  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web request that is viewed by other users. It can, for example, be used to bypass access controls or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that they should not be able to access. These files can, for example, include database credentials or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code (typically through unserialize() of attacker-controlled data), and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting lets an attacker inject line breaks into HTTP response headers and thereby send arbitrary responses to the client.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server, gaining access to user data or manipulating it.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is, for example, used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements, potentially granting permission to run unauthorized queries or to modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process (historically via the preg_replace() /e modifier, which was removed in PHP 7).
  XML Injection
XML Injection enables an attacker to read files on your local filesystem, including configuration files (external entities), or can be abused to freeze your web-server process (entity expansion).
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
class/dict.php (9 issues)

<?php
/**
 * @package		fwolflib
 * @subpackage	class
 * @copyright	Copyright 2011, Fwolf
 * @author		Fwolf <[email protected]>
 * @since		2011-07-15
 */


require_once(dirname(__FILE__) . '/fwolflib.php');


/**
 * Manipulate dict data, eg db code-name table.
 *
 * @deprecated  Use Fwlib\Db\CodeDictionary
 * @package		fwolflib
 * @subpackage	class
 * @copyright	Copyright 2011, Fwolf
 * @author		Fwolf <[email protected]>
 * @since		2011-07-15
 */
class Dict extends Fwolflib {

    Issue (deprecated code): The class Fwolflib has been deprecated with message: Use classes in Fwlib namespace, see PSR-0/1/2.
    This class, trait or interface has been deprecated. The supplier of the file has supplied an explanatory message, which should give you some clue as to whether and when the type will be removed and what other type to use instead.


	/**
	 * Dict data array
	 * @var	array
	 */
	public $aData = array();


	/**
	 * Constructor
	 *
	 * @param	array	$ar_cfg
	 */
	public function __construct ($ar_cfg = array()) {
		parent::__construct($ar_cfg);
	} // end of func __construct


	/**
	 * Get related value for given pk
	 *
	 * @param	mixed	$ar_pk	Array or string of pk.
	 * @param	mixed	$col	Array or string of cols for return.
	 * @return	mixed
	 */
	public function Get ($ar_pk, $col = '') {
		if (empty($ar_pk))
			return null;

		if (!is_array($ar_pk))
			$ar_pk = array($ar_pk);

		$ar_col = $this->GetCol($col);

		$ar = array();
		foreach ($ar_pk as $pk) {
			if (isset($this->aData[$pk]))
				$ar[$pk] = $this->GetColData($this->aData[$pk], $ar_col);
			else
				$ar[$pk] = null;
		}

		if (1 == count($ar))
			return array_shift($ar);
		else
			return $ar;
	} // end of func Get


	/**
	 * Get cols you want to query.
	 *
	 * If $col not assigned, assign as first col which is not pk.
	 * '*' means all cols.
	 * @param	mixed	$col	Array or string of cols.
	 * @return	mixed
	 */
	protected function GetCol ($col = '') {
		// Get correct cols
		$ar_col = array();
		if ('*' == $col)
			$ar_col = $this->aCfg['dict-cols'];
		elseif (empty($col)) {
			// Assign first col not pk
			$i = 0;
			while ($this->aCfg['dict-cols'][$i]
					== $this->aCfg['dict-cols-pk']
				&& $i < count($this->aCfg['dict-cols'])) {
				$i++;
			}
			$ar_col = array($this->aCfg['dict-cols'][$i]);
		} else {
			// Find valid cols
			if (is_string($col)) {
				$col = explode(',', $col);
				array_walk($col, 'trim');
			}
			foreach ($col as $v)

    Issue (type check): The expression $col of type object|integer|double|null|array|boolean is not guaranteed to be traversable. How about adding an additional type check?
    There are different options for fixing this problem.
      1. If you want to be on the safe side, you can add an additional type check:

        $collection = json_decode($data, true);
        if ( ! is_array($collection)) {
            throw new \RuntimeException('$collection must be an array.');
        }

        foreach ($collection as $item) { /** ... */ }

      2. If you are sure that the expression is traversable, you might want to add a doc comment cast to improve IDE auto-completion and static analysis:

        /** @var array $collection */
        $collection = json_decode($data, true);

        foreach ($collection as $item) { /** .. */ }

      3. Mark the issue as a false positive.

				if (in_array($v, $this->aCfg['dict-cols']))
					$ar_col[] = $v;
		}

		if (1 == count($ar_col))
			return array_shift($ar_col);
		else
			return $ar_col;
	} // end of func GetCol


	/**
	 * Get data from array by assigned cols
	 *
	 * @param	array	$ar_data
	 * @param	mixed	$col
	 * @return	mixed
	 */
	protected function GetColData ($ar_data, $col) {
		if (empty($ar_data) || empty($col))
			return null;
		if (!is_array($col))
			$col = array($col);

		$ar = array();
		foreach ($col as $v) {
			if (isset($ar_data[$v]))
				$ar[$v] = $ar_data[$v];
		}

		if (1 == count($ar))
			return array_shift($ar);
		else
			return $ar;
	} // end of func GetColData


	/**
	 * Get data fit given condition
	 *
	 * In condition, use {col} and native php syntax.
	 * Delimiter can change in SetStruct().
	 * @param	string	$s_cond
	 * @param	string	$col		Wanted cols.
	 * @return	array	2-dim array of result.
	 * @see		SetStruct()
	 */
	public function GetList ($s_cond = '', $col = '*') {
		if (empty($s_cond))
			return $this->aData;
		if (empty($this->aData))
			return array();
		$col = $this->GetCol($col);

		$ar_cols = array();
		foreach ($this->aCfg['dict-cols'] as $v)
			$ar_cols[] = $this->aCfg['dict-list-cond-delimiter-left']
				. $v
				. $this->aCfg['dict-list-cond-delimiter-right'];

		// Loop check
		$ar_rs = array();
		$s_cond = '$b = (' . $s_cond . ');';
		foreach ($this->aData as $k => &$data) {
			$s_cond_t = str_replace($ar_cols, $data, $s_cond);
			eval($s_cond_t);
			if ($b)

    Issue (undeclared variable): The variable $b does not exist. Did you forget to declare it?
    This check marks access to variables or properties that have not been declared yet. While PHP has no explicit notion of declaring a variable, accessing it before a value is assigned to it is most likely a bug.
    Here $b is assigned by the string passed to eval() on the line above, which static analysis does not follow, so the finding itself is a symptom. The underlying problem is that GetList() builds PHP source from $s_cond and splices every row value into it verbatim with str_replace(): both the condition string and the dictionary data are executed as code, so any value containing a quote or PHP syntax changes what the condition evaluates to.

				$ar_rs[$k] = $this->GetColData($data, $col);
		}
		return $ar_rs;
	} // end of func GetList
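The following is an added example, not part of fwolflib: it reproduces the placeholder substitution and eval() that GetList() performs on a constructed two-column dictionary, so the effect of a row value containing a quote can be seen without the library, and places a predicate-based replacement next to it. The column names, the sample rows and the function names listWithEval() and listWithPredicate() are assumptions made for the example.

```php
<?php
// Added example, not part of fwolflib: it reproduces the substitution that
// Dict::GetList() performs so the behaviour can be seen without the library.
declare(strict_types=1);

// Constructed sample data, shaped like Dict::$aData under SetStruct()'s
// defaults ('dict-cols' = ['code', 'title'], pk 'code').
$aData = [
    'A' => ['code' => 'A', 'title' => 'Alpha'],
    'B' => ['code' => 'B', 'title' => 'Beta'],
    // A row whose *value* carries PHP syntax; it could arrive via any import.
    'X' => ['code' => "' || true || '", 'title' => 'x'],
];

/**
 * Same algorithm as Dict::GetList(): {col} placeholders are replaced by the
 * raw row values and the result is eval()'d. Returns the keys of matching rows.
 */
function listWithEval(array $aData, string $s_cond): array
{
    $ar_cols = ['{code}', '{title}'];
    $s_cond  = '$b = (' . $s_cond . ');';
    $ar_rs   = [];
    foreach ($aData as $k => $data) {
        // Values are spliced into PHP source verbatim, without quoting.
        $s_cond_t = str_replace($ar_cols, $data, $s_cond);
        $b = false;
        eval($s_cond_t);
        if ($b) {
            $ar_rs[] = $k;
        }
    }
    return $ar_rs;
}

/** Hardened form: the caller supplies a predicate; no source code is generated. */
function listWithPredicate(array $aData, callable $pred): array
{
    $ar_rs = [];
    foreach ($aData as $k => $data) {
        if ($pred($data)) {
            $ar_rs[] = $k;
        }
    }
    return $ar_rs;
}

// Only row A is wanted. For row X the eval()'d source becomes
//   $b = ('' || true || '' == 'A');
// which is true, so the filter is bypassed and X is returned as well.
var_dump(listWithEval($aData, "'{code}' == 'A'"));                       // ["A", "X"]
var_dump(listWithPredicate($aData, fn (array $r) => $r['code'] === 'A')); // ["A"]
```

Note that the placeholder has to be written inside quotes in the condition ('{code}' rather than {code}): an unquoted placeholder produces `$b = (A == 'A');`, an undefined constant, which is an Error on PHP 8. That quoting is exactly what a value with an embedded single quote breaks out of.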


	/**
	 * Get SQL for write dict data to db
	 *
	 * @param	object	$o_db	Adodb conn object.
	 * @param	boolean	$b_truncate	With truncate part?
	 * @return	string
	 * @see		Adodb
	 */
	public function GetSql ($o_db, $b_truncate = true) {
		if (empty($o_db) || !$o_db->IsConnected()) {
			$this->Log('Db empty or not connected.', 4);
			return '';
		}
		if (empty($this->aCfg['dict-table'])) {
			$this->Log('Db dict table not set.', 4);
			return '';
		}


		// Result sql
		$s_sql = '';

		// Mysql set names
		if ($o_db->IsDbMysql()) {
			$s_sql .= 'SET NAMES \''
				. str_replace('utf-8', 'utf8', $o_db->aDbProfile['lang'])
				. '\'' . $o_db->GetSqlDelimiter();
		}

		// Truncate part ?
		if ($b_truncate)
			$s_sql .= $this->GetSqlTruncate($o_db);

		// Begin transaction
		$s_sql .= $o_db->GetSqlTransBegin();

		// Data
		if (!empty($this->aData))
			foreach ($this->aData as $k => $ar_row) {
// INSERT INTO table (col1, col2) VALUES (val1, 	val2)[DELIMITER]
				// Values part
				$ar_val = array();
				foreach ($ar_row as $key => $val)
					$ar_val[] = $o_db->QuoteValue($this->aCfg['dict-table']
						, $key, $val);
				// Join with column and other part
				$s_sql .= 'INSERT INTO ' . $this->aCfg['dict-table']
					. ' (' . implode(', ', $this->aCfg['dict-cols']) . ')'
					. ' VALUES (' . implode(",\t", $ar_val) . ')'
					. $o_db->GetSqlDelimiter();
			}

		// End transaction
		$s_sql .= $o_db->GetSqlTransCommit();

		return $s_sql;
	} // end of func GetSql
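GetSql() above quotes each value through the Adodb wrapper but concatenates the table name and column names from configuration unchecked. The following added example (not fwolflib code) builds the same TRUNCATE plus INSERT batch with an explicit identifier whitelist and PDO::quote() for values; the function names assertIdentifier() and buildDictSql(), the sample rows, and the use of an in-memory SQLite PDO handle purely as a quoter (requires the pdo_sqlite extension) are assumptions made for the example.

```php
<?php
// Added example, not fwolflib code: the INSERT batch that Dict::GetSql()
// builds, with identifiers validated before concatenation and values quoted
// by PDO instead of an assumed wrapper method.
declare(strict_types=1);

/** Reject anything that is not a plain SQL identifier; quoting cannot fix these. */
function assertIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException("Unsafe SQL identifier: $name");
    }
    return $name;
}

/**
 * Build the script for a code dictionary. $rows is shaped like Dict::$aData
 * (each row keyed by column name); $quote turns a value into a SQL literal,
 * e.g. [$pdo, 'quote']. $delim is the statement delimiter.
 */
function buildDictSql(string $table, array $cols, array $rows, callable $quote, string $delim = ";\n"): string
{
    $table = assertIdentifier($table);
    $cols  = array_map('assertIdentifier', $cols);
    $sql   = 'TRUNCATE TABLE ' . $table . $delim;
    foreach ($rows as $row) {
        $vals = [];
        foreach ($cols as $col) {
            // Every value passes through the quoter; a missing column is NULL.
            $vals[] = isset($row[$col]) ? $quote((string) $row[$col]) : 'NULL';
        }
        $sql .= 'INSERT INTO ' . $table
            . ' (' . implode(', ', $cols) . ')'
            . ' VALUES (' . implode(', ', $vals) . ')' . $delim;
    }
    return $sql;
}

// Constructed data; the apostrophe in the first title exercises the quoting.
$rows = [
    'A' => ['code' => 'A', 'title' => "Alpha's title"],
    'B' => ['code' => 'B', 'title' => 'Beta'],
];
$pdo = new PDO('sqlite::memory:');   // used only for PDO::quote()

echo buildDictSql('code_i4', ['code', 'title'], $rows, [$pdo, 'quote']);
// TRUNCATE TABLE code_i4;
// INSERT INTO code_i4 (code, title) VALUES ('A', 'Alpha''s title');
// INSERT INTO code_i4 (code, title) VALUES ('B', 'Beta');

try {
    buildDictSql('code_i4; DROP TABLE code_i4', ['code'], $rows, [$pdo, 'quote']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ' . $e->getMessage() . "\n";
}
```

The identifier check matters because the table and column names come from SetCfg() calls, which any subclass or caller can override; a whitelist makes the generated script safe regardless of who sets the configuration.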


	/**
	 * Get SQL for write dict data to db, truncate part.
	 *
	 * @param	object	$o_db	Adodb conn object.
	 * @return	string
	 * @see		Adodb
	 */
	public function GetSqlTruncate ($o_db) {
		$s_sql = '';

		// Begin transaction
		if (!$o_db->IsDbSybase())
			$s_sql .= $o_db->GetSqlTransBegin();

		// TRUNCATE TABLE
		$s_sql .= 'TRUNCATE TABLE ' . $this->aCfg['dict-table']
			. $o_db->GetSqlDelimiter();

		// End transaction
		if (!$o_db->IsDbSybase())
			$s_sql .= $o_db->GetSqlTransCommit();

		return $s_sql;
	} // end GetSqlTruncate


	/**
	 * Init dict content
	 *
	 * @return	object
	 */
	public function Init () {
		parent::Init();

		$this->SetStruct();
		if (empty($this->aCfg['dict-cols']))
			$this->Log('Dict cols not defined.', 5);

		return $this;
	} // end of func Init


	/**
	 * Insert value to $this->aData
	 *
	 * @param	array	$ar_data	1 or 2-dim data array.
	 * @return	object
	 */
	public function Set ($ar_data) {
		if (empty($ar_data)) {
			$this->Log('Empty data given.', 4);
			return $this;
		}
		// Convert 1-dim to 2-dim
		if (!is_array($ar_data[array_rand($ar_data)]))
			$ar_data = array($ar_data);

		$this->SetData($ar_data);
		return $this;
	} // end of func Set


	/**
	 * Insert value to $this->aData
	 *
	 * @param	array	$ar_data	2-dim data array.
	 * @return	object
	 */
	protected function SetData ($ar_data) {
		if (empty($ar_data)) {
			$this->Log('Empty data given.', 4);
			return $this;
		}
		if (empty($this->aCfg['dict-cols'])) {
			$this->Log('Dict cols not defined', 5);
			return $this;
		}

		foreach ($ar_data as $ar) {
			$ar_t = array();
			foreach ($this->aCfg['dict-cols'] as $col) {
				if (!empty($ar))
					$ar_t[$col] = array_shift($ar);
			}
			// Single pk as array index
			if (!empty($this->aCfg['dict-cols-pk'])
				&& is_string($this->aCfg['dict-cols-pk'])) {
				if (!empty($ar_t[$this->aCfg['dict-cols-pk']]))
					$this->aData[$ar_t[$this->aCfg['dict-cols-pk']]]
						= $ar_t;
				else {
					$this->Log('Dict pk not set in data.', 4);
					$this->aData[] = $ar_t;
				}
			} else
				// Multi pk or no pk
				$this->aData[] = $ar_t;
		}
	} // end of func SetData


	/**
	 * Set data structure, usually override by sub class.
	 *
	 * @return	object
	 */
	public function SetStruct () {
		// Array of string.
		$this->SetCfg('dict-cols', array('code', 'title'));

    Issue (argument type): 'dict-cols' is of type string, but the function expects an array.
    It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP's automatic type juggling kicks in, this might be fine. In other cases, however, this might be a bug. We suggest adding an explicit type cast, as in the following example:

        function acceptsInteger($int) { }

        $x = '123'; // string "123"

        // Instead of
        acceptsInteger($x);

        // we recommend to use
        acceptsInteger((integer) $x);

    The same finding is reported for each of the four SetCfg() calls below; the first argument of SetCfg() is the configuration key, so these are almost certainly a signature-inference problem in the analyzer rather than a defect in this file.

		// Array for multi and string for single.
		$this->SetCfg('dict-cols-pk', 'code');

    Issue (argument type): 'dict-cols-pk' is of type string, but the function expects an array.

		$this->SetCfg('dict-table', 'code_i4');

    Issue (argument type): 'dict-table' is of type string, but the function expects an array.

		// Delimiter in get list condition
		$this->SetCfg('dict-list-cond-delimiter-left', '{');

    Issue (argument type): 'dict-list-cond-delimiter-left' is of type string, but the function expects an array.

		$this->SetCfg('dict-list-cond-delimiter-right', '}');

    Issue (argument type): 'dict-list-cond-delimiter-right' is of type string, but the function expects an array.

	} // end of func SetStruct


} // end of class Dict
?>

    Issue (closing tag): It is not recommended to use PHP's closing tag ?> in files other than templates.
    Using a closing tag in PHP files that only contain PHP code is not recommended, as you might accidentally add whitespace after the closing tag which would then be output by PHP. This can cause severe problems; for example, headers cannot be sent anymore. A simple precaution is to leave off the closing tag, as it is not required and has no negative effects whatsoever.