Issues in sms.php (master) - Issues in master - fwolf/fwlib - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1752)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

class/sms.php (1 issue)

Labels

Severity

Informational 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * @package		fwolflib
 * @subpackage	class
 * @copyright	Copyright © 2010, Fwolf
 * @author		Fwolf <[email protected]>
 * @since		2010-11-23
 */


require_once(dirname(__FILE__) . '/fwolflib.php');
require_once(FWOLFLIB . 'func/uuid.php');


/**
 * SMS treat and send.
 *
 * Using gammu daemon to send sms.
 *
 * @deprecated  Use Fwlib\Net\Sms\SmsSender
 * @package		fwolflib
 * @subpackage	class
 * @copyright	Copyright © 2010, Fwolf
 * @author		Fwolf <[email protected]>
 * @since		2010-11-23
 */
class Sms extends Fwolflib {

	/**
	 * Db object to connect sms stat db
	 * @var	object
	 */
	protected $oDb = null;


	/**
	 * construct
	 *
	 * @param	object	$o_db
	 */
	public function __construct ($o_db = null) {
		parent::__construct();

		if (!is_null($o_db))
			$this->oDb = &$o_db;
	} // end of class __construct


	/**
	 * Count sms will split to N part to send
	 *
	 * If only ascii chars include, 140 chars for 1 sms part,
	 * if has chinese chars, 70 chars for 1 sms part only.
	 *
	 * 1 chinese char will count as 1 char.
	 *
	 * @param	string	$s_sms
	 * @return	integer
	 */
	public function CountPart ($s_sms = '') {
		// Is there chinese in sms ?
		if (mb_strlen($s_sms, 'utf-8') == strlen($s_sms)) {
			// No chinese, 140 chars per part
			return (ceil(strlen($s_sms) / 140));
		}
		else {
			// Convert chinese char to ascii, for count
			return (ceil(mb_strlen($s_sms, 'utf-8') / 70));
		}
	} // end of func CountPart


	/**
	 * Parse dest/phone number string.
	 *
	 * Do:
	 * 	Split phone number.
	 * 	Format phone number.
	 * 	Remove duplicate number.
	 *
	 * @param	mixed	$s_dest
	 * @return	array
	 */
	public function DestParse ($s_dest) {
		// If array given, still need convert to string
		// to format and validate phone number.
		if (is_array($s_dest))
			$s_dest = implode(',', $s_dest);

		// Replace all special chars to ','
		$s_dest = str_replace('，', ',', $s_dest);
		$s_dest = preg_replace('/[ ,;\r\n\t]{1,}/'
			, ',', $s_dest);
		$ar_dest = explode(',', $s_dest);

		// Remove +86, 0086
		foreach ($ar_dest as &$dest) {
			if ('+86' == substr($dest, 0, 3))
				$dest = substr($dest, 3);
			elseif ('0086' == substr($dest, 0, 4))
				$dest = substr($dest, 4);
		}

		// Remove duplicate
		$ar = array();
		foreach ($ar_dest as &$dest) {
			// Invalid length
			if (11 != strlen($dest) && '10' != substr($dest, 0, 2))
				continue;

			if (false == in_array($dest, $ar))

				$ar[] = $dest;
		}

		return $ar;
	} // end of func DestParse


	/**
	 * Write sent sms stat information.
	 *
	 * @param	array	$ar_dest
	 * @param	string	$s_sms
	 * @param	integer	$i_cat
	 */
	protected function DestStatSet ($ar_dest, $s_sms, $i_cat) {
		if (is_null($this->oDb)) {
			$this->Log('No db connection.', 5);
			return;
		}

		// Gen data array
		$ar_data = array();
		$ar_data['uuid']	= Uuid();
		$ar_data['st']		= date('Y-m-d H:i:s');
		$ar_data['cat']		= $i_cat;
		$ar_data['cnt']		= count($ar_dest);
		$ar_data['cnt_cm']	= 0;
		$ar_data['cnt_cu']	= 0;
		$ar_data['cnt_ct']	= 0;
		$ar_data['dest']	= implode(',', $ar_dest);
		$ar_data['cnt_part']= $this->CountPart($s_sms);
		$ar_data['sms']		= $s_sms;

