Issues in MSSQLQueryBuilder.php (master) - Issues in master - silverstripe/silverstripe-mssql - Measure and Improve Code Quality continuously with Scrutinizer

Issues (37)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/MSSQLQueryBuilder.php (1 issue)

Labels

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace SilverStripe\MSSQL;

use InvalidArgumentException;
use SilverStripe\ORM\Queries\SQLSelect;
use SilverStripe\ORM\Connect\DBQueryBuilder;
use SilverStripe\ORM\Queries\SQLConditionalExpression;
use SilverStripe\ORM\Queries\SQLUpdate;

/**
 * Builds a SQL query string from a SQLExpression object
 */
class MSSQLQueryBuilder extends DBQueryBuilder
{

    protected function buildSelectQuery(SQLSelect $query, array &$parameters)
    {
        list($limit, $offset) = $this->parseLimit($query);

        // If not using ofset then query generation is quite straightforward
        if (empty($offset)) {
            $sql = parent::buildSelectQuery($query, $parameters);
            // Inject limit into SELECT fragment
            if (!empty($limit)) {
                $sql = preg_replace('/^(SELECT (DISTINCT)?)/i', '${1} TOP '.$limit, $sql);
            }
            return $sql;
        }

        // When using offset we must use a subselect
        // @see http://stackoverflow.com/questions/2135418/equivalent-of-limit-and-offset-for-sql-server
        $orderby = $query->getOrderBy();

        // workaround for subselect not working with alias functions
        // just use the function directly in the order by instead of the alias
        $selects = $query->getSelect();
        foreach ($orderby as $field => $dir) {
            if (preg_match('/_SortColumn/', $field)) {
                unset($orderby[$field]);
                $orderby[$selects[str_replace('"', '', $field)]] = $dir;
            }
        }

        // Create order expression, using the first column if none explicitly specified
        if ($orderby) {

            // Simple implementation of buildOrderByFragment
            $statements = array();
            foreach ($orderby as $clause => $dir) {
                $statements[] = trim("$clause $dir");
            }
            $orderByClause = "ORDER BY " . implode(', ', $statements);
        } else {
            $selects = $query->getSelect();
            $firstCol = reset($selects);
            $orderByClause = "ORDER BY $firstCol";
        }

        // Build main query SQL
        $sql = parent::buildSelectQuery($query, $parameters);

        // Inject row number into selection
        $sql = preg_replace('/^(SELECT (DISTINCT)?)/i', '${1} ROW_NUMBER() OVER ('.$orderByClause.') AS Number, ', $sql);

        // Sub-query this SQL
        if (empty($limit)) {
            $limitCondition = "Number > ?";
            $parameters[] = $offset;
        } else {
            $limitCondition = "Number BETWEEN ? AND ?";
            $parameters[] = $offset + 1;
            $parameters[] = $offset + $limit;
        }

        return "SELECT * FROM ($sql) AS Numbered WHERE $limitCondition ORDER BY Number";
    }

    public function buildLimitFragment(SQLSelect $query, array &$parameters)
    {
        // Limit is handled at the buildSelectQuery level
        return '';
    }

    public function buildOrderByFragment(SQLSelect $query, array &$parameters)
    {
        // If doing a limit/offset at the same time then don't build the orde by fragment here
        list($offset, $limit) = $this->parseLimit($query);
        if (empty($offset) || empty($limit)) {
            return parent::buildOrderByFragment($query, $parameters);
        }
        return '';
    }

    public function buildWhereFragment(SQLConditionalExpression $query, array &$parameters)
    {
        // Get parameterised elements
        $where = parent::buildWhereFragment($query, $parameters);

        if (!$where) {
            return '';
        }

        // remove explict order in where
        $where = preg_replace("/ORDER BY ([^\)])+ [ASC|DESC]+/", '', $where);

        return $where;
    }

    /**
     * Extracts the limit and offset from the limit clause
     *
     * @param SQLSelect $query
     * @return array Two item array with $limit and $offset as values
     * @throws InvalidArgumentException
     */
    protected function parseLimit(SQLSelect $query)
    {
        $limit = '';
        $offset = '0';

        if (is_array($query->getLimit())) {
            $limitArr = $query->getLimit();
            if (isset($limitArr['limit'])) {
                $limit = $limitArr['limit'];
            }
            if (isset($limitArr['start'])) {
                $offset = $limitArr['start'];
            }
        } elseif (preg_match('/^([0-9]+) offset ([0-9]+)$/i', trim($query->getLimit()), $matches)) {
            $limit = $matches[1];
            $offset = $matches[2];
        } else {
            //could be a comma delimited string
            $bits = explode(',', $query->getLimit());
            if (sizeof($bits) > 1) {
                list($offset, $limit) = $bits;
            } else {
                $limit = $bits[0];
            }
        }

