Issues in MeetingModel.php (master) - Issues in master - literat/srazvs - Measure and Improve Code Quality continuously with Scrutinizer

Issues (789)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

app/models/MeetingModel.php (8 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace App\Models;

use Nette\Database\Context;
use App\Models\ProgramModel;
use App\Models\BaseModel;

/**
 * Meeting
 *
 * class for handling meeting
 *
 * @created 2012-11-09
 * @author Tomas Litera <[email protected]>
 */
class MeetingModel extends BaseModel

{

	/**
	 * @var array
	 */
	private $weekendDays = [];

	/**
	 * @var array
	 */
	public $form_names = [];

	/**
	 * @var array
	 */
	public $dbColumns = [];

	/**
	 * @var DateTime
	 */
	public $regOpening = NULL;

	/**
	 * @var DateTime
	 */
	public $regClosing = NULL;

	/** @var string registration heading text */
	public $regHeading = '';

	public $eventId;
	public $courseId;

	private $configuration;


	private $program;
	private $httpEncoding;
	private $dbTable;

	protected $table = 'kk_meetings';

	/** Constructor */
	public function __construct(Context $database, ProgramModel $program)
	{
		$this->weekendDays = array("pátek", "sobota", "neděle");
		$this->form_names = array(
			"place",
			"start_date",
			"end_date",
			"open_reg",
			"close_reg",
			"contact",
			"email",
			"gsm",
			"cost",
			"advance",
			"numbering",
			'skautis_event_id',
			'skautis_course_id',
		);
		$this->dbColumns = array(
			"place",
			"start_date",
			"end_date",
			"open_reg",
			"close_reg",
			"contact",
			"email",
			"gsm",
			"cost",
			"advance",
			"numbering",
			'skautis_event_id',
			'skautis_course_id',
		);
		$this->dbTable = "kk_meetings";
		$this->setDatabase($database);
		$this->program = $program;
	}

	/**
	 * @param string $encoding
	 */
	public function setHttpEncoding($encoding)
	{
		$this->httpEncoding = $encoding;
	}

	/**
	 * Create new or return existing instance of class
	 *
	 * @return	mixed	instance of class
	 */
	public static function getInstance()
	{
		if(self::$instance === false) {
			self::$instance = new self();

		}
		return self::$instance;
	}

	/**
	 * @return Nette\Database\Table\IRow
	 */
	public function all()
	{
		return $this->getDatabase()
				->table($this->getTable())
				->where('deleted', '0')
				->fetchAll();
	}

	/**
	 * @param  int $id
	 * @return Nette\Database\Table\IRow
	 */
	public function find($id)
	{
		return $this->getDatabase()
				->table($this->getTable())
				->where('deleted ? AND id ?', '0', $id)
				->fetch();
	}

	/**
	 * Create a new record
	 *
	 * @param	mixed	array of data
	 * @return	boolean
	 */
	public function create(array $data)
	{
		$data['guid'] = md5(uniqid());
		$result = $this->getDatabase()->query('INSERT INTO ' . $this->getTable(), $data);

		return $result;
class Author {
    private $name;

    public function __construct($name) {
        $this->name = $name;
    }

    public function getName() {
        return $this->name;
    }
}

abstract class Post {
    public function getAuthor() {
        return 'Johannes';
    }
}

class BlogPost extends Post {
    public function getAuthor() {
        return new Author('Johannes');
    }
}

class ForumPost extends Post { /* ... */ }

function my_function(Post $post) {
    echo strtoupper($post->getAuthor());
}
	}

	/**
	 * Modify record
	 *
	 * @param	int		$id			ID of record
	 * @param	array	$db_data	array of data
/**
 * @param array $germany
 * @param array $island
 * @param array $italy
 */
function finale($germany, $island) {
    return "2:1";
}
	 * @return	bool
	 */
	public function update($id, array $data)
	{
		$result = $this->getDatabase()->table($this->getTable())->where('id', $id)->update($data);

		return $result;
	}

	/**
	 * Delete one or multiple record/s
	 *
	 * @param	int		ID/s of record
	 * @return	boolean
	 */
	public function delete($ids)

