Issues in url.php (master) - Issues in master - fwolf/fwlib - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1752)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

func/url.php (1 issue)

Labels

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * @package		fwolflib
 * @subpackage	func
 * @copyright	Copyright 2003-2010, Fwolf
 * @author		Fwolf <[email protected]>
 * @since		2003 someday
 */


require_once(dirname(__FILE__) . '/../fwolflib.php');


/**
* 将数组转换为URL地址
*
* 要进行转换的源数组必须是{@link UrlToArray()}结果的格式，即数组的第一个元素为文件地址，其余为各参数
* @access   public
* @see      UrlToArray()
* @param    array   $ar 数组
* @return   string
*/
function ArrayToUrl(&$ar)
{
    $i = count($ar);
    $s_url = '';
    if (0 < $i)
    {
        $s_url .= $ar[0][0] . '?';
        for ($j = 1; $j < $i; $j++)
        {
            foreach ($ar[$j] as $key=>$val)
            {
                $s_url .= $val . '=';
            }
            $s_url = substr($s_url, 0, strlen($s_url) - 1);
            $s_url .= '&';
        }
        $s_url = substr($s_url, 0, strlen($s_url) - 1);
    }
    //去掉URL尾端的无效字符
    $s_url = str_replace('&=', '', $s_url);
//    $s_url = ereg_replace ('[&]+$', '', $s_url);
    $s_url = preg_replace ('/[&]+$/', '', $s_url);
    return($s_url);
} // end function ArrayToUrl


/**
* 增加或设置/更改URL参数
* @access   public
* @see      UnsetUrlParam()
* @param    string  $urlStr     要进行处理的URL地址
* @param    string  $strName    要添加的参数等号左边，参数名
* @param    string  $strValue   要添加的参数等号右边，参数值
* @return   string
*/
function SetUrlParam($urlStr, $strName, $strValue = '')
{
    if (empty($strName) && empty($strValue)) {
        return($urlStr);
    }
    $ar = UrlToArray($urlStr);
    $i = 1;
    $is_found = 0;
    while (count($ar) > $i)
    {
        if ($strName == $ar[$i][0])
        {
            //已经有同名的参数了
            $ar[$i][1] = $strValue;
            $is_found ++;
        }
        $i++;
    }
    if (1 > $is_found)
    {
        //没有找到同名的参数
        array_push($ar, array($strName, $strValue));
    }
    return(ArrayToUrl($ar));
} // end function SetUrlParam


/**
 * 为指定的文字内容按照指定的规则格式化成一个链接的HTML代码，返回该HTML字符串
 * @access  public
 * @param   string  $str            要进行格式化的内容
 * @param   string  $linkAddress    链接地址
 * @param   string  $targetWindow   链接的目标窗口
 * @param   string  $paramStr       其他参数字符串，按照原样加到链接代码中
 * @return  string
 */
function ToLink($str, $linkAddress, $targetWindow = '', $paramStr = '')
{
    $s_url = '';
    $s_url .= '<a href="' . $linkAddress . '" ';
    if (!empty($targetWindow))
    {
        $s_url .= 'target="' . $targetWindow . '" ';
    }
    if (!empty($paramStr))
    {
        $s_url .= $paramStr;
    }
    $s_url .= '>' . $str . '</a>';
    return($s_url);
}


/**
* 去掉URL参数
* @access   public
* @see      SetUrlParam()
* @param    string  $urlStr     要进行处理的URL地址
* @param    string  $strName    要删除的参数名
* @return   string
*/
function UnsetUrlParam($urlStr, $strName)
{
    if (empty($strName))
    {
        return($urlStr);
    }
    $ar = UrlToArray($urlStr);
    $ar2 = array();
    foreach ($ar as $key=>$val)
    {
        if ($strName == $val[0])
        {
            //找到指定的参数了，因为要删除他，所有就不复制，什么都不作
        }
        else
        {
            array_push($ar2, $val);
        }
    }
    return(ArrayToUrl($ar2));
} // end function UnsetUrlParam


