Issues in list-table.php (master) - Issues in master - fwolf/fwlib - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1752)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

demo/list-table.php (4 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * @deprecated  Use demo/list-view/list-view.php instead.
 *
 * Will remove with ListTable, list-table.tpl,
 */

$pathToRoot = '../';
require __DIR__ . "/{$pathToRoot}config.default.php";

use Fwlib\Bridge\Smarty;
use Fwlib\Config\GlobalConfig;
use Fwlib\Html\ListTable;
.
|-- OtherDir
|   |-- Bar.php
|   `-- Foo.php
`-- SomeDir
    `-- Foo.php
use Fwlib\Test\AbstractDbRelateTest;
use Fwlib\Test\Benchmark\Benchmark;
.
|-- OtherDir
|   |-- Bar.php
|   `-- Foo.php
`-- SomeDir
    `-- Foo.php
use FwlibTest\Aide\TestServiceContainer;

/***************************************
 * Prepare benchmark
 **************************************/
$bm = new Benchmark();
$bm->start('ListTable Benchmark');


/***************************************
 * Prepare ListTable instance
 **************************************/
$globalConfig = GlobalConfig::getInstance();
$tpl = new Smarty;
$tpl->compile_dir = $globalConfig->get('smarty.compileDir');
$tpl->template_dir = __DIR__ . "/{$pathToRoot}Fwlib/Html/";
$tpl->cache_dir = $globalConfig->get('smarty.cacheDir');

$configs = [
    'pageSize'  => 3,
    'tdAdd'     => [
        'title'     => 'nowrap="nowrap"',
        'joindate'  => 'nowrap="nowrap"',
    ],
];
$listTable = new ListTable($tpl, $configs);

$bm->mark('ListTable object prepared');


/***************************************
 * Prepare db and test table
 **************************************/
$db = TestServiceContainer::getInstance()->getDb();

$ref = new \ReflectionProperty(AbstractDbRelateTest::class, 'tableUser');
$ref->setAccessible(true);
$tableUser = $ref->getValue(AbstractDbRelateTest::class);

$ref = new \ReflectionMethod(AbstractDbRelateTest::class, 'createTable');
$ref->setAccessible(true);
$ref->invokeArgs(null, [$db]);

$bm->mark('Db prepared and test table created');


/***************************************
 * Use person from phpcredits() as fake name
 **************************************/
ob_start();
phpcredits();
$credits = ob_get_contents();
ob_end_clean();

$name = [];
// Part1, name take a full row(3: PHP Group, Language design, QA)
preg_match_all('/<tr><td class="e">([^<]+)<\/td><\/tr>/', $credits, $ar);
foreach ($ar[1] as $v) {
    $name = array_merge($name, explode(',', $v));
}
// Part2, name take right column of output table
// 1 special line is excluded, which is describe end with '. '
preg_match_all('/<td class="v">([^<\(]+\w {0,2})<\/td>/', $credits, $ar);
foreach ($ar[1] as $v) {
    $name = array_merge($name, explode(',', $v));
}

// Clean fake name array
$name = array_map('trim', $name);
$name = array_unique($name);

// Reorder index
$name = array_merge($name, []);
$nameCount = count($name);

$bm->mark('Fake name grabbed');


/***************************************
 * Prepare dummy data, write to db
 **************************************/
$title = [
    'uuid'     => 'UUID',
    'title'    => 'Name',
    'age'      => 'Age',
    'credit'   => 'Money',
    'joindate' => 'Join Date',
];
$data = [];
$rows = $nameCount;
// Casual algorithm, but solid result
$seed = 42;
for ($j = 0; $j < $rows; $j++) {

    $seed = round((100 + $seed) / 100);
    $seed = 101 + $seed * ($j + 2);
    $data[$j] = [
        'uuid'  => $j,
        'title' => $name[$j],
        'age'   => $seed % 40 + 20,
        'credit'    => $seed,
        'joindate'  => date(
            'Y-m-d H:i:s',
            strtotime(
                '-' . ($seed % 30) . ' days -' . ($seed % 12) . ' hours'
            )
        )
    ];
}

