Issues in BasicDbEntityService.php (master) - Issues in master - starweb/starlit-db - Measure and Improve Code Quality continuously with Scrutinizer

Issues (11)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/BasicDbEntityService.php (1 issue)

Labels

Bug 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Starlit Db.
 *
 * @copyright Copyright (c) 2016 Starweb AB
 * @license   BSD 3-Clause
 */

namespace Starlit\Db;

use Starlit\Db\Exception;

/**
 * A database entity service is intended to handle database operations for existing
 * entity objects, i.e. load, save and load secondary objects etc.
 *
 * @author Andreas Nilsson <http://github.com/jandreasn>
 */
class BasicDbEntityService
{
    /**
     * The database adapter/connection/handler.
     *
     * @var Db
     */
    protected $db;

    /**
     * Constructor.
     *
     * @param Db $db
     */
    public function __construct(Db $db)
    {
        $this->db = $db;
    }

    /**
     * Load object's values from database table.
     *
     * @param AbstractDbEntity $dbEntity
     * @throws Exception\EntityNotFoundException
     */
    public function load(AbstractDbEntity $dbEntity)
    {
        // Check that the primary key is set
        if (!$dbEntity->getPrimaryDbValue()) {
            throw new \InvalidArgumentException(
                'Database entity can not be loaded because primary value is not set'
            );
        }

        // Fetch ad from db
        $row = $this->db->fetchRow(
            '
                SELECT *
                FROM `' . $dbEntity->getDbTableName() . '`
                WHERE ' . $this->getPrimaryKeyWhereSql($dbEntity) . '
            ',
            $this->getPrimaryKeyWhereParameters($dbEntity)
        );

        if (!$row) {
            throw new Exception\EntityNotFoundException("Db entity[{$dbEntity->getPrimaryDbValue()}] does not exist");
        }

        $dbEntity->setDbDataFromRow($row);
    }

    /**
     * Save entity to database table.
     *
     * @param AbstractDbEntity $dbEntity
     * @return bool
     */
    public function save(AbstractDbEntity $dbEntity)
    {
        if ($dbEntity->shouldBeDeletedFromDbOnSave()) {
            // Only delete if previously saved to db
            if ($dbEntity->getPrimaryDbValue()) {
                $this->delete($dbEntity);
            }

            return false;
        }

        if ($dbEntity->shouldInsertOnDbSave()) {
            // Note that database data always contains all properties,
            // with defaults for non set properties
            $dataToSave = $dbEntity->getDbData();
        } else {
            if ($dbEntity->hasModifiedDbProperties()) {
                $dataToSave = $dbEntity->getModifiedDbData();
            } else {
                // Return if no value has been modified and it's not an insert
                // (we always want to insert if no id exist, since some child objects might
                // depend on the this primary id being available)
                return false;
            }
        }

        // Check data
        $sqlData = [];
        foreach ($dataToSave as $propertyName => $value) {
            if (!empty($value) && is_scalar($value)
                && $dbEntity->getDbPropertyMaxLength($propertyName)
                && mb_strlen($value) > $dbEntity->getDbPropertyMaxLength($propertyName)
            ) {
                throw new \RuntimeException(
                    "Database field \"{$propertyName}\" exceeds field max length (value: \"{$value}\")"
                );
            } elseif (empty($value) && $dbEntity->getDbPropertyNonEmpty($propertyName)) {
                throw new \RuntimeException("Database field \"{$propertyName}\" is empty and required");
            } elseif (((is_scalar($value) && ((string) $value) === '') || (!is_scalar($value) && empty($value)))
                && $dbEntity->getDbPropertyRequired($propertyName)
            ) {
                throw new \RuntimeException("Database field \"{$propertyName}\" is required to be set");
            }

            // Set data keys db field format
            $fieldName = $dbEntity->getDbFieldName($propertyName);
            $sqlData[$fieldName] = $value;
        }


        // Insert new database row
        if ($dbEntity->shouldInsertOnDbSave()) {
            $this->db->insert(
                $dbEntity->getDbTableName(),
                $sqlData
            );

            // Update entity with auto increment value
            if (!is_array($dbEntity->getPrimaryDbPropertyKey())
                && !empty($lastInsertId = $this->db->getLastInsertId())
            ) {
                $dbEntity->setPrimaryDbValue($lastInsertId);
            } else {
                // For entities with for example string primary keys, we update primary value
                // with value/values from db data, indicating that the entity is now
                // in database/loaded.
                $dbEntity->updatePrimaryDbValueFromDbData();
            }
        // Update existing database row
        } else {
            $this->db->update(
                $dbEntity->getDbTableName(),
                $sqlData,
                $this->getPrimaryKeyWhereSql($dbEntity),
                $this->getPrimaryKeyWhereParameters($dbEntity)
            );
        }

        $dbEntity->clearModifiedDbProperties();
        $dbEntity->setForceDbInsertOnSave(false);

        return true;
    }

    /**
     * Delete entity's corresponding database row.
     *
     * @param AbstractDbEntity $dbEntity
     */
    public function delete(AbstractDbEntity $dbEntity)
    {
        if (!$dbEntity->getPrimaryDbValue()) {
            throw new \InvalidArgumentException('Primary database value not set');
        }

