Issues in PodsUpgrade.php (2.x) - Issues in 2.x - pods-framework/pods - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2873)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

sql/upgrade/PodsUpgrade.php (10 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * @package Pods\Upgrade
 */
class PodsUpgrade {

	/**
	 * @var array
	 */
	public $tables = array();

	/**
	 * @var array
	 */
	protected $progress = array();

	/**
	 * @var PodsAPI
	 */
	protected $api = null;

	/**
	 * @var string
	 */
	protected $version = null;

	/**
	 *
	 */
	public function __construct() {

		$this->api = pods_api();

		$this->get_tables();
		$this->get_progress();
	}

	/**
	 * @param null $_blog_id Blog ID to install.
	 */
	public function install( $_blog_id = null ) {

		/**
		 * @var $wpdb WPDB
		 */
		global $wpdb;
function myFunction($a, $b) {
    // Do something
}

		// Switch DB table prefixes
		if ( null !== $_blog_id && $_blog_id !== $wpdb->blogid ) {
			switch_to_blog( pods_absint( $_blog_id ) );

		} else {
			$_blog_id = null;
		}

		$pods_version = get_option( 'pods_version' );

		do_action( 'pods_install', PODS_VERSION, $pods_version, $_blog_id );

		if ( ( ! pods_tableless() ) && false !== apply_filters( 'pods_install_run', null, PODS_VERSION, $pods_version, $_blog_id ) && 0 === (int) pods_v( 'pods_bypass_install' ) ) {
			$sql = file_get_contents( PODS_DIR . 'sql/dump.sql' );

			$sql = apply_filters( 'pods_install_sql', $sql, PODS_VERSION, $pods_version, $_blog_id );

			$charset_collate = 'DEFAULT CHARSET utf8';

			if ( ! empty( $wpdb->charset ) ) {
				$charset_collate = "DEFAULT CHARSET {$wpdb->charset}";
			}

			if ( ! empty( $wpdb->collate ) ) {
				$charset_collate .= " COLLATE {$wpdb->collate}";
			}

			if ( 'DEFAULT CHARSET utf8' !== $charset_collate ) {
				$sql = str_replace( 'DEFAULT CHARSET utf8', $charset_collate, $sql );
			}

			$sql = explode( ";\n", str_replace( array( "\r", 'wp_' ), array( "\n", $wpdb->prefix ), $sql ) );

			for ( $i = 0, $z = count( $sql ); $i < $z; $i ++ ) {
				$query = trim( $sql[ $i ] );

				if ( empty( $query ) ) {
					continue;
				}

				pods_query( $query, 'Cannot setup SQL tables' );
			}

			// Auto activate component.
			if ( ! PodsInit::$components ) {
				if ( ! defined( 'PODS_LIGHT' ) || ! PODS_LIGHT ) {
					PodsInit::$components = pods_components();
				}
			}

			if ( PodsInit::$components ) {
				PodsInit::$components->activate_component( 'templates' );
			}
		}//end if

		do_action( 'pods_install_post', PODS_VERSION, $pods_version, $_blog_id );
	}

	/**
	 *
	 */
	public function get_tables() {

		/**
		 * @var $wpdb WPDB
		 */
		global $wpdb;
function myFunction($a, $b) {
    // Do something
}

		$tables = $wpdb->get_results( "SHOW TABLES LIKE '{$wpdb->prefix}pod%'", ARRAY_N );


		if ( ! empty( $tables ) ) {
			foreach ( $tables as $table ) {
				$this->tables[] = $table[0];
			}
		}
	}

	/**
	 *
	 */
	public function get_progress() {

		$methods = get_class_methods( $this );

		foreach ( $methods as $method ) {
			if ( 0 === strpos( $method, 'migrate_' ) ) {
				$this->progress[ str_replace( 'migrate_', '', $method ) ] = false;
			}
		}