/**
* 将URL地址转换为数组
*
* {@source 4 21}
* @access   public
* @see      ArrayToUrl()
* @param    string  $urlStr URL地址
* @return   array
*/
function UrlToArray($urlStr) {
    /*
    示例：转换 'http://localhost/index.php?a=1&b=&c=d.php?e=5&f=6'的结果为
    Array(
        [0] => Array(
                [0] => http://localhost/working/hebca/source/test/index.php
                [1] =>)
        [1] => Array(
                [0] => a
                [1] => 1)
        [2] => Array(
                [0] => b
                [1] =>)
        [3] => Array(
                [0] => c
                [1] => d.php?e
                [2] => 5)
        [4] => Array(
                [0] => f
                [1] => 6) )
    */
    $ar = array();
    $str = $urlStr;
    $i = 0;
    //先寻找“?”
    $i = strpos($str, '?');
    if (1 > $i) {
        //URL中没有?，说明其没有参数
        array_push($ar, array($str, ''));
    }
    else {
        array_push($ar, array(substr($str, 0, $i), ''));
        $str = substr($str, $i + 1) . '&';
        //解析用&间隔的参数
        while (!empty($str)) {
            $i = strpos($str, '&');
            if (0 < $i) {
                $sub_str = substr($str, 0, $i);
                //分析$sub_str这个等式
                array_push($ar, preg_split('/[=]/', $sub_str));
                $str = substr($str, $i + 1);
            }
            elseif ('&' == $str[0]) {
				$str = substr($str, 1);
			}
			else {
                //剩下的不可识别字符
                array_push($ar, array(substr($str, 0, 1), ''));
                $str = substr($str, 1);
            }
        }
    }
    return($ar);
} // end function UrlToArray


/**
 * Find url plan from url
 *
 * eg: http://www.google.com/, plan = http
 *
 * Obsolete, changed to request.php::GetUrlPlan()
 * @param	string	$url
 * @return	string
 */
function UrlPlan($url) {
	$i = preg_match('/^(\w+):\/\//', $url, $ar);
	if (1 == $i)
		return $ar[1];
	else
		return '';
} // end of func UrlPlan