	{
		$data = array('deleted' => '1');
		$result = $this->getDatabase()->table($this->getTable())->where('id', $ids)->update($data);

		return $result;
	}

	/**
	 * Return meeting data
	 *
	 * @return  Nette\Database\Table\IRow
	 */
	public function getData($meetingId = null)
	{
		if(isset($meetingId)) {
			$data = $this->find($meetingId);
		} else {
			$data = $this->all();
		}

		if(!$data) {
			return 0;
		} else {
			return $data;
		}
	}

	/**
	 * @param  string $priceType cost|advance
	 * @return integer
	 */
	public function getPrice($priceType)
	{
		return $this->getDatabase()
			->table($this->getTable())
			->select($priceType)
			->where('id', $this->getMeetingId())
			->limit(1)
			->fetchField();
	}

	/**
	 * @param  integer $meetingId
	 * @return $this
	 */
	public function setRegistrationHandlers($meetingId = 1)
	{
		$meeting = $this->getDatabase()
			->table($this->getTable())
			->select('id')
			->select('place')
			->select('DATE_FORMAT(start_date, "%Y") AS year')
			->select('UNIX_TIMESTAMP(open_reg) AS open_reg')
			->select('UNIX_TIMESTAMP(close_reg) AS close_reg')
			->where('id', $meetingId)
			->order('id DESC')
			->limit(1)
			->fetch();

		$this->setRegHeading($meeting->place . ' ' . $meeting->year);
		$this->setRegClosing($meeting->close_reg);
		$this->setRegOpening($meeting->open_reg);

		return $this;
	}

	/**
	 * @return string
	 */
	public function getRegOpening()
	{
		return $this->regOpening;
	}

	/**
	 * @param  string $value
	 * @return $this
	 */
	public function setRegOpening($value = '')
	{
		$this->regOpening = $value;


		return $this;
	}

	/**
	 * @return string
	 */
	public function getRegClosing()
	{
		return $this->regClosing;
	}

	/**
	 * @param  string $value
	 * @return $this
	 */
	public function setRegClosing($value = '')
	{
		$this->regClosing = $value;


		return $this;
	}

	/**
	 * @return string
	 */
	public function getRegHeading()
	{
		return $this->regHeading;
	}

	/**
	 * @param  string $value
	 * @return $this
	 */
	public function setRegHeading($value = '')
	{
		$this->regHeading = $value;

		return $this;
	}

	/**
	 * Is registration open?
	 *
	 * @return 	boolean
	 */
	public function isRegOpen($debug = false)
	{
		return (($this->getRegOpening() < time()) && (time() < $this->getRegClosing()) || $debug);
	}

	/**
	 * @param  integer $id
	 * @return string
	 */
	public function getProvinceNameById($id)
	{
		return $this->getDatabase()
			->table('kk_provinces')
			->select('province_name')
			->where('id', $id)
			->limit(1)
			->fetchField('province_name');
	}

	/**
	 * @return Row
	 */
	public function findEventId()
	{
		return $this->getDatabase()
			->table($this->getTable())
			->where('id', $this->getMeetingId())
			->limit(1)
			->fetchField('skautis_event_id');
	}

	/**
	 * @return Row
	 */
	public function findCourseId()
	{
		return $this->getDatabase()
			->table($this->getTable())
			->where('id', $this->getMeetingId())
			->limit(1)
			->fetchField('skautis_course_id');
	}

	/**
	 * @param  integer|string $meetingId
	 * @return ActiveRow
	 */
	public function getPlaceAndYear($meetingId)
	{
		return $this->getDatabase()
			->table($this->getTable())
			->select('place')
			->select('DATE_FORMAT(start_date, "%Y") AS year')
			->where('id = ? AND deleted = ?', $meetingId, '0')
			->limit(1)
			->fetch();
	}

	/**
	 * @return ActiveRow
	 */
	public function getMenuItems()
	{
		return $this->getDatabase()
			->table($this->getTable())
			->select('id AS mid')
			->select('place')
			->select('DATE_FORMAT(start_date, "%Y") AS year')
			->where('deleted', '0')
			->order('id DESC')
			->fetchAll();
	}