		// Which company's number ?
		$ar_cm = array(134, 135, 136, 137, 138, 139, 147
			, 150, 151, 152, 157, 158, 159, 187, 188);
		$ar_cu = array(130, 131, 132, 155, 156, 185, 186);
		$ar_ct = array(133, 153, 180, 189);
		foreach ($ar_dest as $dest) {
			$i = intval(substr($dest, 0, 3));
			if (in_array($i, $ar_cm))
				$ar_data['cnt_cm'] ++;
			elseif (in_array($i, $ar_cu))
				$ar_data['cnt_cu'] ++;
			elseif (in_array($i, $ar_ct))
				$ar_data['cnt_ct'] ++;
		}

		// Save to db
		$this->oDb->Write('sms_stat', $ar_data, 'I');
	} // end of func DestStatSet


	/**
	 * Detect and set path of gammu smsd inject cmd
	 *
	 * @param	$s_path		Manual additional path
	 * @return	string
	 */
	public function GetPathGammuSmsdInject ($s_path = '') {
		$ar_path = $this->aCfg['path_bin'];

		if (!empty($s_path)) {
			// Add to array
			array_unshift($ar_path, $s_path);
		}

		// Find a usable path
		$b_found = false;
		while (!$b_found && !empty($ar_path)) {
			$s_cmd = $ar_path[0] . 'gammu-smsd-inject';
			if (is_executable($s_cmd)) {
				$b_found = true;
				break;
			}
			array_shift($ar_path);
		}
		if ($b_found) {
			$this->Log('Got gammu smsd inject execute file: '
				. $s_cmd, 1);
			$this->aCfg['path_gammu_smsd_inject'] = $s_cmd;
		}
		else {
			$this->Log('Can\' find gammu smsd inject execute file.', 5);
			exit();
		}

		return $this->aCfg['path_gammu_smsd_inject'];
	} // end of func GetPathGammuSmsdInject


	/**
	 * Init config vars, give default value.
	 *
	 * @return	this
	 */
	public function Init () {
		parent::Init();

		// Possible bin path
		$this->aCfg['path_bin'] = array(
			'/usr/bin/',
			'/usr/local/bin/',
			'/bin/',
		);

		// Path of gammu-smsd-inject
		$this->aCfg['path_gammu_smsd_inject'] = '';

		// Cmd template of gammu-smsd-inject cmd
		$this->aCfg['cmd_gammu_smsd_inject']
			= '[cmd] TEXT [dest] -autolen 600 -report -validity MAX -unicode -textutf8 "[sms]"';

		return $this;
	} // end of func Init


	/**
	 * Send sms using gammu smsd inject method.
	 *
	 * Notice: On webserver, need assign www-data to gammu group,
	 * 	and make /var/log/gammu-smsd.log g+w .
	 * 	Modem server need not, only conn to db is required.
	 *
	 * @param	mixed	$ar_dest	Dest phone number array
	 * 								or string split by ' ,;，\r\n'.
	 * @param	string	$s_sms		Msg to send.
	 * @param	integer	$i_cat		Category of sms, for stat.
	 * @return	integer				Actual valid phone number sent.
	 */
	public function SendUsingGammuSmsdInject ($ar_dest, $s_sms, $i_cat = 0) {
		if (empty($this->aCfg['path_gammu_smsd_inject']))
			$this->GetPathGammuSmsdInject();

		$ar_dest = $this->DestParse($ar_dest);
		if (1 > count($ar_dest)) {
			$this->Log('No valid number to sent.', 4);
			return 0;
		}
		$this->DestStatSet($ar_dest, $s_sms, $i_cat);

		// Prepare sms to sent
		$s_sms = str_replace(array('[cmd]', '[sms]')
			, array($this->aCfg['path_gammu_smsd_inject'], $s_sms)
			, $this->aCfg['cmd_gammu_smsd_inject']);
		$i = strpos($s_sms, '[dest]');
		if (1 > $i) {
			$this->Log('Something wrong with gammu smsd inject cmd template'
				, 5);
			exit();
		}
		$s_sms1 = substr($s_sms, 0, $i);
		$s_sms2 = substr($s_sms, $i + 6);	// 6 is length of '[dest]'