// Write data to db
$db->write($tableUser, $data);
$bm->mark('Fake data written to db');



/***************************************
 * Show list table 1
 **************************************/
$listTable->setData($data, $title, true);

$html1 = $listTable->getHtml();
$bm->mark('List1 generated');


/***************************************
 * Show list table 2, with query data from db
 **************************************/
$listTable->setId(2);
// Set sort able column
$listTable->setConfig(
    'orderByColumn',
    [
        ['age', 'DESC'],
        ['credit', 'ASC'],
    ]
);
// Set current sort order
//$listTable->setOrderBy(2, 'ASC');
//$listTable->setOrderBy(2);

// Query data from db
$config = [
    'SELECT'    => [
        'uuid', 'title', 'age', 'credit', 'joindate',
    ],
    'FROM'      => $tableUser,
    'WHERE'     => [
        'age > 30',
    ],
];

// Update totalRows
$listTable->setTotalRows(
    $db->execute(
        array_merge($config, ['SELECT' => 'COUNT(1) as c'])
    )->fields['c']
);

// Fetch real data and set
$config = array_merge($config, $listTable->getSqlConfig(true));
$rs = $db->execute($config);
$listTable->setData($rs->GetArray(), $title);

$html2 = $listTable->getHtml();
$bm->mark('List2 generated');


/***************************************
 * Show list table 3, Use inner db query
 **************************************/
$config = [
    'SELECT'    => [
        'uuid', 'title', 'age', 'credit', 'joindate',
    ],
    'FROM'      => $tableUser,
    'WHERE'     => [
        'age > 30',
    ],
];

$listTable->setId(3)
->setConfig(
    'orderByColumn',
    [
        ['age', 'ASC'],
        ['credit', 'DESC'],
    ]
)

// Title still need manual set
->setTitle($title)

// Set db query, and set data format closure function
->setDbQuery($db, $config)

// Format list data
->formatData(function (&$row) {
    $row['credit'] = number_format(round($row['credit']));
});

$html3 = $listTable->getHtml();
$bm->mark('List3 generated');


/***************************************
 * Cleanup test db
 **************************************/
$ref = new \ReflectionMethod(AbstractDbRelateTest::class, 'dropTable');
$ref->setAccessible(true);
$ref->invokeArgs(null, [$db]);

$bm->mark('Cleanup, test table dropped');
?>

<!DOCTYPE HTML>
<html lang='en'>
<head>
  <meta charset='utf-8' />
  <title>ListTable Demo</title>

  <link rel='stylesheet' href='<?php echo $pathToRoot; ?>css/reset.css'
    type='text/css' media='all' />
  <link rel='stylesheet' href='<?php echo $pathToRoot; ?>css/default.css'
    type='text/css' media='all' />

  <style type='text/css' media='all'>
  /* Write CSS below */
  .list-table {
    border: 0px solid red;
    margin: auto;
    width: 70%;
  }
  .list-table form {
    display: inline-block;
  }
  .list-table table {
    margin: auto;
    width: 100%;
  }
  .list-table table, .list-table td, .list-table th {
    border: 1px solid black;
    border-collapse: collapse;
  }
  pre {
    text-align: left;
  }
  </style>


  <script type="text/javascript"
    src="<?php echo $globalConfig->get('lib.path.jquery'); ?>">
  </script>


</head>
<body>

<?php
echo "<h2>Simple list</h2>\n";
echo $html1;

echo "<hr />\n";


echo "<h2>Query data from db</h2>\n";
echo $html2;


echo "<hr />\n";


echo "<h2>Use inner db query</h2>\n";
echo $html3;


echo "<hr />\n";

/*
echo '<pre>
$listTable::getSqlConfig()
' . var_export($listTable->getSqlConfig(), true) . '
</pre>
';
 */


$bm->display();
?>


  <!-- Below js MUST place after html of list table -->
  <script type="text/javascript">
  <!--
  // Assign width for col n

