Issues in Db.php (master) - Issues in master - starweb/starlit-db - Measure and Improve Code Quality continuously with Scrutinizer

Issues (11)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Db.php (2 issues)

Labels

Severity

Major 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Starlit Db.
 *
 * @copyright Copyright (c) 2016 Starweb AB
 * @license   BSD 3-Clause
 */

namespace Starlit\Db;

use Starlit\Db\Exception\ConnectionException;
use Starlit\Db\Exception\QueryException;
use \PDO;
use \PDOException;
use \PDOStatement;

/**
 * Extended PDO database wrapper.
 *
 * @author Andreas Nilsson <http://github.com/jandreasn>
 */
class Db
{
    /**
     * Database handle/connection.
     *
     * @var PDO
     */
    protected $pdo;

    /**
     * @var string
     */
    protected $dsn;

    /**
     * @var string
     */
    protected $username;

    /**
     * @var string
     */
    protected $password;

    /**
     * @var array
     */
    protected $options;

    /**
     * @var bool
     */
    protected $hasActiveTransaction = false;

    /**
     * @var PdoFactoryInterface
     */
    private $pdoFactory;

    /**
     * Constructor.
     *
     * @param string|PDO            $hostDsnOrPdo A MySQL host, a dsn or an existing PDO instance.
     * @param string|null           $username
     * @param string|null           $password
     * @param string|null           $database
     * @param array                 $options
     * @param PdoFactoryInterface   $pdoFactory
     *
     * @deprecated  The signature of the constructor will change in version 1.0.0 and accept
     *              only a PDO dsn string as first parameter dropping support to inject a PDO instance or host string
     */
    public function __construct(
        $hostDsnOrPdo,
        $username = null,
        $password = null,
        $database = null,
        array $options = [],
        PdoFactoryInterface $pdoFactory = null
    ) {
        if ($hostDsnOrPdo instanceof PDO) {
            @trigger_error(
// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
                'Support to pass a PDO instance to the constructor is deprecated and will be removed in version 1.0.0.'
                . ' You need to pass in a PDO dsn in the future as first parameter.',
                E_USER_DEPRECATED
            );

            $this->pdo = $hostDsnOrPdo;
        } elseif (strpos($hostDsnOrPdo, ':') !== false) {
            $this->dsn = $hostDsnOrPdo;
        } else {
            @trigger_error(
// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
                'Support to pass a host and database to the constructor is deprecated and will be removed in version '
                . '1.0.0. You need to pass in a PDO dsn in the future as first parameter.',
                E_USER_DEPRECATED
            );
            $this->dsn = "mysql:host={$hostDsnOrPdo}" . ($database ? ";dbname={$database}" : '');
        }

        $this->username = $username;
        $this->password = $password;
        $this->options = $options;
        $this->pdoFactory = $pdoFactory ?? new PdoFactory();
    }

    public function connect()
    {
        if ($this->isConnected()) {
            return;
        }

        $retries = $this->options['connectRetries'] ?? 0;
        do {
            try {
                $this->pdo = $this->pdoFactory->createPdo($this->dsn, $this->username, $this->password, $this->options);

                return;
            } catch (PDOException $e) {
                if ($this->isConnectionExceptionCausedByConnection($e) && $retries > 0) {
                    // Sleep for 100 - 500 ms until next retry
                    usleep(rand(100000, 500000));
                } else {
                    throw new ConnectionException($e);
                }
            }
        } while ($retries-- > 0);
    }

    /**
     * @param PDOException $exception
     * @return bool
     */
    private function isConnectionExceptionCausedByConnection(PDOException $exception)
    {
        return in_array($exception->getCode(), [
            2002, // Can't connect to MySQL server (Socket)
            2003, // Can't connect to MySQL server (TCP)
            2006, // MySQL server has gone away
            2013, // Lost connection to MySQL server during query
        ]);
    }

    /**
     * Close the database connection.
     */
    public function disconnect()
    {
        $this->pdo = null;
    }

    /**
     */
    public function reconnect()
    {
        $this->disconnect();
        $this->connect();
    }

    /**
     * Check if database connection is open.
     *
     * @return bool
     */
    public function isConnected()
    {
        return ($this->pdo instanceof PDO);
    }

    /**
     * Returns the PDO handle.
     *
     * Can be used to gain access to any special PDO methods.
     *
     * @return PDO
     */
    public function getPdo()
    {
        return $this->pdo;
    }

    /**
     * Creates and executes a PDO statement.
     *
     * @param string $sql
     * @param array  $parameters
     * @return PDOStatement
     */
    protected function executeQuery($sql, array $parameters = [])
    {
        $this->connect();