		$progress = (array) get_option( 'pods_framework_upgrade_' . str_replace( '.', '_', $this->version ), array() );

		if ( ! empty( $progress ) ) {
			$this->progress = array_merge( $this->progress, $progress );
		}
	}

	/**
	 * @param $params
	 *
	 * @return mixed|void
	 */
	public function ajax( $params ) {

		if ( ! isset( $params->step ) ) {
			return pods_error( __( 'Invalid upgrade process.', 'pods' ) );
		}

		if ( ! isset( $params->type ) ) {
			return pods_error( __( 'Invalid upgrade method.', 'pods' ) );
		}

		if ( ! method_exists( $this, $params->step . '_' . $params->type ) ) {
			return pods_error( __( 'Upgrade method not found.', 'pods' ) );
		}

		return call_user_func( array( $this, $params->step . '_' . $params->type ), $params );
	}

	/**
	 * @param      $method
	 * @param      $v
	 * @param null   $x
	 */
	public function update_progress( $method, $v, $x = null ) {


		if ( empty( $this->version ) ) {
			return;
		}

		$method = str_replace( 'migrate_', '', $method );

		if ( null !== $x ) {
			$this->progress[ $method ][ $x ] = (boolean) $v;
		} else {
			$this->progress[ $method ] = $v;
		}

		update_option( 'pods_framework_upgrade_' . str_replace( '.', '_', $this->version ), $this->progress );
	}

	/**
	 * @param      $method
	 * @param null   $x
	 *
	 * @return bool
	 */
	public function check_progress( $method, $x = null ) {


		$method = str_replace( 'migrate_', '', $method );

		if ( isset( $this->progress[ $method ] ) ) {
			if ( null === $x ) {
				return $this->progress[ $method ];
			} elseif ( isset( $this->progress[ $method ][ $x ] ) ) {
				return (boolean) $this->progress[ $method ][ $x ];
			}
		}

		return false;
	}

	/**
	 *
	 */
	public function upgraded() {

		if ( empty( $this->version ) ) {
			return;
		}

		$upgraded = get_option( 'pods_framework_upgraded' );

		if ( empty( $upgraded ) || ! is_array( $upgraded ) ) {
			$upgraded = array();
		}

		delete_option( 'pods_framework_upgrade_' . str_replace( '.', '_', $this->version ) );

		if ( ! in_array( $this->version, $upgraded, true ) ) {
			$upgraded[] = $this->version;
		}

		update_option( 'pods_framework_upgraded', $upgraded );
	}

	/**
	 *
	 */
	public function cleanup() {

		/**
		 * @var $wpdb WPDB
		 */
		global $wpdb;
function myFunction($a, $b) {
    // Do something
}

		foreach ( $this->tables as $table ) {
			if ( false !== strpos( $table, "{$wpdb->prefix}pod_" ) || "{$wpdb->prefix}pod" === $table ) {
				pods_query( "DROP TABLE `{$table}`", false );
			}
		}

		delete_option( 'pods_roles' );
		delete_option( 'pods_version' );
		delete_option( 'pods_framework_upgrade_2_0' );
		delete_option( 'pods_framework_upgrade_2_0_sister_ids' );
		delete_option( 'pods_framework_upgraded_1_x' );

		delete_option( 'pods_disable_file_browser' );
		delete_option( 'pods_files_require_login' );
		delete_option( 'pods_files_require_login_cap' );
		delete_option( 'pods_disable_file_upload' );
		delete_option( 'pods_upload_require_login' );
		delete_option( 'pods_upload_require_login_cap' );

		pods_query( "DELETE FROM `@wp_postmeta` WHERE `meta_key` LIKE '_pods_1x_%'" );
	}
}


Issues (2873)

Security Analysis not enabled

sql/upgrade/PodsUpgrade.php (10 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1. Pass all data via parameters

