Issues in Pdo.php (master) - Issues in master - gyselroth/micro - Measure and Improve Code Quality continuously with Scrutinizer

Issues (69)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Db/Wrapper/Pdo.php (10 issues)

Labels

Severity

Major 10

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
declare(strict_types = 1);

/**
 * Micro
 *
 * @author    Raffael Sahli <[email protected]>
 * @copyright Copyright (c) 2017 gyselroth GmbH (https://gyselroth.com)
 * @license   MIT https://opensource.org/licenses/MIT
 */

namespace Micro\Db\Wrapper;

use \Psr\Log\LoggerInterface;
use \Pdo as PdoServer;
use \PDOStatement;

class Pdo
{
    /**
     * Logger
     *
     * @var Logger
     */
    protected $logger;


    /**
     * Dsn
     *
     * @var string
     */
    protected $dsn = 'mysql:host=localhost;dbname=mysql';


    /**
     * Username
     *
     * @var string
     */
    protected $username = 'root';


    /**
     * Password
     *
     * @var string
     */
    protected $password = '';


    /**
     * Driver specific options
     *
     * @var array
     */
    protected $options = [];


    /**
     * Connection resource
     *
     * @var resource
     */
    protected $connection;


    /**
     * Last inserted id
     *
     * @var array
     */
    protected $last_inserted_ids;


    /**
     * construct
     *
     * @param   Iterable $config
     * @param   LoggerInterface   $logger
     */
    public function __construct(? Iterable $config, LoggerInterface $logger)
    {
        $this->setOptions($config);
        $this->logger = $logger;

    }


    /**
     * Connect
     *
     * @return Pdo
     */
    public function connect(): Pdo
    {
        $this->connection = new PdoServer($this->dsn, $this->username, $this->password, $this->options);

        $this->logger->info('connection to db server ['.$this->dsn.'] using pdo was succesful', [
            'category' => get_class($this),
        ]);

        return $this;
    }


    /**
     * Forward calls
     *
     * @param  array $method
     * @param  array $arguments
     * @return mixed
     */
    public function __call(string $method, array $arguments = [])
    {
        return call_user_func_array([&$this->connection, $method], $arguments);
    }


    /**
     * Set options
     *
     * @param  Iterable $config
     * @return Pdo
     */
    public function setOptions(? Iterable $config = null) : Pdo
    {
        if ($config === null) {
            return $this;
        }

        foreach ($config as $option => $value) {
            switch ($option) {
                case 'dsn':
                    $this->dsn = (string)$value;
                    break;
                case 'username':
                    $this->username = (string)$value;
                    break;
                case 'password':
                    $this->password = (string)$value;
                    break;
                case 'options':
                    foreach ($value as $opt => $val) {
                        $this->options[$opt] = (string)$val;
                    }
                    break;
                default:
                    throw new Exception('invalid option '.$option.' given');
            }
        }

        return $this;
    }


    /**
     * Get connection
     *
     * @return resource
     */
    public function getResource()
    {
        if ($this->connection === null) {
            $this->connect();
        }

        return $this->connection;
    }


    /**
     * Query
     *
     * @param  string $query
     * @return PDOStatement
     */
    public function select(string $query): PDOStatement
    {
        $this->logger->debug('execute sql query ['.$query.']', [
            'category' => get_class($this),
        ]);

        $link   = $this->getResource();
        $result = $link->query($query);


        if ($result === false) {
            throw new Exception('failed to execute sql query with error '.$link->errorInfo()[2].' ('.$link->errorCode().')');

        }

        return $result;
    }


    /**
     * Select query
     *
     * @param  string $query
     * @return bool
     */
    public function query(string $query): bool
    {
        $this->logger->debug('execute sql query ['.$query.']', [
            'category' => get_class($this),
        ]);

        $link   = $this->getResource();
        $result = $link->exec($query);


        if ($result === false) {
            throw new Exception('failed to execute sql query with error '.$link->errorInfo().' ('.$link->errorCode().')');

        } else {
            $this->logger->debug('sql query affected ['.$result.'] rows', [
                'category' => get_class($this),
            ]);
        }

        return true;
    }


    /**
     * Prepare query
     *
     * @param  string $query
     * @param  Iterable $values
     * @return mysqli_stmt
     */
    public function prepare(string $query, Iterable $values): mysqli_stmt
    {
        $this->logger->debug('prepare and execute mysql query ['.$query.'] with values [{values}]', [
            'category' => get_class($this),
            'values'   => $values
        ]);