		// Loop to sent
		foreach ($ar_dest as $dest) {
			$s_cmd = $s_sms1 . $dest . $s_sms2;
			//exec($s_cmd);
			$ar_output = array();
			$i_return = 0;
			exec($s_cmd, $ar_output, $i_return);
			if (0 != $i_return) {
				// Error occur
				$this->Log('Gammu inject error: ' . $ar_output[1], 5);
				return 0;
			}
		}

		return count($ar_dest);
	} // end of func SendUsingGammuSmsdInject


} // end of class Sms


/*
--
-- stat table
--
CREATE TABLE sms_stat (
	uuid				CHAR(36)			NOT NULL,
	-- Sent time
	st					DATETIME			NOT NULL,
	-- Cat of msg
	cat					INTEGER				NOT NULL DEFAULT 0,
	-- Total dest number count
	cnt					INTEGER				NOT NULL DEFAULT 0,
	-- Count of China Mobile
	cnt_cm				INTEGER				NOT NULL DEFAULT 0,
	-- Count of China Unicom
	cnt_cu				INTEGER				NOT NULL DEFAULT 0,
	-- Count of China Telecom
	cnt_ct				INTEGER				NOT NULL DEFAULT 0,
	-- Dest phone numbers
	dest				TEXT				NOT NULL,
	-- Will sms split to N part to send
	cnt_part			INTEGER				NOT NULL DEFAULT 0,
	-- Msg
	sms					TEXT				NOT NULL,
	ts TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
	PRIMARY KEY (uuid),
	INDEX idx_sms_stat_1 (st)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_general_ci;
*/
?>