	/**
	 * @return integer
	 */
	public function getLastMeetingId()
	{
		return $this->getDatabase()
			->table($this->getTable())
			->select('id')
			->order('id DESC')
			->limit(1)
			->fetchField();
	}

}


1		<?php
2
3		namespace App\Models;
4
5		use Nette\Database\Context;
6		use App\Models\ProgramModel;
7		use App\Models\BaseModel;
8
9		/**
10		* Meeting
11		*
12		* class for handling meeting
13		*
14		* @created 2012-11-09
15		* @author Tomas Litera <[email protected]>
16		*/
17		class MeetingModel extends BaseModel
		0 ignored issues – show Coding Style introduced 2017-03-07 23:06 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property $form_names is not named in camelCase. This check marks property names that have not been written in camelCase. In camelCase names are written without any punctuation, the start of each new word being marked by a capital letter. Thus the name database connection string becomes `databaseConnectionString`. Loading history...
18		{
19
20		/**
21		* @var array
22		*/
23		private $weekendDays = [];
24
25		/**
26		* @var array
27		*/
28		public $form_names = [];
29
30		/**
31		* @var array
32		*/
33		public $dbColumns = [];
34
35		/**
36		* @var DateTime
37		*/
38		public $regOpening = NULL;
39
40		/**
41		* @var DateTime
42		*/
43		public $regClosing = NULL;
44
45		/** @var string registration heading text */
46		public $regHeading = '';
47
48		public $eventId;
49		public $courseId;
50
51		private $configuration;
		0 ignored issues – show Unused Code introduced 2017-03-07 23:06 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `$configuration` is not used and could be removed. This check marks private properties in classes that are never used. Those properties can be removed. Loading history...
52
53		private $program;
54		private $httpEncoding;
55		private $dbTable;
56
57		protected $table = 'kk_meetings';
58
59		/** Constructor */
60		public function __construct(Context $database, ProgramModel $program)
61		{
62		$this->weekendDays = array("pátek", "sobota", "neděle");
63		$this->form_names = array(
64		"place",
65		"start_date",
66		"end_date",
67		"open_reg",
68		"close_reg",
69		"contact",
70		"email",
71		"gsm",
72		"cost",
73		"advance",
74		"numbering",
75		'skautis_event_id',
76		'skautis_course_id',
77		);
78		$this->dbColumns = array(
79		"place",
80		"start_date",
81		"end_date",
82		"open_reg",
83		"close_reg",
84		"contact",
85		"email",
86		"gsm",
87		"cost",
88		"advance",
89		"numbering",
90		'skautis_event_id',
91		'skautis_course_id',
92		);
93		$this->dbTable = "kk_meetings";
94		$this->setDatabase($database);
95		$this->program = $program;
96		}
97
98		/**
99		* @param string $encoding
100		*/
101		public function setHttpEncoding($encoding)
102		{
103		$this->httpEncoding = $encoding;
104		}
105
106		/**
107		* Create new or return existing instance of class
108		*
109		* @return mixed instance of class
110		*/
111		public static function getInstance()
112		{
113		if(self::$instance === false) {
114		self::$instance = new self();
		0 ignored issues – show Bug introduced 2017-03-07 23:06 UTC by Report Bug Copy Issue Report Show Similar Issues like this The call to `MeetingModel::__construct()` misses some required arguments starting with `$database`. Loading history...
115		}
116		return self::$instance;
117		}
118
119		/**
120		* @return Nette\Database\Table\IRow
121		*/
122		public function all()
123		{
124		return $this->getDatabase()
125		->table($this->getTable())
126		->where('deleted', '0')
127		->fetchAll();
128		}
129
130		/**
131		* @param int $id
132		* @return Nette\Database\Table\IRow
133		*/
134		public function find($id)
135		{
136		return $this->getDatabase()
137		->table($this->getTable())
138		->where('deleted ? AND id ?', '0', $id)
139		->fetch();
140		}
141
142		/**
143		* Create a new record
144		*
145		* @param mixed array of data
146		* @return boolean
147		*/
148		public function create(array $data)
149		{
150		$data['guid'] = md5(uniqid());
151		$result = $this->getDatabase()->query('INSERT INTO ' . $this->getTable(), $data);
152
