Issues in ContentsHandler.php (master) - Issues in master - mambax7/xoopsfaq - Measure and Improve Code Quality continuously with Scrutinizer

Issues (67)

Security Analysis not enabled

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

Header Injection

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

class/ContentsHandler.php (2 issues)

Severity

Unknown 2

<?php declare(strict_types=1);

namespace XoopsModules\Xoopsfaq;

/*
 You may not change or alter any portion of this comment or credits of
 supporting developers from this source code or any supporting source code
 which is considered copyrighted (c) material of the original comment or credit
 authors.

 This program is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 */

/**
 * Contents (FAQ) and Handler Class Definitions
 *
 * @author    John Neill
 * @author    XOOPS Module Development Team
 * @copyright Copyright (c) 2001-2017 {@link https://xoops.org XOOPS Project}
 * @license   https://www.gnu.org/licenses/gpl-2.0.html GNU Public License
 * @since     ::   1.23
 */

use Xmf\Module\Admin;

/**
 * ContentsHandler
 *
 * @author   ::    John Neill
 * @copyright:: Copyright (c) 2009
 * @access::    public
 */
final class ContentsHandler extends \XoopsPersistableObjectHandler
{
    /**
     * Constructor
     */
    public function __construct(\XoopsDatabase $db = null)
    {
        parent::__construct($db, 'xoopsfaq_contents', Contents::class, 'contents_id', 'contents_title');
    }

    /**
     * ContentsHandler::getObj()
     *
     * @param \CriteriaElement|string|null $sort sort order ('id', 'cid', 'title', 'publish', or 'weight') default: 'id'
     *
     * @return array Contents object
     */
    public function getObj($sort = null): array
    {
        $sort ??= 'id';
        $obj  = [];
        if ($sort instanceof \CriteriaElement) {
            $criteria = $sort;
        } else {
            $criteria = new \CriteriaCompo();
            $sort     = \in_array(mb_strtolower($sort), ['id', 'cid', 'title', 'publish', 'weight'], true) ? 'contents_' . \mb_strtolower($sort) : 'contents_id';
            $criteria->setSort($sort);
            $criteria->order = 'ASC';
            $criteria->setStart(0);
            $criteria->setLimit(0);
        }
        $obj['list']  = $this->getObjects($criteria, false);
        $obj['count'] = (0 !== $obj['list']) ? \count($obj['list']) : 0;


        return $obj;
    }

    /**
     * ContentsHandler::getPublished()
     *
     * @return array array of XoopsfaqContent objects
     */
    public function getPublished(?string $id = null): array
    {
        $id ??= '';
        \xoops_load('constants', \basename(\dirname(__DIR__)));

        $obj               = [];
        $criteriaPublished = new \CriteriaCompo();
        $criteriaPublished->add(new \Criteria('contents_publish', Constants::NOT_PUBLISHED, '>'));
        $criteriaPublished->add(new \Criteria('contents_publish', \time(), '<='));

        $criteria = new \CriteriaCompo(new \Criteria('contents_active', Constants::ACTIVE));
        if (!empty($id)) {
            $criteria->add(new \Criteria('contents_cid', $id, '='));
        }
        $criteria->add($criteriaPublished);
        $criteria->order = 'ASC';
        $criteria->setSort('contents_weight');

        $obj['list']  = $this->getObjects($criteria, false);
        $obj['count'] = (0 !== $obj['list']) ? \count($obj['list']) : 0;


        return $obj;
    }

    /**
     * Returns category ids of categories that have content
     *
     * @return array contains category ids
     */
    public function getCategoriesIdsWithContent(): array
    {
        $ret    = [];
        $sql    = 'SELECT contents_cid ';
        $sql    .= 'FROM `' . $this->table . '` ';
        $sql    .= 'WHERE (contents_active =\'' . Constants::ACTIVE . '\') ';
        $sql    .= 'GROUP BY contents_cid';
        $result = $this->db->query($sql);
        if ($this->db->isResultSet($result)) {
            while (false !== ($myrow = $this->db->fetchArray($result))) {
                $ret[$myrow['contents_cid']] = $myrow['contents_cid'];
            }
        }

        return $ret;
    }

    /**
     * ContentsHandler::displayAdminListing()
     */
    public function displayAdminListing(?string $sort = null): void
    {
        $sort ??= 'id';
        echo $this->renderAdminListing($sort);
    }

    /**
     * ContentsHandler::renderAdminListing()
     *
     * @return string html listing of Contents (FAQ) for Admin
     * @see \XoopsModules\Xoopsfaq\Helper
     */
    public function renderAdminListing(?string $sort = null): string
    {
        $sort ??= 'id';
        //        if (!\class_exists('Xoopsfaq\Utility')) {
        //            \xoops_load('utility', \basename(\dirname(__DIR__)));
        //        }