2. Create a class that maintains your state

1. Pass all data via parameters

2. Create a class that maintains your state

1. Pass all data via parameters

2. Create a class that maintains your state

1			<?php
2
3			/**
4			* @package Pods\Upgrade
5			*/
6			class PodsUpgrade {
7
8			/**
9			* @var array
10			*/
11			public $tables = array();
12
13			/**
14			* @var array
15			*/
16			protected $progress = array();
17
18			/**
19			* @var PodsAPI
20			*/
21			protected $api = null;
22
23			/**
24			* @var string
25			*/
26			protected $version = null;
27
28			/**
29			*
30			*/
31			public function __construct() {
32
33			$this->api = pods_api();
34
35			$this->get_tables();
36			$this->get_progress();
37			}
38
39			/**
40			* @param null $_blog_id Blog ID to install.
41			*/
42			public function install( $_blog_id = null ) {
43
44			/**
45			* @var $wpdb WPDB
46			*/
47			global $wpdb;
			0 ignored issues – show Compatibility Best Practice introduced 2015-11-23 18:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this Use of `global` functionality is not recommended; it makes your code harder to test, and less reusable. Instead of relying on `global` state, we recommend one of these alternatives: 1. Pass all data via parameters function myFunction($a, $b) { // Do something } 2. Create a class that maintains your state class MyClass { private $a; private $b; public function __construct($a, $b) { $this->a = $a; $this->b = $b; } public function myFunction() { // Do something } } Loading history...
48
49			// Switch DB table prefixes
50			if ( null !== $_blog_id && $_blog_id !== $wpdb->blogid ) {
51			switch_to_blog( pods_absint( $_blog_id ) );
			0 ignored issues – show introduced 2018-03-03 20:10 UTC by Report Bug Copy Issue Report Show Similar Issues like this switch_to_blog is not something you should ever need to do in a VIP theme context. Instead use an API (XML-RPC, REST) to interact with other sites if needed. Loading history...
52			} else {
53			$_blog_id = null;
54			}
55
56			$pods_version = get_option( 'pods_version' );
57
58			do_action( 'pods_install', PODS_VERSION, $pods_version, $_blog_id );
59
60			if ( ( ! pods_tableless() ) && false !== apply_filters( 'pods_install_run', null, PODS_VERSION, $pods_version, $_blog_id ) && 0 === (int) pods_v( 'pods_bypass_install' ) ) {
61			$sql = file_get_contents( PODS_DIR . 'sql/dump.sql' );
			0 ignored issues – show introduced 2018-03-03 20:10 UTC by Report Bug Copy Issue Report Show Similar Issues like this file_get_contents is highly discouraged, please use wpcom_vip_file_get_contents() instead. Loading history...
62			$sql = apply_filters( 'pods_install_sql', $sql, PODS_VERSION, $pods_version, $_blog_id );
63
64			$charset_collate = 'DEFAULT CHARSET utf8';
65
66			if ( ! empty( $wpdb->charset ) ) {
67			$charset_collate = "DEFAULT CHARSET {$wpdb->charset}";
68			}
69
70			if ( ! empty( $wpdb->collate ) ) {
71			$charset_collate .= " COLLATE {$wpdb->collate}";
72			}
73
74			if ( 'DEFAULT CHARSET utf8' !== $charset_collate ) {
75			$sql = str_replace( 'DEFAULT CHARSET utf8', $charset_collate, $sql );
76			}
77
78			$sql = explode( ";\n", str_replace( array( "\r", 'wp_' ), array( "\n", $wpdb->prefix ), $sql ) );
79
80			for ( $i = 0, $z = count( $sql ); $i < $z; $i ++ ) {
81			$query = trim( $sql[ $i ] );
82
83			if ( empty( $query ) ) {
84			continue;
85			}
86
87			pods_query( $query, 'Cannot setup SQL tables' );
88			}
89
90			// Auto activate component.
91			if ( ! PodsInit::$components ) {
92			if ( ! defined( 'PODS_LIGHT' ) \|\| ! PODS_LIGHT ) {
93			PodsInit::$components = pods_components();
94			}
95			}
96
97			if ( PodsInit::$components ) {
98			PodsInit::$components->activate_component( 'templates' );
99			}
100			}//end if
101