153		return $result;
		0 ignored issues – show Bug Best Practice introduced 2017-03-07 23:06 UTC by Report Bug Copy Issue Report Show Similar Issues like this The return type of `return $result;` (`Nette\Database\ResultSet`) is incompatible with the return type of the parent method `App\Models\BaseModel::create` of type `Nette\Database\Table\IRow\|integer\|boolean`. If you return a value from a function or method, it should be a sub-type of the type that is given by the parent type f.e. an interface, or abstract method. This is more formally defined by the Lizkov substitution principle, and guarantees that classes that depend on the parent type can use any instance of a child type interchangably. This principle also belongs to the SOLID principles for object oriented design. Let’s take a look at an example: class Author { private $name; public function __construct($name) { $this->name = $name; } public function getName() { return $this->name; } } abstract class Post { public function getAuthor() { return 'Johannes'; } } class BlogPost extends Post { public function getAuthor() { return new Author('Johannes'); } } class ForumPost extends Post { /* ... */ } function my_function(Post $post) { echo strtoupper($post->getAuthor()); } Our function `my_function` expects a `Post` object, and outputs the author of the post. The base class `Post` returns a simple string and outputting a simple string will work just fine. However, the child class `BlogPost` which is a sub-type of `Post` instead decided to return an `object`, and is therefore violating the SOLID principles. If a `BlogPost` were passed to `my_function`, PHP would not complain, but ultimately fail when executing the `strtoupper` call in its body. Loading history...
154		}
155
156		/**
157		* Modify record
158		*
159		* @param int $id ID of record
160		* @param array $db_data array of data
		0 ignored issues – show Bug introduced 2017-03-07 23:06 UTC by Report Bug Copy Issue Report Show Similar Issues like this There is no parameter named `$db_data`. Was it maybe removed? This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. Consider the following example. The parameter `$italy` is not defined by the method `finale(...)`. /** * @param array $germany * @param array $island * @param array $italy */ function finale($germany, $island) { return "2:1"; } The most likely cause is that the parameter was removed, but the annotation was not. Loading history...
161		* @return bool
162		*/
163		public function update($id, array $data)
164		{
165		$result = $this->getDatabase()->table($this->getTable())->where('id', $id)->update($data);
166
167		return $result;
168		}
169
170		/**
171		* Delete one or multiple record/s
172		*
173		* @param int ID/s of record
174		* @return boolean
175		*/
176	View Code Duplication	public function delete($ids)
		0 ignored issues – show Duplication introduced 2017-09-10 21:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
177		{
178		$data = array('deleted' => '1');
179		$result = $this->getDatabase()->table($this->getTable())->where('id', $ids)->update($data);
180
181		return $result;
182		}
183
184		/**
185		* Return meeting data
186		*
187		* @return Nette\Database\Table\IRow
188		*/
189		public function getData($meetingId = null)
190		{
191		if(isset($meetingId)) {
192		$data = $this->find($meetingId);
193		} else {
194		$data = $this->all();
195		}
196
197		if(!$data) {
198		return 0;
199		} else {
200		return $data;
201		}
202		}
203
204		/**
205		* @param string $priceType cost\|advance
206		* @return integer
207		*/
208		public function getPrice($priceType)
209		{
210		return $this->getDatabase()
211		->table($this->getTable())
212		->select($priceType)
213		->where('id', $this->getMeetingId())
214		->limit(1)
215		->fetchField();
216		}
217
218		/**
219		* @param integer $meetingId
220		* @return $this
221		*/
222		public function setRegistrationHandlers($meetingId = 1)
223		{
224		$meeting = $this->getDatabase()
225		->table($this->getTable())
226		->select('id')
227		->select('place')
228		->select('DATE_FORMAT(start_date, "%Y") AS year')
