    /**
     * Purges expired items.
     *
     * @param  integer|null $add Extra time in second to add.
     * @return boolean      Returns True on success or False on failure.
     */
    public function purge($add=null)
    {
        $time = null == $add ? time() : time()+$add;

        return (boolean) $this->adapter->exec($this->getSql('purge', $time));
    }

    /**
     * Gets the named SQL definition.
     *
     * @param  string         $key
     * @param  string|integer $value An additional value.
     * @return string
     */
    protected function getSql($key, $value=null)
    {
        return sprintf(
            $this->sql_definitions[$key],
            $this->options['db_table'],
            $value
        );
    }

    /**
     * Prepares and executes a SQL query.
     *
     * @param  string        $sql    The SQL to prepare.
     * @param  array         $values The values to execute.
     * @return \PDOStatement Provides a fluent interface
     */
    protected function exec($sql, array $values)
    {
        $prep = $this->adapter->prepare($sql);
        $prep->execute($values);

        return $prep;
    }

    /**
     * Returns the current driver's name.
     *
     * @param \PDO  $pdo     An instance of a PDO class.
     * @return string        Either 'Mysql', 'Pgsql', 'Sqlite' or 'Sql1999'.
     */
    public static function getDriverName(\PDO $pdo)
    {
        $name = $pdo->getAttribute(\PDO::ATTR_DRIVER_NAME);
        if (!in_array($name, array('sqlite', 'mysql', 'pgsql'))) {
        // @codeCoverageIgnoreStart
            // sql1999 specific tests are run on Sqlite.
            $name = 'sql1999';
        }
        // @codeCoverageIgnoreEnd

        return ucfirst($name);
    }

    /**
     * Returns a formated timestamp.
     *
     * @param integer|null $time If null, use the current time.
     */
    public function getTimestamp($time=null)
    {
        return date(
            $this->options['timestamp'],
            null != $time ? $time : time()
        );
    }

    /**
     * {@inheritdoc}
     */
    public function getTtl($key)
    {
        $mKey = $this->mapKey($key);

        return isset($this->ttls[$mKey])