1		<?php
2		/**
3		* @package fwolflib
4		* @subpackage class
5		* @copyright Copyright © 2010, Fwolf
6		* @author Fwolf <[email protected]>
7		* @since 2010-11-23
8		*/
9
10
11		require_once(dirname(__FILE__) . '/fwolflib.php');
12		require_once(FWOLFLIB . 'func/uuid.php');
13
14
15		/**
16		* SMS treat and send.
17		*
18		* Using gammu daemon to send sms.
19		*
20		* @deprecated Use Fwlib\Net\Sms\SmsSender
21		* @package fwolflib
22		* @subpackage class
23		* @copyright Copyright © 2010, Fwolf
24		* @author Fwolf <[email protected]>
25		* @since 2010-11-23
26		*/
27		class Sms extends Fwolflib {
28
29		/**
30		* Db object to connect sms stat db
31		* @var object
32		*/
33		protected $oDb = null;
34
35
36		/**
37		* construct
38		*
39		* @param object $o_db
40		*/
41		public function __construct ($o_db = null) {
42		parent::__construct();
43
44		if (!is_null($o_db))
45		$this->oDb = &$o_db;
46		} // end of class __construct
47
48
49		/**
50		* Count sms will split to N part to send
51		*
52		* If only ascii chars include, 140 chars for 1 sms part,
53		* if has chinese chars, 70 chars for 1 sms part only.
54		*
55		* 1 chinese char will count as 1 char.
56		*
57		* @param string $s_sms
58		* @return integer
59		*/
60		public function CountPart ($s_sms = '') {
61		// Is there chinese in sms ?
62	View Code Duplication	if (mb_strlen($s_sms, 'utf-8') == strlen($s_sms)) {
63		// No chinese, 140 chars per part
64		return (ceil(strlen($s_sms) / 140));
65		}
66		else {
67		// Convert chinese char to ascii, for count
68		return (ceil(mb_strlen($s_sms, 'utf-8') / 70));
69		}
70		} // end of func CountPart
71
72
73		/**
74		* Parse dest/phone number string.
75		*
76		* Do:
77		* Split phone number.
78		* Format phone number.
79		* Remove duplicate number.
80		*
81		* @param mixed $s_dest
82		* @return array
83		*/
84		public function DestParse ($s_dest) {
85		// If array given, still need convert to string
86		// to format and validate phone number.
87		if (is_array($s_dest))
88		$s_dest = implode(',', $s_dest);
89
90		// Replace all special chars to ','
91		$s_dest = str_replace('，', ',', $s_dest);
92		$s_dest = preg_replace('/[ ,;\r\n\t]{1,}/'
93		, ',', $s_dest);
94		$ar_dest = explode(',', $s_dest);
95
96		// Remove +86, 0086
97		foreach ($ar_dest as &$dest) {
98		if ('+86' == substr($dest, 0, 3))
99		$dest = substr($dest, 3);
100		elseif ('0086' == substr($dest, 0, 4))
101		$dest = substr($dest, 4);
102		}
103
104		// Remove duplicate
105		$ar = array();
106		foreach ($ar_dest as &$dest) {
107		// Invalid length
108		if (11 != strlen($dest) && '10' != substr($dest, 0, 2))
109		continue;
110
111		if (false == in_array($dest, $ar))
		0 ignored issues – show Coding Style Best Practice introduced 2016-06-01 06:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you are loosely comparing two booleans. Considering using the strict comparison `===` instead. When comparing two booleans, it is generally considered safer to use the strict comparison operator. Loading history...
112		$ar[] = $dest;
113		}
114
115		return $ar;
116		} // end of func DestParse
117
118
119		/**
120		* Write sent sms stat information.
121		*
122		* @param array $ar_dest
123		* @param string $s_sms
124		* @param integer $i_cat
125		*/
126		protected function DestStatSet ($ar_dest, $s_sms, $i_cat) {
127		if (is_null($this->oDb)) {
128		$this->Log('No db connection.', 5);
129		return;
130		}
131
132		// Gen data array
133		$ar_data = array();
134		$ar_data['uuid'] = Uuid();
135		$ar_data['st'] = date('Y-m-d H:i:s');
136		$ar_data['cat'] = $i_cat;
137		$ar_data['cnt'] = count($ar_dest);
138		$ar_data['cnt_cm'] = 0;
139		$ar_data['cnt_cu'] = 0;
140		$ar_data['cnt_ct'] = 0;
141		$ar_data['dest'] = implode(',', $ar_dest);
142		$ar_data['cnt_part']= $this->CountPart($s_sms);
143		$ar_data['sms'] = $s_sms;
144
145		// Which company's number ?
146		$ar_cm = array(134, 135, 136, 137, 138, 139, 147
147		, 150, 151, 152, 157, 158, 159, 187, 188);
148		$ar_cu = array(130, 131, 132, 155, 156, 185, 186);
149		$ar_ct = array(133, 153, 180, 189);
150	View Code Duplication	foreach ($ar_dest as $dest) {
151		$i = intval(substr($dest, 0, 3));
152		if (in_array($i, $ar_cm))
153		$ar_data['cnt_cm'] ++;
154		elseif (in_array($i, $ar_cu))
155		$ar_data['cnt_cu'] ++;
156		elseif (in_array($i, $ar_ct))
157		$ar_data['cnt_ct'] ++;
158		}
159
160		// Save to db
161		$this->oDb->Write('sms_stat', $ar_data, 'I');