        $dbParameters = $this->prepareParameters($parameters);
        try {
            $pdoStatement = $this->pdo->prepare($sql);
            $pdoStatement->execute($dbParameters);

            return $pdoStatement;
        } catch (PDOException $e) {
            throw new QueryException($e, $sql, $dbParameters);
        }
    }

    /**
     * Execute an SQL statement and return the number of affected rows.
     *
     * @param string $sql
     * @param array  $parameters
     * @return int The number of rows affected
     */
    public function exec($sql, array $parameters = [])
    {
        $statement = $this->executeQuery($sql, $parameters);

        return $statement->rowCount();
    }

    /**
     * Execute an SQL statement and return the first row.
     *
     * @param string $sql
     * @param array  $parameters
     * @param bool   $indexedKeys
     * @return array|false
     */
    public function fetchRow($sql, array $parameters = [], $indexedKeys = false)
    {
        $statement = $this->executeQuery($sql, $parameters);

        return $statement->fetch($indexedKeys ? PDO::FETCH_NUM : PDO::FETCH_ASSOC);
    }

    /**
     * Execute an SQL statement and return all rows as an array.
     *
     * @param string $sql
     * @param array  $parameters
     * @param bool   $indexedKeys
     * @return array
     */
    public function fetchRows($sql, array $parameters = [], $indexedKeys = false)
    {
        $statement = $this->executeQuery($sql, $parameters);

        return $statement->fetchAll($indexedKeys ? PDO::FETCH_NUM : PDO::FETCH_ASSOC);
    }

    /**
     * Execute an SQL statement and return the first column of the first row.
     *
     * @param string $sql
     * @param array  $parameters
     * @return string|false
     */
    public function fetchValue($sql, array $parameters = [])
    {
        $statement = $this->executeQuery($sql, $parameters);

        return $statement->fetchColumn(0);
    }

    /**
     * Quote a value for a safe use in query (eg. bla'bla -> 'bla''bla').
     *
     * @param mixed $value
     * @return string
     */
    public function quote($value)
    {
        $this->connect();

        return $this->pdo->quote($value);
    }

    /**
     * Get id of the last inserted row.
     *
     * @return int
     */
    public function getLastInsertId()
    {
        $this->connect();

        return (int) $this->pdo->lastInsertId();
    }

    /**
     * Prepare parameters for database use.
     *
     * @param array $parameters
     * @return array
     */
    protected function prepareParameters(array $parameters = [])
    {
        foreach ($parameters as &$parameterValue) {
            if (is_bool($parameterValue)) {
                $parameterValue = (int) $parameterValue;
            } elseif ($parameterValue instanceof \DateTimeInterface) {
                $parameterValue = $parameterValue->format('Y-m-d H:i:s');
            } elseif (!is_scalar($parameterValue) && $parameterValue !== null) {
                throw new \InvalidArgumentException(
                    sprintf('Invalid db parameter type "%s"', gettype($parameterValue))
                );
            }
        }
        unset($parameterValue);

        return $parameters;
    }

    /**
     * Begin transaction (turns off autocommit mode).
     *
     * @param bool $onlyIfNoActiveTransaction
     * @return bool
     */
    public function beginTransaction($onlyIfNoActiveTransaction = false)
    {
        $this->connect();

        if ($onlyIfNoActiveTransaction && $this->hasActiveTransaction()) {
            return false;
        }

        $this->pdo->beginTransaction();
        $this->hasActiveTransaction = true;

        return true;
    }

    /**
     * Commits current active transaction (restores autocommit mode).
     */
    public function commit()
    {
        $this->connect();

        $this->pdo->commit();
        $this->hasActiveTransaction = false;
    }

    /**
     * Rolls back current active transaction (restores autocommit mode).
     */
    public function rollBack()
    {
        $this->connect();

        $this->pdo->rollBack();
        $this->hasActiveTransaction = false;
    }

    /**
     * @return bool
     */
    public function hasActiveTransaction()
    {
        return $this->hasActiveTransaction;
    }

    /**
     * @param string $table
     * @param array $data
     * @param bool $updateOnDuplicateKey
     * @return int The number of rows affected
     */
    public function insert($table, array $data, $updateOnDuplicateKey = false)
    {
        $sql = 'INSERT INTO `' . $table . '`';
        if (empty($data)) {
            $sql .= "\nVALUES ()";
            $parameters = [];
        } else {
            $fields = array_keys($data);
            $fieldsSql = '`' . implode('`, `', $fields) . '`';
            $placeholdersSql = implode(', ', array_fill(0, count($fields), '?'));