  // If "table-layout: fixed;" is assigned also,
  // then td width is assigned + fixed_for_left,
  // content width exceed limit will auto wrap,
  // but overflow content can also been seen.
  $(".list-table table").css("table-layout", "fixed");
  // * include th & td here
  $(".list-table tr > td:nth-child(2)").css("background-color", "green");
  $(".list-table tr > *:nth-child(2)").css("width", "20em");
  //$(".list-table tr > *:nth-child(2)").css("width", "3em");

  // If "table-layout: fixed;" is not assigned,
  // width limit will work, but overflow content
  // may make width raise.
  $("#list-table__2 tr > *:nth-child(2)").css("width", "30%");

  -->
  </script>


</body>
</html>


1		<?php
2		/**
3		* @deprecated Use demo/list-view/list-view.php instead.
4		*
5		* Will remove with ListTable, list-table.tpl,
6		*/
7
8		$pathToRoot = '../';
9		require __DIR__ . "/{$pathToRoot}config.default.php";
10
11		use Fwlib\Bridge\Smarty;
12		use Fwlib\Config\GlobalConfig;
13		use Fwlib\Html\ListTable;
		0 ignored issues – show Bug introduced 2016-06-01 06:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this This use statement conflicts with another class in this namespace, `ListTable`. Let’s assume that you have a directory layout like this: . \|-- OtherDir \| \|-- Bar.php \| `-- Foo.php `-- SomeDir `-- Foo.php and let’s assume the following content of `Bar.php`: // Bar.php namespace OtherDir; use SomeDir\Foo; // This now conflicts the class OtherDir\Foo If both files `OtherDir/Foo.php` and `SomeDir/Foo.php` are loaded in the same runtime, you will see a PHP error such as the following: PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php However, as `OtherDir/Foo.php` does not necessarily have to be loaded and the error is only triggered if it is loaded before `OtherDir/Bar.php`, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: // Bar.php namespace OtherDir; use SomeDir\Foo as SomeDirFoo; // There is no conflict anymore. Loading history...
14		use Fwlib\Test\AbstractDbRelateTest;
15		use Fwlib\Test\Benchmark\Benchmark;
		0 ignored issues – show Bug introduced 2016-06-01 06:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this This use statement conflicts with another class in this namespace, `Benchmark`. Let’s assume that you have a directory layout like this: . \|-- OtherDir \| \|-- Bar.php \| `-- Foo.php `-- SomeDir `-- Foo.php and let’s assume the following content of `Bar.php`: // Bar.php namespace OtherDir; use SomeDir\Foo; // This now conflicts the class OtherDir\Foo If both files `OtherDir/Foo.php` and `SomeDir/Foo.php` are loaded in the same runtime, you will see a PHP error such as the following: PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php However, as `OtherDir/Foo.php` does not necessarily have to be loaded and the error is only triggered if it is loaded before `OtherDir/Bar.php`, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: // Bar.php namespace OtherDir; use SomeDir\Foo as SomeDirFoo; // There is no conflict anymore. Loading history...
16		use FwlibTest\Aide\TestServiceContainer;
17
18		/***************************************
19		* Prepare benchmark
20		**************************************/
21		$bm = new Benchmark();
22		$bm->start('ListTable Benchmark');
23
24
25		/***************************************
26		* Prepare ListTable instance
27		**************************************/
28		$globalConfig = GlobalConfig::getInstance();
29		$tpl = new Smarty;
30		$tpl->compile_dir = $globalConfig->get('smarty.compileDir');
31		$tpl->template_dir = __DIR__ . "/{$pathToRoot}Fwlib/Html/";
32		$tpl->cache_dir = $globalConfig->get('smarty.cacheDir');
33
34		$configs = [
35		'pageSize' => 3,
36		'tdAdd' => [
37		'title' => 'nowrap="nowrap"',
38		'joindate' => 'nowrap="nowrap"',
39		],
40		];
41		$listTable = new ListTable($tpl, $configs);