162		} // end of func DestStatSet
163
164
165		/**
166		* Detect and set path of gammu smsd inject cmd
167		*
168		* @param $s_path Manual additional path
169		* @return string
170		*/
171		public function GetPathGammuSmsdInject ($s_path = '') {
172		$ar_path = $this->aCfg['path_bin'];
173
174		if (!empty($s_path)) {
175		// Add to array
176		array_unshift($ar_path, $s_path);
177		}
178
179		// Find a usable path
180		$b_found = false;
181	View Code Duplication	while (!$b_found && !empty($ar_path)) {
182		$s_cmd = $ar_path[0] . 'gammu-smsd-inject';
183		if (is_executable($s_cmd)) {
184		$b_found = true;
185		break;
186		}
187		array_shift($ar_path);
188		}
189		if ($b_found) {
190		$this->Log('Got gammu smsd inject execute file: '
191		. $s_cmd, 1);
192		$this->aCfg['path_gammu_smsd_inject'] = $s_cmd;
193		}
194		else {
195		$this->Log('Can\' find gammu smsd inject execute file.', 5);
196		exit();
197		}
198
199		return $this->aCfg['path_gammu_smsd_inject'];
200		} // end of func GetPathGammuSmsdInject
201
202
203		/**
204		* Init config vars, give default value.
205		*
206		* @return this
207		*/
208		public function Init () {
209		parent::Init();
210
211		// Possible bin path
212		$this->aCfg['path_bin'] = array(
213		'/usr/bin/',
214		'/usr/local/bin/',
215		'/bin/',
216		);
217
218		// Path of gammu-smsd-inject
219		$this->aCfg['path_gammu_smsd_inject'] = '';
220
221		// Cmd template of gammu-smsd-inject cmd
222		$this->aCfg['cmd_gammu_smsd_inject']
223		= '[cmd] TEXT [dest] -autolen 600 -report -validity MAX -unicode -textutf8 "[sms]"';
224
225		return $this;
226		} // end of func Init
227
228
229		/**
230		* Send sms using gammu smsd inject method.
231		*
232		* Notice: On webserver, need assign www-data to gammu group,
233		* and make /var/log/gammu-smsd.log g+w .
234		* Modem server need not, only conn to db is required.
235		*
236		* @param mixed $ar_dest Dest phone number array
237		* or string split by ' ,;，\r\n'.
238		* @param string $s_sms Msg to send.
239		* @param integer $i_cat Category of sms, for stat.
240		* @return integer Actual valid phone number sent.
241		*/
242		public function SendUsingGammuSmsdInject ($ar_dest, $s_sms, $i_cat = 0) {
243		if (empty($this->aCfg['path_gammu_smsd_inject']))
244		$this->GetPathGammuSmsdInject();
245
246		$ar_dest = $this->DestParse($ar_dest);
247		if (1 > count($ar_dest)) {
248		$this->Log('No valid number to sent.', 4);
249		return 0;
250		}
251		$this->DestStatSet($ar_dest, $s_sms, $i_cat);
252
253		// Prepare sms to sent
254		$s_sms = str_replace(array('[cmd]', '[sms]')
255		, array($this->aCfg['path_gammu_smsd_inject'], $s_sms)
256		, $this->aCfg['cmd_gammu_smsd_inject']);
257		$i = strpos($s_sms, '[dest]');
258		if (1 > $i) {
259		$this->Log('Something wrong with gammu smsd inject cmd template'
260		, 5);
261		exit();
262		}
263		$s_sms1 = substr($s_sms, 0, $i);
264		$s_sms2 = substr($s_sms, $i + 6); // 6 is length of '[dest]'
265
266		// Loop to sent
267		foreach ($ar_dest as $dest) {
268		$s_cmd = $s_sms1 . $dest . $s_sms2;
269		//exec($s_cmd);
270		$ar_output = array();
271		$i_return = 0;
272		exec($s_cmd, $ar_output, $i_return);
273		if (0 != $i_return) {
274		// Error occur
275		$this->Log('Gammu inject error: ' . $ar_output[1], 5);
276		return 0;
277		}
278		}
279
280		return count($ar_dest);
281		} // end of func SendUsingGammuSmsdInject
282
283
284		} // end of class Sms
285
286
287		/*
288		--
289		-- stat table
290		--
291		CREATE TABLE sms_stat (
292		uuid CHAR(36) NOT NULL,
293		-- Sent time
294		st DATETIME NOT NULL,
295		-- Cat of msg
296		cat INTEGER NOT NULL DEFAULT 0,
297		-- Total dest number count
298		cnt INTEGER NOT NULL DEFAULT 0,
299		-- Count of China Mobile
300		cnt_cm INTEGER NOT NULL DEFAULT 0,
301		-- Count of China Unicom
302		cnt_cu INTEGER NOT NULL DEFAULT 0,
303		-- Count of China Telecom
304		cnt_ct INTEGER NOT NULL DEFAULT 0,
305		-- Dest phone numbers
306		dest TEXT NOT NULL,
307		-- Will sms split to N part to send
308		cnt_part INTEGER NOT NULL DEFAULT 0,
309		-- Msg
310		sms TEXT NOT NULL,
311		ts TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
312		PRIMARY KEY (uuid),
313		INDEX idx_sms_stat_1 (st)
314		) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_general_ci;
315		*/
316		?>
317

fwolf / fwlib

Issues (1752)

Security Analysis not enabled

class/sms.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like