Issues in Field.php (master) - Issues in master - samsoncms/api - Measure and Improve Code Quality continuously with Scrutinizer

Issues (168)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Field.php (6 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
namespace samsoncms\api;

use samsoncms\api\exception\AdditionalFieldTypeNotFound;
use samsonframework\orm\Condition;
use samsonframework\orm\QueryInterface;

/**
 * SamsonCMS additional field table entity class
 * @package samson\cms
 */
class Field extends \samsonframework\orm\Record
{
    /** Store entity name */
    const ENTITY = __CLASS__;

    /** Entity field names constants for using in code */
    const F_PRIMARY = 'FieldID';
    const F_IDENTIFIER = 'Name';
    const F_DESCRIPTION = 'Description';
    const F_TYPE = 'Type';
    const F_DELETION = 'Active';
    const F_DEFAULT = 'Value';
    const F_LOCALIZED = 'local';

    /** Additional field storing text value */
    const TYPE_TEXT = 0;
    /** Additional field storing resource link */
    const TYPE_RESOURCE = 1;
	    /** Additional field storing date value */
    const TYPE_DATE = 3;
    /** Additional field storing options value */
    const TYPE_OPTIONS = 4;
    /** Additional field storing other entity identifier */
    const TYPE_ENTITYID = 6;
    /** Additional field storing numeric value */
    const TYPE_NUMERIC = 7;
    /** Additional field storing long text value */
    const TYPE_LONGTEXT = 8;
    /** Additional field storing gallery value */
    const TYPE_GALLERY = 9;
    /** Additional field storing datetime value */
    const TYPE_DATETIME = 10;
    /** Additional field storing boolean value */
    const TYPE_BOOL = 11;
    /** Additional field navigation identifier value */
    const TYPE_NAVIGATION = 12;
    /** Additional field external picture identifier value */
    const TYPE_EXTERNALPICTURE = 13;
	
    /** @var array Collection of field type to php variable type relations */
    protected static $phpTYPE = array(
        self::TYPE_TEXT => 'string',
        self::TYPE_RESOURCE => 'string',
        self::TYPE_OPTIONS => 'string',
        self::TYPE_LONGTEXT => 'string',
        self::TYPE_BOOL => 'bool',
        self::TYPE_ENTITYID => 'int',
        self::TYPE_NUMERIC => 'int',
        self::TYPE_DATETIME => 'int',
        self::TYPE_DATE => 'int',
        self::TYPE_GALLERY => 'int',
        self::TYPE_NAVIGATION => 'int',
		self::TYPE_EXTERNALPICTURE => 'string'
    );

    /**
     * Get additional field type in form of Field constant name
     * by database additional field type identifier.
     *
     * @param integer $fieldType Additional field type identifier
     *
     * @return string Additional field type constant
     * @throws AdditionalFieldTypeNotFound
     */
    public static function phpType($fieldType)
    {
        $pointer = &static::$phpTYPE[$fieldType];
        if (isset($pointer)) {
            return $pointer;
        } else {
            throw new AdditionalFieldTypeNotFound($fieldType);
        }
    }

    /**
     * Get internal field type in form of Field constant name
     * by php originial type.
     *
     * @param string $fieldType PHP type
     *
     * @return string Additional field type constant
     * @throws AdditionalFieldTypeNotFound
     */
    public static function internalType($fieldType)
    {
        $types = array_flip(static::$phpTYPE);
        if (array_key_exists($fieldType, $types)) {
            return $types[$fieldType];
        } else {
            throw new AdditionalFieldTypeNotFound($fieldType);
        }
    }

    /**
     * Get current entity instances collection by navigation identifier.
     *
     * @param QueryInterface    $query        Database query
     * @param string            $navigationID Navigation identifier
     * @param self[]|array|null $return       Variable where request result would be returned
     *
     * @return bool|self[] True if field entities has been found and $return is passed
     *                      or self[] if only two parameters is passed.
     */
    public static function byNavigationID(QueryInterface $query, $navigationID, &$return = array())
    {
        /** @var array $fieldIDs Collection of entity identifiers filtered by additional field */
        $fieldIDs = null;
        if (static::idsByNavigationID($query, $navigationID, $fieldIDs)) {
            static::byIDs($query, $fieldIDs, $return);
        }