		0 ignored issues – show Deprecated Code introduced 2016-06-01 06:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this The class `Fwlib\Html\ListTable` has been deprecated with message: Use ListView instead This class, trait or interface has been deprecated. The supplier of the file has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the type will be removed from the class and what other constant to use instead. Loading history...
42		$bm->mark('ListTable object prepared');
43
44
45		/***************************************
46		* Prepare db and test table
47		**************************************/
48		$db = TestServiceContainer::getInstance()->getDb();
49
50		$ref = new \ReflectionProperty(AbstractDbRelateTest::class, 'tableUser');
51		$ref->setAccessible(true);
52		$tableUser = $ref->getValue(AbstractDbRelateTest::class);
53
54		$ref = new \ReflectionMethod(AbstractDbRelateTest::class, 'createTable');
55		$ref->setAccessible(true);
56		$ref->invokeArgs(null, [$db]);
57
58		$bm->mark('Db prepared and test table created');
59
60
61		/***************************************
62		* Use person from phpcredits() as fake name
63		**************************************/
64		ob_start();
65		phpcredits();
66		$credits = ob_get_contents();
67		ob_end_clean();
68
69		$name = [];
70		// Part1, name take a full row(3: PHP Group, Language design, QA)
71		preg_match_all('/<tr><td class="e">([^<]+)<\/td><\/tr>/', $credits, $ar);
72		foreach ($ar[1] as $v) {
73		$name = array_merge($name, explode(',', $v));
74		}
75		// Part2, name take right column of output table
76		// 1 special line is excluded, which is describe end with '. '
77		preg_match_all('/<td class="v">([^<\(]+\w {0,2})<\/td>/', $credits, $ar);
78		foreach ($ar[1] as $v) {
79		$name = array_merge($name, explode(',', $v));
80		}
81
82		// Clean fake name array
83		$name = array_map('trim', $name);
84		$name = array_unique($name);
85
86		// Reorder index
87		$name = array_merge($name, []);
88		$nameCount = count($name);
89
90		$bm->mark('Fake name grabbed');
91
92
93		/***************************************
94		* Prepare dummy data, write to db
95		**************************************/
96		$title = [
97		'uuid' => 'UUID',
98		'title' => 'Name',
99		'age' => 'Age',
100		'credit' => 'Money',
101		'joindate' => 'Join Date',
102		];
103		$data = [];
104		$rows = $nameCount;
105		// Casual algorithm, but solid result
106		$seed = 42;
107	View Code Duplication	for ($j = 0; $j < $rows; $j++) {
		0 ignored issues – show Duplication introduced 2016-06-01 06:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
108		$seed = round((100 + $seed) / 100);
109		$seed = 101 + $seed * ($j + 2);
110		$data[$j] = [
111		'uuid' => $j,
112		'title' => $name[$j],
113		'age' => $seed % 40 + 20,
114		'credit' => $seed,
115		'joindate' => date(
116		'Y-m-d H:i:s',
117		strtotime(
118		'-' . ($seed % 30) . ' days -' . ($seed % 12) . ' hours'
119		)
120		)
121		];
122		}
123
124		// Write data to db
125		$db->write($tableUser, $data);
126		$bm->mark('Fake data written to db');
127
128
129
130		/***************************************
131		* Show list table 1
132		**************************************/
133		$listTable->setData($data, $title, true);
134
135		$html1 = $listTable->getHtml();
136		$bm->mark('List1 generated');
137
138
139		/***************************************
140		* Show list table 2, with query data from db
141		**************************************/
142		$listTable->setId(2);
143		// Set sort able column
144		$listTable->setConfig(
145		'orderByColumn',
146		[
147		['age', 'DESC'],
148		['credit', 'ASC'],
149		]
150		);
151		// Set current sort order
152		//$listTable->setOrderBy(2, 'ASC');
153		//$listTable->setOrderBy(2);
154
155		// Query data from db
156		$config = [
157		'SELECT' => [
158		'uuid', 'title', 'age', 'credit', 'joindate',
159		],
160		'FROM' => $tableUser,
161		'WHERE' => [
162		'age > 30',
163		],
164		];
165
166		// Update totalRows
167		$listTable->setTotalRows(
168		$db->execute(
169		array_merge($config, ['SELECT' => 'COUNT(1) as c'])