?>



1		<?php
2		/**
3		* @package fwolflib
4		* @subpackage func
5		* @copyright Copyright 2003-2010, Fwolf
6		* @author Fwolf <[email protected]>
7		* @since 2003 someday
8		*/
9
10
11		require_once(dirname(__FILE__) . '/../fwolflib.php');
12
13
14		/**
15		* 将数组转换为URL地址
16		*
17		* 要进行转换的源数组必须是{@link UrlToArray()}结果的格式，即数组的第一个元素为文件地址，其余为各参数
18		* @access public
19		* @see UrlToArray()
20		* @param array $ar 数组
21		* @return string
22		*/
23	View Code Duplication	function ArrayToUrl(&$ar)
24		{
25		$i = count($ar);
26		$s_url = '';
27		if (0 < $i)
28		{
29		$s_url .= $ar[0][0] . '?';
30		for ($j = 1; $j < $i; $j++)
31		{
32		foreach ($ar[$j] as $key=>$val)
33		{
34		$s_url .= $val . '=';
35		}
36		$s_url = substr($s_url, 0, strlen($s_url) - 1);
37		$s_url .= '&';
38		}
39		$s_url = substr($s_url, 0, strlen($s_url) - 1);
40		}
41		//去掉URL尾端的无效字符
42		$s_url = str_replace('&=', '', $s_url);
43		// $s_url = ereg_replace ('[&]+$', '', $s_url);
44		$s_url = preg_replace ('/[&]+$/', '', $s_url);
45		return($s_url);
46		} // end function ArrayToUrl
47
48
49		/**
50		* 增加或设置/更改URL参数
51		* @access public
52		* @see UnsetUrlParam()
53		* @param string $urlStr 要进行处理的URL地址
54		* @param string $strName 要添加的参数等号左边，参数名
55		* @param string $strValue 要添加的参数等号右边，参数值
56		* @return string
57		*/
58		function SetUrlParam($urlStr, $strName, $strValue = '')
59		{
60		if (empty($strName) && empty($strValue)) {
61		return($urlStr);
62		}
63		$ar = UrlToArray($urlStr);
64		$i = 1;
65		$is_found = 0;
66	View Code Duplication	while (count($ar) > $i)
67		{
68		if ($strName == $ar[$i][0])
69		{
70		//已经有同名的参数了
71		$ar[$i][1] = $strValue;
72		$is_found ++;
73		}
74		$i++;
75		}
76		if (1 > $is_found)
77		{
78		//没有找到同名的参数
79		array_push($ar, array($strName, $strValue));
80		}
81		return(ArrayToUrl($ar));
82		} // end function SetUrlParam
83
84
85		/**
86		* 为指定的文字内容按照指定的规则格式化成一个链接的HTML代码，返回该HTML字符串
87		* @access public
88		* @param string $str 要进行格式化的内容
89		* @param string $linkAddress 链接地址
90		* @param string $targetWindow 链接的目标窗口
91		* @param string $paramStr 其他参数字符串，按照原样加到链接代码中
92		* @return string
93		*/
94		function ToLink($str, $linkAddress, $targetWindow = '', $paramStr = '')
95		{
96		$s_url = '';
97		$s_url .= '<a href="' . $linkAddress . '" ';
98		if (!empty($targetWindow))
99		{
100		$s_url .= 'target="' . $targetWindow . '" ';
101		}
102		if (!empty($paramStr))
103		{
104		$s_url .= $paramStr;
105		}
106		$s_url .= '>' . $str . '</a>';
107		return($s_url);
108		}
109
110
111		/**
112		* 去掉URL参数
113		* @access public
114		* @see SetUrlParam()
115		* @param string $urlStr 要进行处理的URL地址
116		* @param string $strName 要删除的参数名
117		* @return string
118		*/
119		function UnsetUrlParam($urlStr, $strName)
120		{
121		if (empty($strName))
122		{
123		return($urlStr);
124		}
125		$ar = UrlToArray($urlStr);
126		$ar2 = array();
127		foreach ($ar as $key=>$val)
128		{
129		if ($strName == $val[0])
130		{
131		//找到指定的参数了，因为要删除他，所有就不复制，什么都不作
132		}
133		else
134		{
135		array_push($ar2, $val);
136		}
137		}
138		return(ArrayToUrl($ar2));
139		} // end function UnsetUrlParam
140
141
142		/**
143		* 将URL地址转换为数组
144		*
145		* {@source 4 21}
146		* @access public
147		* @see ArrayToUrl()
148		* @param string $urlStr URL地址
149		* @return array
150		*/
151		function UrlToArray($urlStr) {
152		/*
153		示例：转换 'http://localhost/index.php?a=1&b=&c=d.php?e=5&f=6'的结果为
154		Array(
155		[0] => Array(
156		[0] => http://localhost/working/hebca/source/test/index.php
157		[1] =>)
158		[1] => Array(
159		[0] => a
160		[1] => 1)
161		[2] => Array(
162		[0] => b
163		[1] =>)
164		[3] => Array(
165		[0] => c
166		[1] => d.php?e
167		[2] => 5)
168		[4] => Array(
169		[0] => f
170		[1] => 6) )
171		*/
172		$ar = array();
173		$str = $urlStr;
174		$i = 0;
175		//先寻找“?”
176		$i = strpos($str, '?');
177		if (1 > $i) {
178		//URL中没有?，说明其没有参数
179		array_push($ar, array($str, ''));
180		}
181		else {
182		array_push($ar, array(substr($str, 0, $i), ''));
183		$str = substr($str, $i + 1) . '&';
184		//解析用&间隔的参数
185		while (!empty($str)) {
186		$i = strpos($str, '&');
187		if (0 < $i) {
188		$sub_str = substr($str, 0, $i);
189		//分析$sub_str这个等式
190		array_push($ar, preg_split('/[=]/', $sub_str));
191		$str = substr($str, $i + 1);
192		}
193		elseif ('&' == $str[0]) {
194		$str = substr($str, 1);
195		}
196	View Code Duplication	else {
197		//剩下的不可识别字符
198		array_push($ar, array(substr($str, 0, 1), ''));
199		$str = substr($str, 1);
200		}
201		}
202		}
203		return($ar);
204		} // end function UrlToArray
205
206
207		/**
208		* Find url plan from url
209		*
210		* eg: http://www.google.com/, plan = http
211		*
212		* Obsolete, changed to request.php::GetUrlPlan()
213		* @param string $url
214		* @return string
215		*/
216		function UrlPlan($url) {
217		$i = preg_match('/^(\w+):\/\//', $url, $ar);
218		if (1 == $i)
219		return $ar[1];
220		else
221		return '';
222		} // end of func UrlPlan
223
224		?>
		0 ignored issues – show Best Practice introduced 2016-06-01 06:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is not recommended to use PHP's closing tag `?>` in files other than templates. Using a closing tag in PHP files that only contain PHP code is not recommended as you might accidentally add whitespace after the closing tag which would then be output by PHP. This can cause severe problems, for example headers cannot be sent anymore. A simple precaution is to leave off the closing tag as it is not required, and it also has no negative effects whatsoever. Loading history...
225

fwolf / fwlib

Issues (1752)

Security Analysis not enabled

func/url.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like