        // If only one argument is passed - return null, otherwise bool
        return func_num_args() > 2 ? sizeof($return) : $return;
    }

    /**
     * Get current entity identifiers collection by navigation identifier.
     *
     * @param QueryInterface $query Database query
     * @param string         $navigationID Navigation identifier
     * @param array          $return Variable where request result would be returned
     * @param array          $materialIDs Collection of material identifiers for filtering query
     *
     * @return bool|array True if field entities has been found and $return is passed
     *                      or collection of identifiers if only two parameters is passed.
     */
    public static function idsByNavigationID(
        QueryInterface $query,
        $navigationID,
        &$return = array(),
        $materialIDs = null
    )
    {

        // Prepare query
        $query->entity(CMS::FIELD_NAVIGATION_RELATION_ENTITY)
            ->where('StructureID', $navigationID)
            ->where('Active', 1);

        // Add material identifier filter if passed
        if (isset($materialIDs)) {
            $query->where('MaterialID', $materialIDs);
        }

        // Perform database query and get only material identifiers collection
        $return = $query->fields('FieldID');

        // If only one argument is passed - return null, otherwise bool
        return func_num_args() > 2 ? sizeof($return) : $return;
    }

    /**
     * Get current entity instances collection by their identifiers.
     * Method can accept different query executors.
     *
     * @param QueryInterface $query Database query
     * @param string|array   $fieldIDs Field identifier or their colleciton
     * @param self[]|array|null $return Variable where request result would be returned
     * @param string $executor Method name for query execution
     *
     * @return bool|self[] True if material entities has been found and $return is passed
     *                      or self[] if only two parameters is passed.
     */
    public static function byIDs(QueryInterface $query, $fieldIDs, &$return = array(), $executor = 'exec')

    {
        $return = $query->entity(get_called_class())
            ->where('FieldID', $fieldIDs)
            ->where('Active', 1)
            ->orderBy('priority')
            ->$executor();

        // If only one argument is passed - return null, otherwise bool
        return func_num_args() > 2 ? sizeof($return) : $return;
    }

    /**
     * Find additional field database record by Name.
     * This is generic method that should be used in nested classes to find its
     * records by some its primary key value.
     *
     * @param QueryInterface $query  Query object instance
     * @param string         $name   Additional field name
     * @param self           $return Variable to return found database record
     *
     * @return bool|null|self  Field instance or null if 3rd parameter not passed
     */
    public static function byName(QueryInterface $query, $name, self & $return = null)
    {
        // Get field record by name column
        $return = static::oneByColumn($query, 'Name', $name);


        // If only one argument is passed - return null, otherwise bool
        return func_num_args() > 1 ? $return == null : $return;
    }

    /**
     * Find additional field database record by Name or ID.
     * This is generic method that should be used in nested classes to find its
     * records by some its primary key value.
     *
     * @param QueryInterface $query Query object instance
     * @param string         $nameOrID Additional field name or identifier
     * @param self $return Variable to return found database record
     *
*@return bool|null|self  Field instance or null if 3rd parameter not passed
     */
    public static function byNameOrID(QueryInterface $query, $nameOrID, self & $return = null)
    {
        // Create id or URL condition
        $idOrUrl = new Condition('OR');
        $idOrUrl->add('FieldID', $nameOrID)->add('Name', $nameOrID);

        // Perform query
        $return = $query->entity(get_called_class())->whereCondition($idOrUrl)->first();

        // If only one argument is passed - return null, otherwise bool
        return func_num_args() > 1 ? $return == null : $return;
    }