        $objects = $this->getObj($sort);
        /** @var Helper $helper */
        $helper = Helper::getHelper(\basename(\dirname(__DIR__)));
        /** @var CategoryHandler $categoryHandler */
        $categoryHandler = $helper->getHandler('Category');
        $catFields       = ['category_id', 'category_title'];
        $catArray        = $categoryHandler->getAll(null, $catFields, false);

        $buttons = ['edit', 'delete'];

        $ret = '<table class="outer width100 bnone pad3 marg5">'
               . '  <thead>'
               . '  <tr class="center">'
               . '    <th class="width5">'
               . \_AM_XOOPSFAQ_CONTENTS_ID
               . '</th>'
               . '    <th class="width5">'
               . \_AM_XOOPSFAQ_CONTENTS_ACTIVE
               . '</th>'
               . '    <th class="width5">'
               . \_AM_XOOPSFAQ_CONTENTS_WEIGHT
               . '</th>'
               . '    <th class="left">'
               . \_AM_XOOPSFAQ_CONTENTS_TITLE
               . '</th>'
               . '    <th class="left">'
               . \_AM_XOOPSFAQ_CATEGORY_TITLE
               . '</th>'
               . '    <th>'
               . \_AM_XOOPSFAQ_CONTENTS_PUBLISH
               . '</th>'
               . '    <th class="width20">'
               . \_AM_XOOPSFAQ_ACTIONS
               . '</th>'
               . '  </tr>'
               . '  </thead>'
               . '  <tbody>';
        if (\is_array($objects) && ($objects['count'] > 0)) {
            $tdClass = 0;
            /** @var Contents $object */
            foreach ($objects['list'] as $object) {
                $thisCatId        = $object->getVar('contents_cid');
                $thisCatTitle     = $catArray[$thisCatId]['category_title'];
                $thisContentTitle = '<a href="' . $helper->url('index.php?cat_id=' . $thisCatId . '#q' . $object->getVar('contents_id')) . '" title="' . \_AM_XOOPSFAQ_CONTENTS_VIEW . '">' . $object->getVar('contents_title') . '</a>';
                ++$tdClass;
                $dispClass = ($tdClass % 1) ? 'even' : 'odd';
                $ret       .= '  <tr class="center middle">'
                              . '    <td class="'
                              . $dispClass
                              . '">'
                              . $object->getVar('contents_id')
                              . '</td>'
                              . '    <td class="'
                              . $dispClass
                              . '">'
                              . $object->getActiveIcon()
                              . '</td>'
                              . '    <td class="'
                              . $dispClass
                              . '">'
                              . $object->getVar('contents_weight')
                              . '</td>'
                              . '    <td class="'
                              . $dispClass
                              . ' left">'
                              . $thisContentTitle
                              . '</td>'
                              . '    <td class="'
                              . $dispClass
                              . ' left">'
                              . $thisCatTitle
                              . '</td>'
                              . '    <td class="'
                              . $dispClass
                              . '">'
                              . $object->getPublished(\_SHORTDATESTRING)
                              . '</td>'
                              . '    <td class="'
                              . $dispClass
                              . '">';
                $ret       .= Utility::renderIconLinks($buttons, 'contents_id', $object->getVar('contents_id')) . '</td>' . '  </tr>';
            }
        } else {
            $ret .= '  <tr class="center"><td colspan="7" class="even">' . \_AM_XOOPSFAQ_NOLISTING . '</td></tr>';
        }
        $ret .= '  </tbody>' . '</table>';

        return $ret;
    }

    /**
     * ContentsHandler::displayError()
     *
     * @param array|string $errors will display a page with the error(s)
     *
     * @see \Xmf\Module\Admin
     */
    public function displayError($errors = ''): void
    {
        if ('' !== $errors) {
            \xoops_cp_header();
            /** @var Admin $moduleAdmin */
            $moduleAdmin = Admin::getInstance();
            $moduleAdmin->displayNavigation(\basename(__FILE__));
            \xoops_error($errors, \_AM_XOOPSFAQ_ERROR_SUB);
            \xoops_cp_footer();
        }
    }
}