            $sql .= ' (' . $fieldsSql . ")\n";
            $sql .= 'VALUES (' . $placeholdersSql . ")\n";

            $parameters = array_values($data);

            if ($updateOnDuplicateKey) {
                $assignmentSql = $this->getAssignmentSql(array_fill_keys($fields, '?'));
                $sql .= 'ON DUPLICATE KEY UPDATE ' . $assignmentSql;
                $parameters = array_merge($parameters, $parameters);
            }
        }

        return $this->exec($sql, $parameters);
    }

    /**
     * @param array $assignmentData
     * @return string
     */
    protected function getAssignmentSql(array $assignmentData)
    {
        $assignments = [];
        foreach ($assignmentData as $field => $value) {
            $assignments[] = sprintf('`%s` = %s', $field, $value);
        }

        return implode(', ', $assignments);
    }

    /**
     * @param string $table
     * @param array  $data
     * @param string $whereSql
     * @param array  $whereParameters
     * @return int The number of rows affected
     */
    public function update($table, array $data, $whereSql = '', array $whereParameters = [])
    {
        $fields = array_keys($data);
        $assignmentSql = $this->getAssignmentSql(array_fill_keys($fields, '?'));

        $sql = 'UPDATE `' . $table . "`\n"
            . 'SET ' . $assignmentSql
            . ($whereSql ? "\nWHERE " . $whereSql : '')
        ;

        $parameters = array_merge(array_values($data), $whereParameters);

        return $this->exec($sql, $parameters);
    }
}


GitHub Access Token became invalid

Issues (11)