        $link  = $this->getResource();
        $stmt  = $link->prepare($query);


        if (!($stmt instanceof mysqli_stmt)) {
if ($x instanceof DoesNotExist) {
    // Do something.
}
            throw new Exception('failed to prepare mysql query with error '.$link->error.' ('.$link->errno.')');
        }

        $types = '';
        foreach ($values as $attr => $value) {
            $types .= 's';
        }

        $stmt->bind_param($types, ...$values);
        $stmt->execute();

        return $stmt;
    }
}


Issues (69)

Security Analysis not enabled

src/Db/Wrapper/Pdo.php (10 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1. Missing dependencies

2. Missing use statement

1			<?php
2			declare(strict_types = 1);
3
4			/**
5			* Micro
6			*
7			* @author Raffael Sahli <[email protected]>
8			* @copyright Copyright (c) 2017 gyselroth GmbH (https://gyselroth.com)
9			* @license MIT https://opensource.org/licenses/MIT
10			*/
11
12			namespace Micro\Db\Wrapper;
13
14			use \Psr\Log\LoggerInterface;
15			use \Pdo as PdoServer;
16			use \PDOStatement;
17
18			class Pdo
19			{
20			/**
21			* Logger
22			*
23			* @var Logger
24			*/
25			protected $logger;
26
27
28			/**
29			* Dsn
30			*
31			* @var string
32			*/
33			protected $dsn = 'mysql:host=localhost;dbname=mysql';
34
35
36			/**
37			* Username
38			*
39			* @var string
40			*/
41			protected $username = 'root';
42
43
44			/**
45			* Password
46			*
47			* @var string
48			*/
49			protected $password = '';
50
51
52			/**
53			* Driver specific options
54			*
55			* @var array
56			*/
57			protected $options = [];
58
59
60			/**
61			* Connection resource
62			*
63			* @var resource
64			*/
65			protected $connection;
66
67
68			/**
69			* Last inserted id
70			*
71			* @var array
72			*/
73			protected $last_inserted_ids;
74
75
76			/**
77			* construct
78			*
79			* @param Iterable $config
80			* @param LoggerInterface $logger
81			*/
82			public function __construct(? Iterable $config, LoggerInterface $logger)
83			{
84			$this->setOptions($config);
85			$this->logger = $logger;
			0 ignored issues – show Documentation Bug introduced 2017-11-06 16:24 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$logger` of type `object<Psr\Log\LoggerInterface>` is incompatible with the declared type `object<Micro\Db\Wrapper\Logger>` of property `$logger`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
86			}
87
88
89			/**
90			* Connect
91			*
92			* @return Pdo
93			*/
94			public function connect(): Pdo
95			{
96			$this->connection = new PdoServer($this->dsn, $this->username, $this->password, $this->options);
			0 ignored issues – show Documentation Bug introduced 2017-06-21 11:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `new \Pdo($this->dsn, $th...ssword, $this->options)` of type `object<PDO>` is incompatible with the declared type `resource` of property `$connection`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
97			$this->logger->info('connection to db server ['.$this->dsn.'] using pdo was succesful', [
98			'category' => get_class($this),
99			]);
100
101			return $this;
102			}
103
104
105			/**
106			* Forward calls
107			*
108			* @param array $method
109			* @param array $arguments
110			* @return mixed
111			*/
112			public function __call(string $method, array $arguments = [])
113			{
114			return call_user_func_array([&$this->connection, $method], $arguments);
115			}
116
117
118			/**
119			* Set options
120			*
121			* @param Iterable $config
122			* @return Pdo
123			*/
124			public function setOptions(? Iterable $config = null) : Pdo
125			{
126			if ($config === null) {
127			return $this;
128			}
129
130			foreach ($config as $option => $value) {
131			switch ($option) {
132			case 'dsn':
133			$this->dsn = (string)$value;
134			break;
135			case 'username':
136			$this->username = (string)$value;
137			break;
138			case 'password':
139			$this->password = (string)$value;
140			break;
141			case 'options':
142			foreach ($value as $opt => $val) {
143			$this->options[$opt] = (string)$val;
144			}
145			break;
146			default:
147			throw new Exception('invalid option '.$option.' given');
148			}
149			}
150
151			return $this;
152			}
153
154
155			/**
156			* Get connection
157			*
158			* @return resource
159			*/
160			public function getResource()
161			{
162			if ($this->connection === null) {
163			$this->connect();
164			}
165
166			return $this->connection;
167			}
168
169
170			/**
171			* Query
172			*
173			* @param string $query
174			* @return PDOStatement
175			*/
176			public function select(string $query): PDOStatement
177			{
