Issues (1752)

Security Analysis    not enabled

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

class/sync-db-curl.php (1 issue)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

1
<?php
2
/**
3
 * @package		fwolflib
4
 * @subpackage	class
5
 * @copyright	Copyright 2010, Fwolf
6
 * @author		Fwolf <[email protected]>
7
 * @since		2010-05-25
8
 */
9
10
11
require_once(dirname(__FILE__) . '/fwolflib.php');
12
require_once(FWOLFLIB . 'class/adodb.php');
13
require_once(FWOLFLIB . 'class/curl-comm.php');
14
15
16
/**
17
 * Sync db data via curl communication.
18
 *
19
 * Db schema of both side should be same,
20
 * Each data table should have timestamp and PK column.
21
 *
22
 *
23
 * If sync in two-way, that need server ID and write ID to every row,
24
 * which is 'functional' but not fast and need change many things
25
 * on app side, like readonly option.
26
 *
27
 * So I think make this a one-way sync tools, but it can do pull also
28
 * push, that is, for 1 table, it's one-way, but for the whole db,
29
 * it's somehow 'two-way' sync.
30
 *
31
 * Also I have some additional thought:
32
 * - Make app read and write to server/remote db through this.
33
 * - When write to server/remote db and remote side not accessable,
34
 * cache it and can call re-write later.
35
 *
36
 *
37
 * When act as server, make config vars as less as possible,
38
 * db param can passed in through POST,
39
 * but crypt key must be assigned.
40
 *
41
 * When act as client, can connect to multi server,
42
 * each have difference config, job, crypt etc,
43
 * client comm with them one by one.
44
 *
45
 *
46
 * Roadmap:
47
 *
48
 * 1.4	Cache for write to remote db, and re-call them.
49
 * 1.3	Provide app read and write functional from/to remote db.
50
 * 1.2	Sync push to server.
51
 * 1.1	Auto call data convert func.
52
 * 1.0	[:TODO:] Sync pull from server.
53
 *
54
 * @package		fwolflib
55
 * @subpackage	class
56
 * @copyright	Copyright 2010, Fwolf
57
 * @author		Fwolf <[email protected]>
58
 * @since		2010-05-25
59
 * @version		0.0
60
 */
61
class SyncDbCurl extends CurlComm {
62
63
	/**
64
	 * Default value of config
65
	 * array(
66
	 * 	url,
67
	 * 	db_client	=> array(
68
	 * 		type, host, user, pass, name, lang
69
	 * 	),
70
	 * 	db_server	=> array(
71
	 * 		type, host, user, pass, name, lang
72
	 * 	),
73
	 * pull		=> '' or array(),
74
	 * push		=> '' or array(),
75
	 * )
76
	 * @var	array
77
	 */
78
	public $aCfgDefault = array();
79
80
	/**
81
	 * Config of all server, empty val will fill by $aCfgDefault.
82
	 * @see	$aCfgDefault
83
	 * @var	array
84
	 */
85
	public $aCfgServer = array();
86
87
	/**
88
	 * Db conn obj
89
	 * @var	object
90
	 */
91
	protected $oDb = null;
92
93
94
	/**
95
	 * Constructor
96
	 *
97
	 * @param	array	$ar_cfg
98
	 */
99
	public function __construct($ar_cfg = array()) {
100
		// For auto new obj
101
		unset($this->oDb);
102
103
		parent::__construct($ar_cfg);
104
105
		// Server will auto start, manual start client
106
		if (empty($_POST))
107
			$this->StartClient();
108
	} // end of func __construct
109
110
111
	/**
112
	 * At server, conn to db before call action func.
113
	 *
114
	 * @param	array	$ar_req
115
	 * @return	array
116
	 */
117
	protected function CommReturn($ar_req) {
118
		// Db, use posted db config first.
119
		if (isset($ar_req['db_server']))
120
			$ar_db_prof = $ar_req['db_server'];
121
		else
122
			// Using default config
123
			// Notice, there is no server config array on the server.
124
			// so we only read default config.
125
			$ar_db_prof = $this->aCfgDefault['db_server'];
126
		$this->oDb = $this->NewObjDb($ar_db_prof);
127
128
		return parent::CommReturn($ar_req);
129
	} // end of func CommReturn
130
131
132
	/**
133
	 * Test db conn @ server side.
134
	 *
135
	 * @see		TestDb()
136
	 * @see		CommReturn()	Db is connected here.
137
	 * @param	array	$ar_req	Request msg array
138
	 * @return	array
139
	 */
140
	protected function CommReturnTestDb($ar_req = array()) {
141
		$ar = array();
142
		if (empty($this->oDb)) {
143
			$ar['code'] = 1;
144
			$ar['msg'] = 'Test server db conn fail.';
145
		} else {
146
			$ar['code'] = 0;
147
			$ar['msg'] = 'Test server db conn ok.';
148
		}
149
		return $ar;
150
	} // end of func CommReturnTestDb
151
152
153
	/**
154
	 * New db conn obj
155
	 *
156
	 * @param	array	$db_prof
157
	 * @return	object
158
	 * @see	$oDb
159
	 */
160
	protected function NewObjDb($db_prof) {
161
		$obj = new Adodb($db_prof);
162
		if (false == $obj->Connect()) {
0 ignored issues
show
Coding Style Best Practice introduced by
It seems like you are loosely comparing two booleans. Considering using the strict comparison === instead.

When comparing two booleans, it is generally considered safer to use the strict comparison operator.