Security Analysis no request data

src/Db.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1		<?php
2		/**
3		* Starlit Db.
4		*
5		* @copyright Copyright (c) 2016 Starweb AB
6		* @license BSD 3-Clause
7		*/
8
9		namespace Starlit\Db;
10
11		use Starlit\Db\Exception\ConnectionException;
12		use Starlit\Db\Exception\QueryException;
13		use \PDO;
14		use \PDOException;
15		use \PDOStatement;
16
17		/**
18		* Extended PDO database wrapper.
19		*
20		* @author Andreas Nilsson <http://github.com/jandreasn>
21		*/
22		class Db
23		{
24		/**
25		* Database handle/connection.
26		*
27		* @var PDO
28		*/
29		protected $pdo;
30
31		/**
32		* @var string
33		*/
34		protected $dsn;
35
36		/**
37		* @var string
38		*/
39		protected $username;
40
41		/**
42		* @var string
43		*/
44		protected $password;
45
46		/**
47		* @var array
48		*/
49		protected $options;
50
51		/**
52		* @var bool
53		*/
54		protected $hasActiveTransaction = false;
55
56		/**
57		* @var PdoFactoryInterface
58		*/
59		private $pdoFactory;
60
61		/**
62		* Constructor.
63		*
64		* @param string\|PDO $hostDsnOrPdo A MySQL host, a dsn or an existing PDO instance.
65		* @param string\|null $username
66		* @param string\|null $password
67		* @param string\|null $database
68		* @param array $options
69		* @param PdoFactoryInterface $pdoFactory
70		*
71		* @deprecated The signature of the constructor will change in version 1.0.0 and accept
72		* only a PDO dsn string as first parameter dropping support to inject a PDO instance or host string
73		*/
74	28	public function __construct(
75		$hostDsnOrPdo,
76		$username = null,
77		$password = null,
78		$database = null,
79		array $options = [],
80		PdoFactoryInterface $pdoFactory = null
81		) {
82	28	if ($hostDsnOrPdo instanceof PDO) {
83	28	@trigger_error(
		0 ignored issues – show Security Best Practice introduced 2019-02-24 22:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended. If you suppress an error, we recommend checking for the error condition explicitly: // For example instead of @mkdir($dir); // Better use if (@mkdir($dir) === false) { throw new \RuntimeException('The directory '.$dir.' could not be created.'); } Loading history...
84		'Support to pass a PDO instance to the constructor is deprecated and will be removed in version 1.0.0.'
85	28	. ' You need to pass in a PDO dsn in the future as first parameter.',
86	28	E_USER_DEPRECATED
87		);
88
89	28	$this->pdo = $hostDsnOrPdo;
90	4	} elseif (strpos($hostDsnOrPdo, ':') !== false) {
91	3	$this->dsn = $hostDsnOrPdo;
92		} else {
93	1	@trigger_error(
		0 ignored issues – show Security Best Practice introduced 2019-02-24 22:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended. If you suppress an error, we recommend checking for the error condition explicitly: // For example instead of @mkdir($dir); // Better use if (@mkdir($dir) === false) { throw new \RuntimeException('The directory '.$dir.' could not be created.'); } Loading history...
94		'Support to pass a host and database to the constructor is deprecated and will be removed in version '
95	1	. '1.0.0. You need to pass in a PDO dsn in the future as first parameter.',
96	1	E_USER_DEPRECATED
97		);
98	1	$this->dsn = "mysql:host={$hostDsnOrPdo}" . ($database ? ";dbname={$database}" : '');
99		}
100
101	28	$this->username = $username;
102	28	$this->password = $password;
103	28	$this->options = $options;
104	28	$this->pdoFactory = $pdoFactory ?? new PdoFactory();
105	28	}
106
107	18	public function connect()
108		{
109	18	if ($this->isConnected()) {
110	15	return;
111		}
112
113	3	$retries = $this->options['connectRetries'] ?? 0;
114		do {
115		try {
116	3	$this->pdo = $this->pdoFactory->createPdo($this->dsn, $this->username, $this->password, $this->options);
117
118	2	return;
119	2	} catch (PDOException $e) {
120	2	if ($this->isConnectionExceptionCausedByConnection($e) && $retries > 0) {
121		// Sleep for 100 - 500 ms until next retry
122	2	usleep(rand(100000, 500000));
123		} else {
124	1	throw new ConnectionException($e);
125		}
126		}
127	2	} while ($retries-- > 0);
128		}
129
130		/**
131		* @param PDOException $exception
132		* @return bool
133		*/
134	2	private function isConnectionExceptionCausedByConnection(PDOException $exception)
135		{
136	2	return in_array($exception->getCode(), [
137	2	2002, // Can't connect to MySQL server (Socket)
138		2003, // Can't connect to MySQL server (TCP)
139		2006, // MySQL server has gone away
140		2013, // Lost connection to MySQL server during query
141		]);
142		}
143
144		/**
145		* Close the database connection.
146		*/
147	1	public function disconnect()
148		{
149	1	$this->pdo = null;
150	1	}
151
152		/**
153		*/
154	1	public function reconnect()
155		{
156	1	$this->disconnect();
157	1	$this->connect();
158	1	}
159
160		/**
161		* Check if database connection is open.
162		*
163		* @return bool
164		*/
165	19	public function isConnected()
166		{
167	19	return ($this->pdo instanceof PDO);
168		}
169
170		/**
171		* Returns the PDO handle.
172		*
173		* Can be used to gain access to any special PDO methods.
174		*
175		* @return PDO
176		*/
177	4	public function getPdo()
178		{
179	4	return $this->pdo;
180		}
181
182		/**
183		* Creates and executes a PDO statement.
184		*
185		* @param string $sql
186		* @param array $parameters
187		* @return PDOStatement
188		*/
189	7	protected function executeQuery($sql, array $parameters = [])
190		{
191	7	$this->connect();
192