        $this->db->exec(
            'DELETE FROM `' . $dbEntity->getDbTableName() . '` WHERE ' . $this->getPrimaryKeyWhereSql($dbEntity),
            $this->getPrimaryKeyWhereParameters($dbEntity)
        );

        $dbEntity->setDeleted();
    }

    /**
     * @param AbstractDbEntity $dbEntity
     * @return string
     */
    protected function getPrimaryKeyWhereSql(AbstractDbEntity $dbEntity)
    {
        if (is_array($dbEntity->getPrimaryDbPropertyKey())) {
            $whereStrings = [];
            foreach ($dbEntity->getPrimaryDbFieldKey() as $primaryKeyPart) {
$collection = json_decode($data, true);
if ( ! is_array($collection)) {
    throw new \RuntimeException('$collection must be an array.');
}

foreach ($collection as $item) { /** ... */ }
                $whereStrings[] = '`' . $primaryKeyPart . '` = ?';
            }
            $whereSql = implode(' AND ', $whereStrings);
        } else {
            $whereSql = '`' . $dbEntity->getPrimaryDbFieldKey() . '` = ?';
        }

        return $whereSql;
    }

    /**
     * @param AbstractDbEntity $dbEntity
     * @return array
     */
    protected function getPrimaryKeyWhereParameters(AbstractDbEntity $dbEntity)
    {
        if (is_array($dbEntity->getPrimaryDbPropertyKey())) {
            $whereParameters = $dbEntity->getPrimaryDbValue();
        } else {
            $whereParameters = [$dbEntity->getPrimaryDbValue()];
        }

        return $whereParameters;
    }
}


GitHub Access Token became invalid

Issues (11)