    /**
     * If this field has defined key=>value set.
     *
     * @return array|mixed Grouped collection of field key => value possible values or value for key passed.
     */
    public function options($key = null)
    {
        $types = array();
        // Convert possible field values to array
        foreach (explode(',', $this->Value) as $typeValue) {
class MyClass { }

$x = new MyClass();
$x->foo = true;
            // Split view and value
            $typeValue = explode(':', $typeValue);

            // Store to key => value collection
            $types[$typeValue[0]] = $typeValue[1];
        }

        return isset($key) ? $types[$key] : $types;
    }

    /** @return string Get additional field value field name depending on its type */
    public function valueFieldName()
    {
        return self::valueColumn($this->Type);
class MyClass { }

$x = new MyClass();
$x->foo = true;
    }

    /** @return string Get additional field value field name depending on its type */
    public static function valueColumn($type)
    {
        switch ($type) {
            case self::TYPE_DATETIME:
            case self::TYPE_DATE:
            case self::TYPE_NUMERIC:
                return MaterialField::F_NUMERIC;
            case self::TYPE_ENTITYID:
            case self::TYPE_NAVIGATION:
                return MaterialField::F_KEY;
            default:
                return MaterialField::F_VALUE;
        }
    }

    /** @return bool True if field is localized */
    public function localized()
    {
        return $this->local == 1;
class MyClass { }