1			<?php declare(strict_types=1);
2
3			namespace XoopsModules\Xoopsfaq;
4
5			/*
6			You may not change or alter any portion of this comment or credits of
7			supporting developers from this source code or any supporting source code
8			which is considered copyrighted (c) material of the original comment or credit
9			authors.
10
11			This program is distributed in the hope that it will be useful, but
12			WITHOUT ANY WARRANTY; without even the implied warranty of
13			MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
14			*/
15
16			/**
17			* Contents (FAQ) and Handler Class Definitions
18			*
19			* @author John Neill
20			* @author XOOPS Module Development Team
21			* @copyright Copyright (c) 2001-2017 {@link https://xoops.org XOOPS Project}
22			* @license https://www.gnu.org/licenses/gpl-2.0.html GNU Public License
23			* @since :: 1.23
24			*/
25
26			use Xmf\Module\Admin;
27
28			/**
29			* ContentsHandler
30			*
31			* @author :: John Neill
32			* @copyright:: Copyright (c) 2009
33			* @access:: public
34			*/
35			final class ContentsHandler extends \XoopsPersistableObjectHandler
36			{
37			/**
38			* Constructor
39			*/
40			public function __construct(\XoopsDatabase $db = null)
41			{
42			parent::__construct($db, 'xoopsfaq_contents', Contents::class, 'contents_id', 'contents_title');
43			}
44
45			/**
46			* ContentsHandler::getObj()
47			*
48			* @param \CriteriaElement\|string\|null $sort sort order ('id', 'cid', 'title', 'publish', or 'weight') default: 'id'
49			*
50			* @return array Contents object
51			*/
52			public function getObj($sort = null): array
53			{
54			$sort ??= 'id';
55			$obj = [];
56			if ($sort instanceof \CriteriaElement) {
57			$criteria = $sort;
58			} else {
59			$criteria = new \CriteriaCompo();
60			$sort = \in_array(mb_strtolower($sort), ['id', 'cid', 'title', 'publish', 'weight'], true) ? 'contents_' . \mb_strtolower($sort) : 'contents_id';
61			$criteria->setSort($sort);
62			$criteria->order = 'ASC';
63			$criteria->setStart(0);
64			$criteria->setLimit(0);
65			}
66			$obj['list'] = $this->getObjects($criteria, false);
67			$obj['count'] = (0 !== $obj['list']) ? \count($obj['list']) : 0;
			0 ignored issues – show introduced 2023-05-29 05:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this The condition `0 !== $obj['list']` is always `true`. Loading history...
68
69			return $obj;
70			}
71
72			/**
73			* ContentsHandler::getPublished()
74			*
75			* @return array array of XoopsfaqContent objects
76			*/
77			public function getPublished(?string $id = null): array
78			{
79			$id ??= '';
80			\xoops_load('constants', \basename(\dirname(__DIR__)));
81
82			$obj = [];
83			$criteriaPublished = new \CriteriaCompo();
84			$criteriaPublished->add(new \Criteria('contents_publish', Constants::NOT_PUBLISHED, '>'));
85			$criteriaPublished->add(new \Criteria('contents_publish', \time(), '<='));
86
87			$criteria = new \CriteriaCompo(new \Criteria('contents_active', Constants::ACTIVE));
88			if (!empty($id)) {
89			$criteria->add(new \Criteria('contents_cid', $id, '='));
90			}
91			$criteria->add($criteriaPublished);
92			$criteria->order = 'ASC';
93			$criteria->setSort('contents_weight');
94
95			$obj['list'] = $this->getObjects($criteria, false);
96			$obj['count'] = (0 !== $obj['list']) ? \count($obj['list']) : 0;
			0 ignored issues – show introduced 2023-05-29 05:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this The condition `0 !== $obj['list']` is always `true`. Loading history...
97
98			return $obj;
99			}
100
101			/**
102			* Returns category ids of categories that have content
103			*
104			* @return array contains category ids
105			*/
106			public function getCategoriesIdsWithContent(): array
107			{
108			$ret = [];
109			$sql = 'SELECT contents_cid ';
110			$sql .= 'FROM `' . $this->table . '` ';
111			$sql .= 'WHERE (contents_active =\'' . Constants::ACTIVE . '\') ';
112			$sql .= 'GROUP BY contents_cid';
113			$result = $this->db->query($sql);
114			if ($this->db->isResultSet($result)) {
115			while (false !== ($myrow = $this->db->fetchArray($result))) {
116			$ret[$myrow['contents_cid']] = $myrow['contents_cid'];
117			}
118			}