                ? $this->ttls[$mKey]-time()
                : false;
    }

}


1			<?php
2
3			/**
4			*
5			* This file is part of the Apix Project.
6			*
7			* (c) Franck Cassedanne <franck at ouarz.net>
8			*
9			* @license http://opensource.org/licenses/BSD-3-Clause New BSD License
10			*
11			*/
12
13			namespace Apix\Cache;
14
15			/**
16			* PDO cache wrapper with tag support.
17			*
18			* @author Franck Cassedanne <franck at ouarz.net>
19			*/
20			abstract class AbstractPdo extends AbstractCache
21			{
22
23			/**
24			* Holds the SQL definitions.
25			* @var array
26			*/
27			protected $sql_definitions;
28
29			/**
30			* Holds the array of TTLs.
31			* @var array
32			*/
33			protected $ttls = array();
34
35			/**
36			* Constructor.
37			*
38			* @param \PDO $pdo An instance of a PDO class.
39			* @param array $options Array of options.
40			*/
41	155		public function __construct(\PDO $pdo, array $options=null)
42			{
43			// default options
44	155		$this->options['db_table'] = 'cache'; // table to hold the cache
45	155		$this->options['serializer'] = 'php'; // null, php, igBinary, json
			0 ignored issues – show Unused Code Comprehensibility introduced 2017-04-27 18:40 UTC by Report Bug Copy Issue Report Show Similar Issues like this `37%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
46	155		// and msgpack
47	155		$this->options['preflight'] = true; // wether to preflight the DB
48			$this->options['timestamp'] = 'Y-m-d H:i:s'; // timestamp db format
49	155
50			$pdo->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
51	155
52	155		parent::__construct($pdo, $options);
53			$this->setSerializer($this->options['serializer']);
54	155
55	155		if ($this->options['preflight']) {
56	155		$this->initDb();
57	155		}
58			}
59
60			/**
61			* Initialises the database and its indexes (if required, non-destructive).
62			*
63			* @return self Provides a fluent interface
64	155		*/
65			public function initDb()
66	155		{
67			$this->adapter->exec( $this->getSql('init') );
68	155
69	155		$this->createIndexTable('key_idx');
70	155		$this->createIndexTable('exp_idx');
71			$this->createIndexTable('tag_idx');
72	155
73			return $this;
74			}
75
76			/**
77			* Creates the specified indexe table (if missing).
78			*
79			* @param string $index
80			* @return boolean
81	155		*/
82			public function createIndexTable($index)
83	155		{
84	50		if (!isset($this->sql_definitions[$index])) {
85			return false;
86	155		}
87			$this->adapter->exec($this->getSql($index, $this->options['db_table']));
88	155
89			return $this->adapter->errorCode() == '00000';
90			}
91
92			/**
93			* {@inheritdoc}
94	84		*/
95			public function loadKey($key)
96	84		{
97	84		$key = $this->mapKey($key);
98	84		$sql = $this->getSql('loadKey');
99			$values = array('key' => $key, 'now' => time());
100	84
101			$cached = $this->exec($sql, $values)->fetch();
102
103	78		// if (isset($cached['expire'])) {
			0 ignored issues – show Unused Code Comprehensibility introduced 2016-06-20 14:05 UTC by Report Bug Copy Issue Report Show Similar Issues like this `79%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
104			$this->ttls[$key] = $cached['expire'];
105			// }
106	78
107	48		if (null !== $cached['data'] && null !== $this->serializer) {
108			return $this->serializer->unserialize($cached['data']);
109			}
110	48
111			return false === $cached ? null : $cached['data'];
112			}
113
114			/**
115			* {@inheritdoc}
116	48		*/
117			public function loadTag($tag)
118	48		{
119			$sql = $this->getSql('loadTag');
120	48		// $tag = $this->mapTag($tag);
			0 ignored issues – show Unused Code Comprehensibility introduced 2016-06-20 14:05 UTC by Report Bug Copy Issue Report Show Similar Issues like this `59%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
121			$values = array('tag' => "%$tag%", 'now' => time());
122	48
123			$items = $this->exec($sql, $values)->fetchAll();
124	48
125	48		$keys = array();
126	24		foreach ($items as $item) {
127	48		$keys[] = $item['key'];
128			}
129	48
130			return empty($keys) ? null : $keys;
131			}
132
133			/**
134			* {@inheritdoc}
135	108		*/
136			public function save($data, $key, array $tags=null, $ttl=null)
137	108		{
138			$key = $this->mapKey($key);
139	108		$values = array(
140	108		'key' => $key,
141	108		'data' => null !== $this->serializer
142	108		? $this->serializer->serialize($data)
143	108		: $data,
144	108		'exp' => null !== $ttl && 0 !== $ttl ? time()+$ttl : null,
145	108		'dated' => $this->getTimestamp()
146			);
147	108