$x = new MyClass();
$x->foo = true;
    }
}


1		<?php
2		namespace samsoncms\api;
3
4		use samsoncms\api\exception\AdditionalFieldTypeNotFound;
5		use samsonframework\orm\Condition;
6		use samsonframework\orm\QueryInterface;
7
8		/**
9		* SamsonCMS additional field table entity class
10		* @package samson\cms
11		*/
12		class Field extends \samsonframework\orm\Record
13		{
14		/** Store entity name */
15		const ENTITY = __CLASS__;
16
17		/** Entity field names constants for using in code */
18		const F_PRIMARY = 'FieldID';
19		const F_IDENTIFIER = 'Name';
20		const F_DESCRIPTION = 'Description';
21		const F_TYPE = 'Type';
22		const F_DELETION = 'Active';
23		const F_DEFAULT = 'Value';
24		const F_LOCALIZED = 'local';
25
26		/** Additional field storing text value */
27		const TYPE_TEXT = 0;
28		/** Additional field storing resource link */
29		const TYPE_RESOURCE = 1;
30		/** Additional field storing date value */
31		const TYPE_DATE = 3;
32		/** Additional field storing options value */
33		const TYPE_OPTIONS = 4;
34		/** Additional field storing other entity identifier */
35		const TYPE_ENTITYID = 6;
36		/** Additional field storing numeric value */
37		const TYPE_NUMERIC = 7;
38		/** Additional field storing long text value */
39		const TYPE_LONGTEXT = 8;
40		/** Additional field storing gallery value */
41		const TYPE_GALLERY = 9;
42		/** Additional field storing datetime value */
43		const TYPE_DATETIME = 10;
44		/** Additional field storing boolean value */
45		const TYPE_BOOL = 11;
46		/** Additional field navigation identifier value */
47		const TYPE_NAVIGATION = 12;
48		/** Additional field external picture identifier value */
49		const TYPE_EXTERNALPICTURE = 13;
50
51		/** @var array Collection of field type to php variable type relations */
52		protected static $phpTYPE = array(
53		self::TYPE_TEXT => 'string',
54		self::TYPE_RESOURCE => 'string',
55		self::TYPE_OPTIONS => 'string',
56		self::TYPE_LONGTEXT => 'string',
57		self::TYPE_BOOL => 'bool',
58		self::TYPE_ENTITYID => 'int',
59		self::TYPE_NUMERIC => 'int',
60		self::TYPE_DATETIME => 'int',
61		self::TYPE_DATE => 'int',
62		self::TYPE_GALLERY => 'int',
63		self::TYPE_NAVIGATION => 'int',
64		self::TYPE_EXTERNALPICTURE => 'string'
65		);
66
67		/**
68		* Get additional field type in form of Field constant name
69		* by database additional field type identifier.
70		*
71		* @param integer $fieldType Additional field type identifier
72		*
73		* @return string Additional field type constant
74		* @throws AdditionalFieldTypeNotFound
75		*/
76		public static function phpType($fieldType)
77		{
78		$pointer = &static::$phpTYPE[$fieldType];
79		if (isset($pointer)) {
80		return $pointer;
81		} else {
82		throw new AdditionalFieldTypeNotFound($fieldType);
83		}
84		}
85
86		/**
87		* Get internal field type in form of Field constant name
88		* by php originial type.
89		*
90		* @param string $fieldType PHP type
91		*
92		* @return string Additional field type constant
93		* @throws AdditionalFieldTypeNotFound
94		*/
95		public static function internalType($fieldType)
96		{
97		$types = array_flip(static::$phpTYPE);
98		if (array_key_exists($fieldType, $types)) {
99		return $types[$fieldType];
100		} else {
101		throw new AdditionalFieldTypeNotFound($fieldType);
102		}
103		}
104
105		/**
106		* Get current entity instances collection by navigation identifier.
107		*
108		* @param QueryInterface $query Database query
109		* @param string $navigationID Navigation identifier
110		* @param self[]\|array\|null $return Variable where request result would be returned
111		*
112		* @return bool\|self[] True if field entities has been found and $return is passed
113		* or self[] if only two parameters is passed.
114		*/
115		public static function byNavigationID(QueryInterface $query, $navigationID, &$return = array())
116		{
117		/** @var array $fieldIDs Collection of entity identifiers filtered by additional field */
118		$fieldIDs = null;
119		if (static::idsByNavigationID($query, $navigationID, $fieldIDs)) {
120		static::byIDs($query, $fieldIDs, $return);
121		}
122
123		// If only one argument is passed - return null, otherwise bool
124		return func_num_args() > 2 ? sizeof($return) : $return;
125		}
126
127		/**
128		* Get current entity identifiers collection by navigation identifier.
129		*
130		* @param QueryInterface $query Database query
131		* @param string $navigationID Navigation identifier
132		* @param array $return Variable where request result would be returned
133		* @param array $materialIDs Collection of material identifiers for filtering query
134		*
135		* @return bool\|array True if field entities has been found and $return is passed
136		* or collection of identifiers if only two parameters is passed.
137		*/
138		public static function idsByNavigationID(
139		QueryInterface $query,
140		$navigationID,
141		&$return = array(),
142		$materialIDs = null
143		)
144		{
		0 ignored issues – show Coding Style introduced 2016-03-31 12:28 UTC by Report Bug Copy Issue Report Show Similar Issues like this The closing parenthesis and the opening brace of a multi-line function declaration must be on the same line Loading history...
145		// Prepare query
146		$query->entity(CMS::FIELD_NAVIGATION_RELATION_ENTITY)
147		->where('StructureID', $navigationID)
148		->where('Active', 1);
149
150		// Add material identifier filter if passed
151		if (isset($materialIDs)) {
152		$query->where('MaterialID', $materialIDs);
153		}
154