102			do_action( 'pods_install_post', PODS_VERSION, $pods_version, $_blog_id );
103			}
104
105			/**
106			*
107			*/
108			public function get_tables() {
109
110			/**
111			* @var $wpdb WPDB
112			*/
113			global $wpdb;
			0 ignored issues – show Compatibility Best Practice introduced 2015-11-23 18:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this Use of `global` functionality is not recommended; it makes your code harder to test, and less reusable. Instead of relying on `global` state, we recommend one of these alternatives: 1. Pass all data via parameters function myFunction($a, $b) { // Do something } 2. Create a class that maintains your state class MyClass { private $a; private $b; public function __construct($a, $b) { $this->a = $a; $this->b = $b; } public function myFunction() { // Do something } } Loading history...
114
115			$tables = $wpdb->get_results( "SHOW TABLES LIKE '{$wpdb->prefix}pod%'", ARRAY_N );
			0 ignored issues – show introduced 2018-03-03 20:10 UTC by Report Bug Copy Issue Report Show Similar Issues like this Usage of a direct database call is discouraged. Loading history... introduced 2018-03-03 20:10 UTC by Report Bug Copy Issue Report Show Similar Issues like this Usage of a direct database call without caching is prohibited. Use wp_cache_get / wp_cache_set. Loading history...
116
117			if ( ! empty( $tables ) ) {
118			foreach ( $tables as $table ) {
119			$this->tables[] = $table[0];
120			}
121			}
122			}
123
124			/**
125			*
126			*/
127			public function get_progress() {
128
129			$methods = get_class_methods( $this );
130
131			foreach ( $methods as $method ) {
132			if ( 0 === strpos( $method, 'migrate_' ) ) {
133			$this->progress[ str_replace( 'migrate_', '', $method ) ] = false;
134			}
135			}
136
137			$progress = (array) get_option( 'pods_framework_upgrade_' . str_replace( '.', '_', $this->version ), array() );
138
139			if ( ! empty( $progress ) ) {
140			$this->progress = array_merge( $this->progress, $progress );
141			}
142			}
143
144			/**
145			* @param $params
146			*
147			* @return mixed\|void
148			*/
149			public function ajax( $params ) {
150
151			if ( ! isset( $params->step ) ) {
152			return pods_error( __( 'Invalid upgrade process.', 'pods' ) );
153			}
154
155			if ( ! isset( $params->type ) ) {
156			return pods_error( __( 'Invalid upgrade method.', 'pods' ) );
157			}
158
159			if ( ! method_exists( $this, $params->step . '_' . $params->type ) ) {
160			return pods_error( __( 'Upgrade method not found.', 'pods' ) );
161			}
162
163			return call_user_func( array( $this, $params->step . '_' . $params->type ), $params );
164			}
165
166			/**
167			* @param $method
168			* @param $v
169			* @param null $x
170			*/
171			public function update_progress( $method, $v, $x = null ) {
			0 ignored issues – show Comprehensibility introduced 2018-03-03 20:10 UTC by Report Bug Copy Issue Report Show Similar Issues like this Avoid variables with short names like $v. Configured minimum length is 3. Short variable names may make your code harder to understand. Variable names should be self-descriptive. This check looks for variable names who are shorter than a configured minimum. Loading history... Comprehensibility introduced 2018-03-03 20:10 UTC by Report Bug Copy Issue Report Show Similar Issues like this Avoid variables with short names like $x. Configured minimum length is 3. Short variable names may make your code harder to understand. Variable names should be self-descriptive. This check looks for variable names who are shorter than a configured minimum. Loading history...
172
173			if ( empty( $this->version ) ) {
174			return;
175			}
176
177			$method = str_replace( 'migrate_', '', $method );
178
179			if ( null !== $x ) {
180			$this->progress[ $method ][ $x ] = (boolean) $v;