Security Analysis no request data

src/BasicDbEntityService.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1		<?php
2		/**
3		* Starlit Db.
4		*
5		* @copyright Copyright (c) 2016 Starweb AB
6		* @license BSD 3-Clause
7		*/
8
9		namespace Starlit\Db;
10
11		use Starlit\Db\Exception;
12
13		/**
14		* A database entity service is intended to handle database operations for existing
15		* entity objects, i.e. load, save and load secondary objects etc.
16		*
17		* @author Andreas Nilsson <http://github.com/jandreasn>
18		*/
19		class BasicDbEntityService
20		{
21		/**
22		* The database adapter/connection/handler.
23		*
24		* @var Db
25		*/
26		protected $db;
27
28		/**
29		* Constructor.
30		*
31		* @param Db $db
32		*/
33	15	public function __construct(Db $db)
34		{
35	15	$this->db = $db;
36	15	}
37
38		/**
39		* Load object's values from database table.
40		*
41		* @param AbstractDbEntity $dbEntity
42		* @throws Exception\EntityNotFoundException
43		*/
44	3	public function load(AbstractDbEntity $dbEntity)
45		{
46		// Check that the primary key is set
47	3	if (!$dbEntity->getPrimaryDbValue()) {
48	1	throw new \InvalidArgumentException(
49	1	'Database entity can not be loaded because primary value is not set'
50		);
51		}
52
53		// Fetch ad from db
54	2	$row = $this->db->fetchRow(
55		'
56		SELECT *
57	2	FROM `' . $dbEntity->getDbTableName() . '`
58	2	WHERE ' . $this->getPrimaryKeyWhereSql($dbEntity) . '
59		',
60	2	$this->getPrimaryKeyWhereParameters($dbEntity)
61		);
62
63	2	if (!$row) {
64	1	throw new Exception\EntityNotFoundException("Db entity[{$dbEntity->getPrimaryDbValue()}] does not exist");
65		}
66
67	1	$dbEntity->setDbDataFromRow($row);
68	1	}
69
70		/**
71		* Save entity to database table.
72		*
73		* @param AbstractDbEntity $dbEntity
74		* @return bool
75		*/
76	10	public function save(AbstractDbEntity $dbEntity)
77		{
78	10	if ($dbEntity->shouldBeDeletedFromDbOnSave()) {
79		// Only delete if previously saved to db
80	2	if ($dbEntity->getPrimaryDbValue()) {
81	1	$this->delete($dbEntity);
82		}
83
84	2	return false;
85		}
86
87	8	if ($dbEntity->shouldInsertOnDbSave()) {
88		// Note that database data always contains all properties,
89		// with defaults for non set properties
90	5	$dataToSave = $dbEntity->getDbData();
91		} else {
92	3	if ($dbEntity->hasModifiedDbProperties()) {
93	2	$dataToSave = $dbEntity->getModifiedDbData();
94		} else {
95		// Return if no value has been modified and it's not an insert
96		// (we always want to insert if no id exist, since some child objects might
97		// depend on the this primary id being available)
98	1	return false;
99		}
100		}
101
102		// Check data
103	7	$sqlData = [];
104	7	foreach ($dataToSave as $propertyName => $value) {
105	7	if (!empty($value) && is_scalar($value)
106	7	&& $dbEntity->getDbPropertyMaxLength($propertyName)
107	7	&& mb_strlen($value) > $dbEntity->getDbPropertyMaxLength($propertyName)
108		) {
109	1	throw new \RuntimeException(
110	1	"Database field \"{$propertyName}\" exceeds field max length (value: \"{$value}\")"
111		);
112	7	} elseif (empty($value) && $dbEntity->getDbPropertyNonEmpty($propertyName)) {
113	1	throw new \RuntimeException("Database field \"{$propertyName}\" is empty and required");
114	7	} elseif (((is_scalar($value) && ((string) $value) === '') \|\| (!is_scalar($value) && empty($value)))
115	7	&& $dbEntity->getDbPropertyRequired($propertyName)
116		) {
117	2	throw new \RuntimeException("Database field \"{$propertyName}\" is required to be set");
118		}
119
120		// Set data keys db field format
121	7	$fieldName = $dbEntity->getDbFieldName($propertyName);
122	7	$sqlData[$fieldName] = $value;
123		}
124
125
126		// Insert new database row
127	3	if ($dbEntity->shouldInsertOnDbSave()) {
128	1	$this->db->insert(
129	1	$dbEntity->getDbTableName(),
130	1	$sqlData
131		);
132
133		// Update entity with auto increment value
134	1	if (!is_array($dbEntity->getPrimaryDbPropertyKey())
135	1	&& !empty($lastInsertId = $this->db->getLastInsertId())
136		) {
137		$dbEntity->setPrimaryDbValue($lastInsertId);
138		} else {
139		// For entities with for example string primary keys, we update primary value
140		// with value/values from db data, indicating that the entity is now
141		// in database/loaded.
142	1	$dbEntity->updatePrimaryDbValueFromDbData();
143		}
144		// Update existing database row
145		} else {
146	2	$this->db->update(
147	2	$dbEntity->getDbTableName(),
148	2	$sqlData,
149	2	$this->getPrimaryKeyWhereSql($dbEntity),
150	2	$this->getPrimaryKeyWhereParameters($dbEntity)
151		);
152		}
153
154	3	$dbEntity->clearModifiedDbProperties();
155	3	$dbEntity->setForceDbInsertOnSave(false);
156
157	3	return true;
158		}
159
160		/**
161		* Delete entity's corresponding database row.
162		*
163		* @param AbstractDbEntity $dbEntity
164		*/
165	3	public function delete(AbstractDbEntity $dbEntity)
166		{
167	3	if (!$dbEntity->getPrimaryDbValue()) {
168	1	throw new \InvalidArgumentException('Primary database value not set');
169		}
170
171	2	$this->db->exec(
172	2	'DELETE FROM `' . $dbEntity->getDbTableName() . '` WHERE ' . $this->getPrimaryKeyWhereSql($dbEntity),
173	2	$this->getPrimaryKeyWhereParameters($dbEntity)
174		);
175
176	2	$dbEntity->setDeleted();
177	2	}
178
179		/**
180		* @param AbstractDbEntity $dbEntity
181		* @return string
182		*/
183	6	protected function getPrimaryKeyWhereSql(AbstractDbEntity $dbEntity)
184		{
185	6	if (is_array($dbEntity->getPrimaryDbPropertyKey())) {
186	1	$whereStrings = [];
187	1	foreach ($dbEntity->getPrimaryDbFieldKey() as $primaryKeyPart) {
		0 ignored issues – show Bug introduced 2017-03-25 18:39 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$dbEntity->getPrimaryDbFieldKey()` of type `array\|string` is not guaranteed to be traversable. How about adding an additional type check? There are different options of fixing this problem. If you want to be on the safe side, you can add an additional type-check: $collection = json_decode($data, true); if ( ! is_array($collection)) { throw new \RuntimeException('$collection must be an array.'); } foreach ($collection as $item) { /** ... / } If you are sure that the expression is traversable, you might want to add a doc comment cast* to improve IDE auto-completion and static analysis: /** @var array $collection / $collection = json_decode($data, true); foreach ($collection as $item) { /* .. / } Mark the issue as a false-positive*: Just hover the remove button, in the top-right corner of this issue for more options. Loading history...
188	1	$whereStrings[] = '`' . $primaryKeyPart . '` = ?';
189		}
190	1	$whereSql = implode(' AND ', $whereStrings);
191		} else {
192	5	$whereSql = '`' . $dbEntity->getPrimaryDbFieldKey() . '` = ?';
193		}
194
195	6	return $whereSql;
196		}
197
198		/**
199		* @param AbstractDbEntity $dbEntity
200		* @return array
201		*/
202	6	protected function getPrimaryKeyWhereParameters(AbstractDbEntity $dbEntity)
203		{
204	6	if (is_array($dbEntity->getPrimaryDbPropertyKey())) {
205	1	$whereParameters = $dbEntity->getPrimaryDbValue();
206		} else {
207	5	$whereParameters = [$dbEntity->getPrimaryDbValue()];
208		}
209
210	6	return $whereParameters;
211		}
212		}
213

starweb / starlit-db

GitHub Access Token became invalid

Issues (11)

Security Analysis no request data

src/BasicDbEntityService.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like