        return array($limit, $offset);
    }
}


1			<?php
2
3			namespace SilverStripe\MSSQL;
4
5			use InvalidArgumentException;
6			use SilverStripe\ORM\Queries\SQLSelect;
7			use SilverStripe\ORM\Connect\DBQueryBuilder;
8			use SilverStripe\ORM\Queries\SQLConditionalExpression;
9			use SilverStripe\ORM\Queries\SQLUpdate;
10
11			/**
12			* Builds a SQL query string from a SQLExpression object
13			*/
14			class MSSQLQueryBuilder extends DBQueryBuilder
15			{
16
17			protected function buildSelectQuery(SQLSelect $query, array &$parameters)
18			{
19			list($limit, $offset) = $this->parseLimit($query);
20
21			// If not using ofset then query generation is quite straightforward
22			if (empty($offset)) {
23			$sql = parent::buildSelectQuery($query, $parameters);
24			// Inject limit into SELECT fragment
25			if (!empty($limit)) {
26			$sql = preg_replace('/^(SELECT (DISTINCT)?)/i', '${1} TOP '.$limit, $sql);
27			}
28			return $sql;
29			}
30
31			// When using offset we must use a subselect
32			// @see http://stackoverflow.com/questions/2135418/equivalent-of-limit-and-offset-for-sql-server
33			$orderby = $query->getOrderBy();
34
35			// workaround for subselect not working with alias functions
36			// just use the function directly in the order by instead of the alias
37			$selects = $query->getSelect();
38			foreach ($orderby as $field => $dir) {
39			if (preg_match('/_SortColumn/', $field)) {
40			unset($orderby[$field]);
41			$orderby[$selects[str_replace('"', '', $field)]] = $dir;
42			}
43			}
44
45			// Create order expression, using the first column if none explicitly specified
46			if ($orderby) {
			0 ignored issues – show Bug Best Practice introduced 2015-12-16 23:35 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$orderby` of type `array` is implicitly converted to a boolean; are you sure this is intended? If so, consider using `! empty($expr)` instead to make it clear that you intend to check for an array without elements. This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent. Consider making the comparison explicit by using `empty(..)` or `! empty(...)` instead. Loading history...
47			// Simple implementation of buildOrderByFragment
48			$statements = array();
49			foreach ($orderby as $clause => $dir) {
50			$statements[] = trim("$clause $dir");
51			}
52			$orderByClause = "ORDER BY " . implode(', ', $statements);
53			} else {
54			$selects = $query->getSelect();
55			$firstCol = reset($selects);
56			$orderByClause = "ORDER BY $firstCol";
57			}
58
59			// Build main query SQL
60			$sql = parent::buildSelectQuery($query, $parameters);
61
62			// Inject row number into selection
63			$sql = preg_replace('/^(SELECT (DISTINCT)?)/i', '${1} ROW_NUMBER() OVER ('.$orderByClause.') AS Number, ', $sql);
64
65			// Sub-query this SQL
66			if (empty($limit)) {
67			$limitCondition = "Number > ?";
68			$parameters[] = $offset;
69			} else {
70			$limitCondition = "Number BETWEEN ? AND ?";
71			$parameters[] = $offset + 1;
72			$parameters[] = $offset + $limit;
73			}
74
75			return "SELECT * FROM ($sql) AS Numbered WHERE $limitCondition ORDER BY Number";
76			}
77
78			public function buildLimitFragment(SQLSelect $query, array &$parameters)
79			{
80			// Limit is handled at the buildSelectQuery level
81			return '';
82			}
83
84			public function buildOrderByFragment(SQLSelect $query, array &$parameters)
85			{
86			// If doing a limit/offset at the same time then don't build the orde by fragment here
87			list($offset, $limit) = $this->parseLimit($query);
88			if (empty($offset) \|\| empty($limit)) {
89			return parent::buildOrderByFragment($query, $parameters);
90			}
91			return '';
92			}
93
94			public function buildWhereFragment(SQLConditionalExpression $query, array &$parameters)
95			{
96			// Get parameterised elements
97			$where = parent::buildWhereFragment($query, $parameters);
98
99			if (!$where) {
100			return '';
101			}
102
103			// remove explict order in where
104			$where = preg_replace("/ORDER BY ([^\)])+ [ASC\|DESC]+/", '', $where);
105
106			return $where;
107			}
108
109			/**
110			* Extracts the limit and offset from the limit clause
111			*
112			* @param SQLSelect $query
113			* @return array Two item array with $limit and $offset as values
114			* @throws InvalidArgumentException
115			*/
116			protected function parseLimit(SQLSelect $query)
117			{
118			$limit = '';
119			$offset = '0';
120
121			if (is_array($query->getLimit())) {
122			$limitArr = $query->getLimit();
123			if (isset($limitArr['limit'])) {
124			$limit = $limitArr['limit'];
125			}
126			if (isset($limitArr['start'])) {
127			$offset = $limitArr['start'];
128			}
129			} elseif (preg_match('/^([0-9]+) offset ([0-9]+)$/i', trim($query->getLimit()), $matches)) {
130			$limit = $matches[1];
131			$offset = $matches[2];
132			} else {
133			//could be a comma delimited string
134			$bits = explode(',', $query->getLimit());
135			if (sizeof($bits) > 1) {
136			list($offset, $limit) = $bits;
137			} else {
138			$limit = $bits[0];
139			}
140			}
141
142			return array($limit, $offset);
143			}
144			}
145

silverstripe / silverstripe-mssql

Issues (37)

Security Analysis no request data

src/MSSQLQueryBuilder.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like