148			$this->ttls[$key] = $values['exp'];
149	108
150	108		$values['tags'] = $this->options['tag_enable'] && null !== $tags
151	108		? implode(', ', $tags)
152			: null;
153
154	108		// upsert
155	108		$sql = $this->getSql('update');
156	108		$nb = $this->exec($sql, $values)->rowCount();
157	108		if ($nb == 0) {
158	108		$sql = $this->getSql('insert');
159	108		$nb = $this->exec($sql, $values)->rowCount();
160			}
161	108
162			return (boolean) $nb;
163			}
164
165			/**
166			* {@inheritdoc}
167	18		*/
168			public function delete($key)
169	18		{
170	18		$sql = $this->getSql('delete');
171			$values = array($this->mapKey($key));
172	18
173			return (boolean) $this->exec($sql, $values)->rowCount();
174			}
175
176			/**
177			* {@inheritdoc}
178	6		*/
179			public function clean(array $tags)
180	6		{
181	6		$values = array();
182			foreach ($tags as $tag) {
183	6		// $tag = $this->mapTag($tag);
			0 ignored issues – show Unused Code Comprehensibility introduced 2016-06-20 14:05 UTC by Report Bug Copy Issue Report Show Similar Issues like this `59%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
184	6		$values[] = '%' . $tag . '%';
185			}
186	6
187	6		$sql = $this->getSql(
188	6		'clean', implode(' OR ', array_fill(
189	6		0, count($tags), $this->getSql('clean_like')))
190			);
191	6
192			return (boolean) $this->exec($sql, $values)->rowCount();
193			}
194
195			/**
196			* {@inheritdoc}
197	138		*/
198			public function flush($all=false)
199	138		{
200	138		if (true === $all) {
201			return false !== $this->adapter->exec($this->getSql('flush_all'));
202			}
203	6
204			return (boolean) $this->adapter->exec($this->getSql('flush'));
205			}
206
207			/**
208			* Purges expired items.
209			*
210			* @param integer\|null $add Extra time in second to add.
211			* @return boolean Returns True on success or False on failure.
212	6		*/
213			public function purge($add=null)
214	6		{
215			$time = null == $add ? time() : time()+$add;
216	6
217			return (boolean) $this->adapter->exec($this->getSql('purge', $time));
218			}
219
220			/**
221			* Gets the named SQL definition.
222			*
223			* @param string $key
224			* @param string\|integer $value An additional value.
225			* @return string
226	155		*/
227			protected function getSql($key, $value=null)
228	155		{
229	155		return sprintf(
230	155		$this->sql_definitions[$key],
231			$this->options['db_table'],
232	155		$value
233			);
234			}
235
236			/**
237			* Prepares and executes a SQL query.
238			*
239			* @param string $sql The SQL to prepare.
240			* @param array $values The values to execute.
241			* @return \PDOStatement Provides a fluent interface
242	126		*/
243			protected function exec($sql, array $values)
244	126		{
245	126		$prep = $this->adapter->prepare($sql);
246			$prep->execute($values);
247	126
248			return $prep;
249			}
250
251			/**
252			* Returns the current driver's name.
253			*
254			* @param \PDO $pdo An instance of a PDO class.
255			* @return string Either 'Mysql', 'Pgsql', 'Sqlite' or 'Sql1999'.
256	23		*/
257			public static function getDriverName(\PDO $pdo)
258	23		{
259	23		$name = $pdo->getAttribute(\PDO::ATTR_DRIVER_NAME);
260			if (!in_array($name, array('sqlite', 'mysql', 'pgsql'))) {
261			// @codeCoverageIgnoreStart
262			// sql1999 specific tests are run on Sqlite.
263			$name = 'sql1999';
264			}
265			// @codeCoverageIgnoreEnd
266	23
267			return ucfirst($name);
268			}
269
270			/**
271			* Returns a formated timestamp.
272			*
273			* @param integer\|null $time If null, use the current time.
274	108		*/
275			public function getTimestamp($time=null)
276	108		{
277	108		return date(
278	108		$this->options['timestamp'],
279	108		null != $time ? $time : time()
280			);
281			}
282
283			/**
284			* {@inheritdoc}
285	12		*/
286		View Code Duplication	public function getTtl($key)
287	12		{
288			$mKey = $this->mapKey($key);
289	12
290	12		return isset($this->ttls[$mKey])
			0 ignored issues – show Bug Compatibility introduced 2016-06-20 14:05 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `isset($this->ttls[$mKey]...mKey] - time() : false;` of type `integer\|double\|false` adds the type `double` to the return on line 290 which is incompatible with the return type declared by the interface `Apix\Cache\Adapter::getTtl` of type `integer\|false`. Loading history...
291	12		? $this->ttls[$mKey]-time()
292			: false;
293			}
294
295			}
296

frqnck / apix-cache

Issues (36)

Security Analysis no request data

src/AbstractPdo.php (5 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like