119
120			return $ret;
121			}
122
123			/**
124			* ContentsHandler::displayAdminListing()
125			*/
126			public function displayAdminListing(?string $sort = null): void
127			{
128			$sort ??= 'id';
129			echo $this->renderAdminListing($sort);
130			}
131
132			/**
133			* ContentsHandler::renderAdminListing()
134			*
135			* @return string html listing of Contents (FAQ) for Admin
136			* @see \XoopsModules\Xoopsfaq\Helper
137			*/
138			public function renderAdminListing(?string $sort = null): string
139			{
140			$sort ??= 'id';
141			// if (!\class_exists('Xoopsfaq\Utility')) {
142			// \xoops_load('utility', \basename(\dirname(__DIR__)));
143			// }
144
145			$objects = $this->getObj($sort);
146			/** @var Helper $helper */
147			$helper = Helper::getHelper(\basename(\dirname(__DIR__)));
148			/** @var CategoryHandler $categoryHandler */
149			$categoryHandler = $helper->getHandler('Category');
150			$catFields = ['category_id', 'category_title'];
151			$catArray = $categoryHandler->getAll(null, $catFields, false);
152
153			$buttons = ['edit', 'delete'];
154
155			$ret = '<table class="outer width100 bnone pad3 marg5">'
156			. ' <thead>'
157			. ' <tr class="center">'
158			. ' <th class="width5">'
159			. \_AM_XOOPSFAQ_CONTENTS_ID
160			. '</th>'
161			. ' <th class="width5">'
162			. \_AM_XOOPSFAQ_CONTENTS_ACTIVE
163			. '</th>'
164			. ' <th class="width5">'
165			. \_AM_XOOPSFAQ_CONTENTS_WEIGHT
166			. '</th>'
167			. ' <th class="left">'
168			. \_AM_XOOPSFAQ_CONTENTS_TITLE
169			. '</th>'
170			. ' <th class="left">'
171			. \_AM_XOOPSFAQ_CATEGORY_TITLE
172			. '</th>'
173			. ' <th>'
174			. \_AM_XOOPSFAQ_CONTENTS_PUBLISH
175			. '</th>'
176			. ' <th class="width20">'
177			. \_AM_XOOPSFAQ_ACTIONS
178			. '</th>'
179			. ' </tr>'
180			. ' </thead>'
181			. ' <tbody>';
182			if (\is_array($objects) && ($objects['count'] > 0)) {
183			$tdClass = 0;
184			/** @var Contents $object */
185			foreach ($objects['list'] as $object) {
186			$thisCatId = $object->getVar('contents_cid');
187			$thisCatTitle = $catArray[$thisCatId]['category_title'];
188			$thisContentTitle = '<a href="' . $helper->url('index.php?cat_id=' . $thisCatId . '#q' . $object->getVar('contents_id')) . '" title="' . \_AM_XOOPSFAQ_CONTENTS_VIEW . '">' . $object->getVar('contents_title') . '</a>';
189			++$tdClass;
190			$dispClass = ($tdClass % 1) ? 'even' : 'odd';
191			$ret .= ' <tr class="center middle">'
192			. ' <td class="'
193			. $dispClass
194			. '">'
195			. $object->getVar('contents_id')
196			. '</td>'
197			. ' <td class="'
198			. $dispClass
199			. '">'
200			. $object->getActiveIcon()
201			. '</td>'
202			. ' <td class="'
203			. $dispClass
204			. '">'
205			. $object->getVar('contents_weight')
206			. '</td>'
207			. ' <td class="'
208			. $dispClass
209			. ' left">'
210			. $thisContentTitle
211			. '</td>'
212			. ' <td class="'
213			. $dispClass
214			. ' left">'
215			. $thisCatTitle
216			. '</td>'
217			. ' <td class="'
218			. $dispClass
219			. '">'
220			. $object->getPublished(\_SHORTDATESTRING)
221			. '</td>'
222			. ' <td class="'
223			. $dispClass
224			. '">';
225			$ret .= Utility::renderIconLinks($buttons, 'contents_id', $object->getVar('contents_id')) . '</td>' . ' </tr>';
226			}
227			} else {
228			$ret .= ' <tr class="center"><td colspan="7" class="even">' . \_AM_XOOPSFAQ_NOLISTING . '</td></tr>';
229			}
230			$ret .= ' </tbody>' . '</table>';
231
232			return $ret;
233			}
234
235			/**
236			* ContentsHandler::displayError()
237			*
238			* @param array\|string $errors will display a page with the error(s)
239			*
240			* @see \Xmf\Module\Admin
241			*/
242			public function displayError($errors = ''): void
243			{
244			if ('' !== $errors) {
245			\xoops_cp_header();
246			/** @var Admin $moduleAdmin */
247			$moduleAdmin = Admin::getInstance();
248			$moduleAdmin->displayNavigation(\basename(__FILE__));
249			\xoops_error($errors, \_AM_XOOPSFAQ_ERROR_SUB);
250			\xoops_cp_footer();
251			}
252			}
253			}
254

mambax7 / xoopsfaq

Issues (67)

Security Analysis not enabled

class/ContentsHandler.php (2 issues)

Severity

Introduced By

Duplication Side-by-Side

Filter issues like