229		->select('UNIX_TIMESTAMP(open_reg) AS open_reg')
230		->select('UNIX_TIMESTAMP(close_reg) AS close_reg')
231		->where('id', $meetingId)
232		->order('id DESC')
233		->limit(1)
234		->fetch();
235
236		$this->setRegHeading($meeting->place . ' ' . $meeting->year);
237		$this->setRegClosing($meeting->close_reg);
238		$this->setRegOpening($meeting->open_reg);
239
240		return $this;
241		}
242
243		/**
244		* @return string
245		*/
246		public function getRegOpening()
247		{
248		return $this->regOpening;
249		}
250
251		/**
252		* @param string $value
253		* @return $this
254		*/
255		public function setRegOpening($value = '')
256		{
257		$this->regOpening = $value;
		0 ignored issues – show Documentation Bug introduced 2017-09-17 19:40 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$value` of type `string` is incompatible with the declared type `object<App\Models\DateTime>` of property `$regOpening`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
258
259		return $this;
260		}
261
262		/**
263		* @return string
264		*/
265		public function getRegClosing()
266		{
267		return $this->regClosing;
268		}
269
270		/**
271		* @param string $value
272		* @return $this
273		*/
274		public function setRegClosing($value = '')
275		{
276		$this->regClosing = $value;
		0 ignored issues – show Documentation Bug introduced 2017-09-17 19:40 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$value` of type `string` is incompatible with the declared type `object<App\Models\DateTime>` of property `$regClosing`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
277
278		return $this;
279		}
280
281		/**
282		* @return string
283		*/
284		public function getRegHeading()
285		{
286		return $this->regHeading;
287		}
288
289		/**
290		* @param string $value
291		* @return $this
292		*/
293		public function setRegHeading($value = '')
294		{
295		$this->regHeading = $value;
296
297		return $this;
298		}
299
300		/**
301		* Is registration open?
302		*
303		* @return boolean
304		*/
305		public function isRegOpen($debug = false)
306		{
307		return (($this->getRegOpening() < time()) && (time() < $this->getRegClosing()) \|\| $debug);
308		}
309
310		/**
311		* @param integer $id
312		* @return string
313		*/
314		public function getProvinceNameById($id)
315		{
316		return $this->getDatabase()
317		->table('kk_provinces')
318		->select('province_name')
319		->where('id', $id)
320		->limit(1)
321		->fetchField('province_name');
322		}
323
324		/**
325		* @return Row
326		*/
327		public function findEventId()
328		{
329		return $this->getDatabase()
330		->table($this->getTable())
331		->where('id', $this->getMeetingId())
332		->limit(1)
333		->fetchField('skautis_event_id');
334		}
335
336		/**
337		* @return Row
338		*/
339		public function findCourseId()
340		{
341		return $this->getDatabase()
342		->table($this->getTable())
343		->where('id', $this->getMeetingId())
344		->limit(1)
345		->fetchField('skautis_course_id');
346		}
347
348		/**
349		* @param integer\|string $meetingId
350		* @return ActiveRow
351		*/
352		public function getPlaceAndYear($meetingId)
353		{
354		return $this->getDatabase()
355		->table($this->getTable())
356		->select('place')
357		->select('DATE_FORMAT(start_date, "%Y") AS year')
358		->where('id = ? AND deleted = ?', $meetingId, '0')
359		->limit(1)
360		->fetch();
361		}
362
363		/**
364		* @return ActiveRow
365		*/
366		public function getMenuItems()
367		{
368		return $this->getDatabase()
369		->table($this->getTable())
370		->select('id AS mid')
371		->select('place')
372		->select('DATE_FORMAT(start_date, "%Y") AS year')
373		->where('deleted', '0')
374		->order('id DESC')
375		->fetchAll();
376		}
377
378		/**
379		* @return integer
380		*/
381		public function getLastMeetingId()
382		{
383		return $this->getDatabase()
384		->table($this->getTable())
385		->select('id')
386		->order('id DESC')
387		->limit(1)
388		->fetchField();
389		}
390
391		}
392

literat / srazvs

Issues (789)

Security Analysis not enabled

app/models/MeetingModel.php (8 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like