181			} else {
182			$this->progress[ $method ] = $v;
183			}
184
185			update_option( 'pods_framework_upgrade_' . str_replace( '.', '_', $this->version ), $this->progress );
186			}
187
188			/**
189			* @param $method
190			* @param null $x
191			*
192			* @return bool
193			*/
194			public function check_progress( $method, $x = null ) {
			0 ignored issues – show Comprehensibility introduced 2018-03-03 20:10 UTC by Report Bug Copy Issue Report Show Similar Issues like this Avoid variables with short names like $x. Configured minimum length is 3. Short variable names may make your code harder to understand. Variable names should be self-descriptive. This check looks for variable names who are shorter than a configured minimum. Loading history...
195
196			$method = str_replace( 'migrate_', '', $method );
197
198			if ( isset( $this->progress[ $method ] ) ) {
199			if ( null === $x ) {
200			return $this->progress[ $method ];
201			} elseif ( isset( $this->progress[ $method ][ $x ] ) ) {
202			return (boolean) $this->progress[ $method ][ $x ];
203			}
204			}
205
206			return false;
207			}
208
209			/**
210			*
211			*/
212			public function upgraded() {
213
214			if ( empty( $this->version ) ) {
215			return;
216			}
217
218			$upgraded = get_option( 'pods_framework_upgraded' );
219
220			if ( empty( $upgraded ) \|\| ! is_array( $upgraded ) ) {
221			$upgraded = array();
222			}
223
224			delete_option( 'pods_framework_upgrade_' . str_replace( '.', '_', $this->version ) );
225
226			if ( ! in_array( $this->version, $upgraded, true ) ) {
227			$upgraded[] = $this->version;
228			}
229
230			update_option( 'pods_framework_upgraded', $upgraded );
231			}
232
233			/**
234			*
235			*/
236			public function cleanup() {
237
238			/**
239			* @var $wpdb WPDB
240			*/
241			global $wpdb;
			0 ignored issues – show Compatibility Best Practice introduced 2015-11-23 18:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this Use of `global` functionality is not recommended; it makes your code harder to test, and less reusable. Instead of relying on `global` state, we recommend one of these alternatives: 1. Pass all data via parameters function myFunction($a, $b) { // Do something } 2. Create a class that maintains your state class MyClass { private $a; private $b; public function __construct($a, $b) { $this->a = $a; $this->b = $b; } public function myFunction() { // Do something } } Loading history...
242
243			foreach ( $this->tables as $table ) {
244			if ( false !== strpos( $table, "{$wpdb->prefix}pod_" ) \|\| "{$wpdb->prefix}pod" === $table ) {
245			pods_query( "DROP TABLE `{$table}`", false );
246			}
247			}
248
249			delete_option( 'pods_roles' );
250			delete_option( 'pods_version' );
251			delete_option( 'pods_framework_upgrade_2_0' );
252			delete_option( 'pods_framework_upgrade_2_0_sister_ids' );
253			delete_option( 'pods_framework_upgraded_1_x' );
254
255			delete_option( 'pods_disable_file_browser' );
256			delete_option( 'pods_files_require_login' );
257			delete_option( 'pods_files_require_login_cap' );
258			delete_option( 'pods_disable_file_upload' );
259			delete_option( 'pods_upload_require_login' );
260			delete_option( 'pods_upload_require_login_cap' );
261
262			pods_query( "DELETE FROM `@wp_postmeta` WHERE `meta_key` LIKE '_pods_1x_%'" );
263			}
264			}
265

pods-framework / pods

Issues (2873)

Security Analysis not enabled

sql/upgrade/PodsUpgrade.php (10 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1. Pass all data via parameters

2. Create a class that maintains your state

1. Pass all data via parameters

2. Create a class that maintains your state

1. Pass all data via parameters

2. Create a class that maintains your state

Duplication Side-by-Side

Filter issues like