Loading history...
163
			$this->Log('Db conn fail.', 5);
164
			return null;
165
		}
166
		else {
167
			$this->Log('New obj db.', 1);
168
			return $obj;
169
		}
170
	} // end of func NewObjDb
171
172
173
	/**
174
	 * Read and set config
175
	 *
176
	 * @param	array	$ar_cfg
177
	 * @return	$this
178
	 */
179
	public function SetCfg($ar_cfg = array()) {
180
		parent::SetCfg($ar_cfg);
181
		if (!empty($ar_cfg)) {
182
			$this->aCfgDefault = ArrayRead($ar_cfg, 'default', array());
183
			$this->aCfgServer = ArrayRead($ar_cfg, 'server', array());
184
		}
185
		return $this;
186
	} // end of func SetCfg
187
188
189
	/**
190
	 * Fill server config using default
191
	 *
192
	 * @return	$this
193
	 */
194
	protected function SetCfgServer() {
195
		// These keys in cfg default can assign to server.
196
		$ar_keys = array('url', 'db_client', 'db_server'
197
			, 'pull', 'push');
198
199
		if (!empty($this->aCfgServer)) {
200
			foreach ($this->aCfgServer as $server => &$cfg) {
201
				foreach ($ar_keys as $key) {
202
					if (empty($cfg[$key])
203
						&& !empty($this->aCfgDefault[$key]))
204
						$cfg[$key] = $this->aCfgDefault[$key];
205
				}
206
				if (empty($cfg)) {
207
					// Invalid server config
208
					$this->Log('Invalid server config: ' . $server, 4);
209
				}
210
			}
211
		}
212
213
		$this->Log('Got ' . count($this->aCfgServer)
214
			. ' server todo.', 1);
215
216
		return $this;
217
	} // end of func SetCfgServer
218
219
220
	/**
221
	 * Act as client
222
	 *
223
	 * @return	$this
224
	 */
225
	public function StartClient() {
226
		// Fill server config using default
227
		$this->SetCfgServer();
228
229
		if (empty($this->aCfgServer)) {
230
			$this->Log('Got no valid server config.', 5);
231
			return $this;
232
		}
233
234
		foreach ($this->aCfgServer as $server => $cfg) {
235
			$this->Log('Treat server "' . $server . '".', 3);
236
			$this->sUrlRemote = $cfg['url'];
237
			if (!empty($cfg['db_server']))
238
				$this->aMsgExtra['db_server'] = $cfg['db_server'];
239
240
			// Test curl connection
241
			if (0 != $this->CommSendTest()) {
242
				$this->Log('Error conn to server "' . $server
243
					. '" ', 4);
244
				return $this;
245
			}
246
			// Test db connection
247
			if (0 != $this->TestDb($cfg)) {
248
				$this->Log('Error when test db.', 5);
249
				return $this;
250
			}
251
252
			// Begin pull and push
253
			if (!empty($cfg['pull']))
254
				$this->StartClientPull($cfg);
255
		}
256
257
		return $this;
258
	} // end of func StartClient
259
260
261
	/**
262
	 * Do pull of a single server
263
	 *
264
	 * @param	array	$cfg
265
	 */
266
	public function StartClientPull($cfg) {
267
		// Which tbl to pull ?
268
		$ar_tbl = $this->oDb->MetaTables('TABLES');
269
		if (!empty($ar_tbl)) {
270
			$ar_tbl = FilterWildcard($ar_tbl, $cfg['pull']);
271
			$this->Log('Got ' . count($ar_tbl) . ' tables to pull: '
272
				. implode(', ', $ar_tbl), 3);
273
274
			// Pull tables
275
			if (!empty($ar_tbl)) {
276
				foreach ($ar_tbl as $s_tbl) {
277
					$this->StartClientPullTbl($cfg, $s_tbl);
278
				}
279
			}
280
		}
281
		else {
282
			$this->Log('Pull fail: no tables on client side.', 4);
283
		}
284
	} // end of func StartClientPull
285
286
287
	/**
288
	 * Do pull of a single table
289
	 *
290
	 * @param	array	$cfg
291
	 * @param	string	$s_tbl
292
	 */
293
	public function StartClientPullTbl($cfg, $s_tbl) {
294
		if (empty($s_tbl)) {
295
			$this->Log('StartClientPullTbl: empty table name.', 5);
296
		}
297
		else
298
			$this->Log("StartClientPullTbl: $s_tbl");
299
	} // end of func StartClientPullTbl
300
301
302
	/**
303
	 * Test db connection
304
	 *
305
	 * @param	array	$cfg
306
	 * @return	int 0=ok, other=error.
307
	 */
308
	public function TestDb($cfg) {
309
		// Client db
310
		$this->oDb = $this->NewObjDb($cfg['db_client']);
311
		if (empty($this->oDb)) {
312
			$this->Log('Test client db conn fail.', 5);
313
			return 1;
314
		}
315
		$this->Log('Test local db conn ok.', 1);
316
317
		// Server db
318
		$ar = array('action' => 'test-db');
319
		$ar = $this->CommSend($ar);
320
		if (isset($ar['code'])) {
321
			if (0 == $ar['code']) {
322
				$this->Log('Test server db conn ok.', 1);
323
			} else {
324
				$this->Log('Test server db conn fail.', 5);
325
				return 2;
326
			}
327
		} else {
328
			$this->Log('Test server db conn fail, invalid response.', 5);
329
			return 3;
330
		}
331
332
333
		$this->Log('Db conn ok, both local and server.', 3);
334
		return 0;
335
	} // end of func TestDb
336
337
338
} // end of class SyncDbCurl
339
?>
340