178			$this->logger->debug('execute sql query ['.$query.']', [
179			'category' => get_class($this),
180			]);
181
182			$link = $this->getResource();
183			$result = $link->query($query);
			0 ignored issues – show Bug introduced 2017-06-21 11:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `query` cannot be called on `$link` (of type `resource`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
184
185			if ($result === false) {
186			throw new Exception('failed to execute sql query with error '.$link->errorInfo()[2].' ('.$link->errorCode().')');
			0 ignored issues – show Bug introduced 2017-06-21 11:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `errorInfo` cannot be called on `$link` (of type `resource`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history... Bug introduced 2017-06-21 11:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `errorCode` cannot be called on `$link` (of type `resource`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
187			}
188
189			return $result;
190			}
191
192
193			/**
194			* Select query
195			*
196			* @param string $query
197			* @return bool
198			*/
199			public function query(string $query): bool
200			{
201			$this->logger->debug('execute sql query ['.$query.']', [
202			'category' => get_class($this),
203			]);
204
205			$link = $this->getResource();
206			$result = $link->exec($query);
			0 ignored issues – show Bug introduced 2017-06-21 11:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `exec` cannot be called on `$link` (of type `resource`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
207
208			if ($result === false) {
209			throw new Exception('failed to execute sql query with error '.$link->errorInfo().' ('.$link->errorCode().')');
			0 ignored issues – show Bug introduced 2017-06-21 11:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `errorInfo` cannot be called on `$link` (of type `resource`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history... Bug introduced 2017-06-21 11:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `errorCode` cannot be called on `$link` (of type `resource`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
210			} else {
211			$this->logger->debug('sql query affected ['.$result.'] rows', [
212			'category' => get_class($this),
213			]);
214			}
215
216			return true;
217			}
218
219
220			/**
221			* Prepare query
222			*
223			* @param string $query
224			* @param Iterable $values
225			* @return mysqli_stmt
226			*/
227			public function prepare(string $query, Iterable $values): mysqli_stmt
228			{
229			$this->logger->debug('prepare and execute mysql query ['.$query.'] with values [{values}]', [
230			'category' => get_class($this),
231			'values' => $values
232			]);
233
234			$link = $this->getResource();
235			$stmt = $link->prepare($query);
			0 ignored issues – show Bug introduced 2017-06-21 11:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `prepare` cannot be called on `$link` (of type `resource`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
236
237			if (!($stmt instanceof mysqli_stmt)) {
			0 ignored issues – show Bug introduced 2017-06-21 11:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this The class `Micro\Db\Wrapper\mysqli_stmt` does not exist. Did you forget a USE statement, or did you not list all dependencies? This error could be the result of: 1. Missing dependencies PHP Analyzer uses your `composer.json` file (if available) to determine the dependencies of your project and to determine all the available classes and functions. It expects the `composer.json` to be in the root folder of your repository. Are you sure this class is defined by one of your dependencies, or did you maybe not list a dependency in either the `require` or `require-dev` section? 2. Missing use statement PHP does not complain about undefined classes in `ìnstanceof` checks. For example, the following PHP code will work perfectly fine: if ($x instanceof DoesNotExist) { // Do something. } If you have not tested against this specific condition, such errors might go unnoticed. Loading history...
238			throw new Exception('failed to prepare mysql query with error '.$link->error.' ('.$link->errno.')');
239			}
240
241			$types = '';
242			foreach ($values as $attr => $value) {
243			$types .= 's';
244			}
245
246			$stmt->bind_param($types, ...$values);
247			$stmt->execute();
248
249			return $stmt;
250			}
251			}
252

gyselroth / micro

Issues (69)

Security Analysis not enabled

src/Db/Wrapper/Pdo.php (10 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1. Missing dependencies

2. Missing use statement

Duplication Side-by-Side

Filter issues like