155		// Perform database query and get only material identifiers collection
156		$return = $query->fields('FieldID');
157
158		// If only one argument is passed - return null, otherwise bool
159		return func_num_args() > 2 ? sizeof($return) : $return;
160		}
161
162		/**
163		* Get current entity instances collection by their identifiers.
164		* Method can accept different query executors.
165		*
166		* @param QueryInterface $query Database query
167		* @param string\|array $fieldIDs Field identifier or their colleciton
168		* @param self[]\|array\|null $return Variable where request result would be returned
169		* @param string $executor Method name for query execution
170		*
171		* @return bool\|self[] True if material entities has been found and $return is passed
172		* or self[] if only two parameters is passed.
173		*/
174	View Code Duplication	public static function byIDs(QueryInterface $query, $fieldIDs, &$return = array(), $executor = 'exec')
		0 ignored issues – show Duplication introduced 2015-12-08 20:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
175		{
176		$return = $query->entity(get_called_class())
177		->where('FieldID', $fieldIDs)
178		->where('Active', 1)
179		->orderBy('priority')
180		->$executor();
181
182		// If only one argument is passed - return null, otherwise bool
183		return func_num_args() > 2 ? sizeof($return) : $return;
184		}
185
186		/**
187		* Find additional field database record by Name.
188		* This is generic method that should be used in nested classes to find its
189		* records by some its primary key value.
190		*
191		* @param QueryInterface $query Query object instance
192		* @param string $name Additional field name
193		* @param self $return Variable to return found database record
194		*
195		* @return bool\|null\|self Field instance or null if 3rd parameter not passed
196		*/
197		public static function byName(QueryInterface $query, $name, self & $return = null)
198		{
199		// Get field record by name column
200		$return = static::oneByColumn($query, 'Name', $name);
		0 ignored issues – show Deprecated Code introduced 2016-02-10 20:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `samsonframework\orm\Record::oneByColumn()` has been deprecated with message: Record should not be queryable, query class ancestor must be used This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
201
202		// If only one argument is passed - return null, otherwise bool
203		return func_num_args() > 1 ? $return == null : $return;
204		}
205
206		/**
207		* Find additional field database record by Name or ID.
208		* This is generic method that should be used in nested classes to find its
209		* records by some its primary key value.
210		*
211		* @param QueryInterface $query Query object instance
212		* @param string $nameOrID Additional field name or identifier
213		* @param self $return Variable to return found database record
214		*
215		*@return bool\|null\|self Field instance or null if 3rd parameter not passed
216		*/
217		public static function byNameOrID(QueryInterface $query, $nameOrID, self & $return = null)
218		{
219		// Create id or URL condition
220		$idOrUrl = new Condition('OR');
221		$idOrUrl->add('FieldID', $nameOrID)->add('Name', $nameOrID);
222
223		// Perform query
224		$return = $query->entity(get_called_class())->whereCondition($idOrUrl)->first();
225
226		// If only one argument is passed - return null, otherwise bool
227		return func_num_args() > 1 ? $return == null : $return;
228		}
229
230		/**
231		* If this field has defined key=>value set.
232		*
233		* @return array\|mixed Grouped collection of field key => value possible values or value for key passed.
234		*/
235		public function options($key = null)
236		{
237		$types = array();
238		// Convert possible field values to array
239		foreach (explode(',', $this->Value) as $typeValue) {
		0 ignored issues – show Bug introduced 2016-10-04 18:24 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `Value` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
240		// Split view and value
241		$typeValue = explode(':', $typeValue);
242
243		// Store to key => value collection
244		$types[$typeValue[0]] = $typeValue[1];
245		}
246
247		return isset($key) ? $types[$key] : $types;
248		}
249
250		/** @return string Get additional field value field name depending on its type */
251		public function valueFieldName()
252		{
253		return self::valueColumn($this->Type);
		0 ignored issues – show Bug introduced 2016-10-04 18:24 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `Type` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
254		}
255
256		/** @return string Get additional field value field name depending on its type */
257		public static function valueColumn($type)
258		{
259		switch ($type) {
260		case self::TYPE_DATETIME:
261		case self::TYPE_DATE:
262		case self::TYPE_NUMERIC:
263		return MaterialField::F_NUMERIC;
264		case self::TYPE_ENTITYID:
265		case self::TYPE_NAVIGATION:
266		return MaterialField::F_KEY;
267		default:
268		return MaterialField::F_VALUE;
269		}
270		}
271
272		/** @return bool True if field is localized */
273		public function localized()
274		{
275		return $this->local == 1;
		0 ignored issues – show Bug introduced 2016-10-04 18:24 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `local` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
276		}
277		}
278

samsoncms / api

Issues (168)

Security Analysis no request data

src/Field.php (6 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like