170		)->fields['c']
171		);
172
173		// Fetch real data and set
174		$config = array_merge($config, $listTable->getSqlConfig(true));
175		$rs = $db->execute($config);
176		$listTable->setData($rs->GetArray(), $title);
177
178		$html2 = $listTable->getHtml();
179		$bm->mark('List2 generated');
180
181
182		/***************************************
183		* Show list table 3, Use inner db query
184		**************************************/
185		$config = [
186		'SELECT' => [
187		'uuid', 'title', 'age', 'credit', 'joindate',
188		],
189		'FROM' => $tableUser,
190		'WHERE' => [
191		'age > 30',
192		],
193		];
194
195		$listTable->setId(3)
196		->setConfig(
197		'orderByColumn',
198		[
199		['age', 'ASC'],
200		['credit', 'DESC'],
201		]
202		)
203
204		// Title still need manual set
205		->setTitle($title)
206
207		// Set db query, and set data format closure function
208		->setDbQuery($db, $config)
209
210		// Format list data
211		->formatData(function (&$row) {
212		$row['credit'] = number_format(round($row['credit']));
213		});
214
215		$html3 = $listTable->getHtml();
216		$bm->mark('List3 generated');
217
218
219		/***************************************
220		* Cleanup test db
221		**************************************/
222		$ref = new \ReflectionMethod(AbstractDbRelateTest::class, 'dropTable');
223		$ref->setAccessible(true);
224		$ref->invokeArgs(null, [$db]);
225
226		$bm->mark('Cleanup, test table dropped');
227		?>
228
229		<!DOCTYPE HTML>
230		<html lang='en'>
231		<head>
232		<meta charset='utf-8' />
233		<title>ListTable Demo</title>
234
235		<link rel='stylesheet' href='<?php echo $pathToRoot; ?>css/reset.css'
236		type='text/css' media='all' />
237		<link rel='stylesheet' href='<?php echo $pathToRoot; ?>css/default.css'
238		type='text/css' media='all' />
239
240		<style type='text/css' media='all'>
241		/* Write CSS below */
242		.list-table {
243		border: 0px solid red;
244		margin: auto;
245		width: 70%;
246		}
247		.list-table form {
248		display: inline-block;
249		}
250		.list-table table {
251		margin: auto;
252		width: 100%;
253		}
254		.list-table table, .list-table td, .list-table th {
255		border: 1px solid black;
256		border-collapse: collapse;
257		}
258		pre {
259		text-align: left;
260		}
261		</style>
262
263
264		<script type="text/javascript"
265		src="<?php echo $globalConfig->get('lib.path.jquery'); ?>">
266		</script>
267
268
269		</head>
270		<body>
271
272		<?php
273		echo "<h2>Simple list</h2>\n";
274		echo $html1;
275
276		echo "<hr />\n";
277
278
279		echo "<h2>Query data from db</h2>\n";
280		echo $html2;
281
282
283		echo "<hr />\n";
284
285
286		echo "<h2>Use inner db query</h2>\n";
287		echo $html3;
288
289
290		echo "<hr />\n";
291
292		/*
293		echo '<pre>
294		$listTable::getSqlConfig()
295		' . var_export($listTable->getSqlConfig(), true) . '
296		</pre>
297		';
298		*/
299
300
301		$bm->display();
302		?>
303
304
305		<!-- Below js MUST place after html of list table -->
306		<script type="text/javascript">
307		<!--
308		// Assign width for col n
309
310		// If "table-layout: fixed;" is assigned also,
311		// then td width is assigned + fixed_for_left,
312		// content width exceed limit will auto wrap,
313		// but overflow content can also been seen.
314		$(".list-table table").css("table-layout", "fixed");
315		// * include th & td here
316		$(".list-table tr > td:nth-child(2)").css("background-color", "green");
317		$(".list-table tr > *:nth-child(2)").css("width", "20em");
318		//$(".list-table tr > *:nth-child(2)").css("width", "3em");
319
320		// If "table-layout: fixed;" is not assigned,
321		// width limit will work, but overflow content
322		// may make width raise.
323		$("#list-table__2 tr > *:nth-child(2)").css("width", "30%");
324
325		-->
326		</script>
327
328
329		</body>
330		</html>
331

fwolf / fwlib

Issues (1752)

Security Analysis not enabled

demo/list-table.php (4 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like