193	7	$dbParameters = $this->prepareParameters($parameters);
194		try {
195	6	$pdoStatement = $this->pdo->prepare($sql);
196	5	$pdoStatement->execute($dbParameters);
197
198	5	return $pdoStatement;
199	1	} catch (PDOException $e) {
200	1	throw new QueryException($e, $sql, $dbParameters);
201		}
202		}
203
204		/**
205		* Execute an SQL statement and return the number of affected rows.
206		*
207		* @param string $sql
208		* @param array $parameters
209		* @return int The number of rows affected
210		*/
211	4	public function exec($sql, array $parameters = [])
212		{
213	4	$statement = $this->executeQuery($sql, $parameters);
214
215	2	return $statement->rowCount();
216		}
217
218		/**
219		* Execute an SQL statement and return the first row.
220		*
221		* @param string $sql
222		* @param array $parameters
223		* @param bool $indexedKeys
224		* @return array\|false
225		*/
226	1	public function fetchRow($sql, array $parameters = [], $indexedKeys = false)
227		{
228	1	$statement = $this->executeQuery($sql, $parameters);
229
230	1	return $statement->fetch($indexedKeys ? PDO::FETCH_NUM : PDO::FETCH_ASSOC);
231		}
232
233		/**
234		* Execute an SQL statement and return all rows as an array.
235		*
236		* @param string $sql
237		* @param array $parameters
238		* @param bool $indexedKeys
239		* @return array
240		*/
241	1	public function fetchRows($sql, array $parameters = [], $indexedKeys = false)
242		{
243	1	$statement = $this->executeQuery($sql, $parameters);
244
245	1	return $statement->fetchAll($indexedKeys ? PDO::FETCH_NUM : PDO::FETCH_ASSOC);
246		}
247
248		/**
249		* Execute an SQL statement and return the first column of the first row.
250		*
251		* @param string $sql
252		* @param array $parameters
253		* @return string\|false
254		*/
255	1	public function fetchValue($sql, array $parameters = [])
256		{
257	1	$statement = $this->executeQuery($sql, $parameters);
258
259	1	return $statement->fetchColumn(0);
260		}
261
262		/**
263		* Quote a value for a safe use in query (eg. bla'bla -> 'bla''bla').
264		*
265		* @param mixed $value
266		* @return string
267		*/
268	1	public function quote($value)
269		{
270	1	$this->connect();
271
272	1	return $this->pdo->quote($value);
273		}
274
275		/**
276		* Get id of the last inserted row.
277		*
278		* @return int
279		*/
280	1	public function getLastInsertId()
281		{
282	1	$this->connect();
283
284	1	return (int) $this->pdo->lastInsertId();
285		}
286
287		/**
288		* Prepare parameters for database use.
289		*
290		* @param array $parameters
291		* @return array
292		*/
293	7	protected function prepareParameters(array $parameters = [])
294		{
295	7	foreach ($parameters as &$parameterValue) {
296	6	if (is_bool($parameterValue)) {
297	1	$parameterValue = (int) $parameterValue;
298	6	} elseif ($parameterValue instanceof \DateTimeInterface) {
299	1	$parameterValue = $parameterValue->format('Y-m-d H:i:s');
300	5	} elseif (!is_scalar($parameterValue) && $parameterValue !== null) {
301	1	throw new \InvalidArgumentException(
302	6	sprintf('Invalid db parameter type "%s"', gettype($parameterValue))
303		);
304		}
305		}
306	6	unset($parameterValue);
307
308	6	return $parameters;
309		}
310
311		/**
312		* Begin transaction (turns off autocommit mode).
313		*
314		* @param bool $onlyIfNoActiveTransaction
315		* @return bool
316		*/
317	4	public function beginTransaction($onlyIfNoActiveTransaction = false)
318		{
319	4	$this->connect();
320
321	4	if ($onlyIfNoActiveTransaction && $this->hasActiveTransaction()) {
322	1	return false;
323		}
324
325	4	$this->pdo->beginTransaction();
326	4	$this->hasActiveTransaction = true;
327
328	4	return true;
329		}
330
331		/**
332		* Commits current active transaction (restores autocommit mode).
333		*/
334	2	public function commit()
335		{
336	2	$this->connect();
337
338	2	$this->pdo->commit();
339	2	$this->hasActiveTransaction = false;
340	2	}
341
342		/**
343		* Rolls back current active transaction (restores autocommit mode).
344		*/
345	2	public function rollBack()
346		{
347	2	$this->connect();
348
349	2	$this->pdo->rollBack();
350	2	$this->hasActiveTransaction = false;
351	2	}
352
353		/**
354		* @return bool
355		*/
356	3	public function hasActiveTransaction()
357		{
358	3	return $this->hasActiveTransaction;
359		}
360
361		/**
362		* @param string $table
363		* @param array $data
364		* @param bool $updateOnDuplicateKey
365		* @return int The number of rows affected
366		*/
367	3	public function insert($table, array $data, $updateOnDuplicateKey = false)
368		{
369	3	$sql = 'INSERT INTO `' . $table . '`';
370	3	if (empty($data)) {
371	1	$sql .= "\nVALUES ()";
372	1	$parameters = [];
373		} else {
374	2	$fields = array_keys($data);
375	2	$fieldsSql = '`' . implode('`, `', $fields) . '`';
376	2	$placeholdersSql = implode(', ', array_fill(0, count($fields), '?'));
377
378	2	$sql .= ' (' . $fieldsSql . ")\n";
379	2	$sql .= 'VALUES (' . $placeholdersSql . ")\n";
380
381	2	$parameters = array_values($data);
382
383	2	if ($updateOnDuplicateKey) {
384	1	$assignmentSql = $this->getAssignmentSql(array_fill_keys($fields, '?'));
385	1	$sql .= 'ON DUPLICATE KEY UPDATE ' . $assignmentSql;
386	1	$parameters = array_merge($parameters, $parameters);
387		}
388		}
389
390	3	return $this->exec($sql, $parameters);
391		}
392
393		/**
394		* @param array $assignmentData
395		* @return string
396		*/
397	2	protected function getAssignmentSql(array $assignmentData)
398		{
399	2	$assignments = [];
400	2	foreach ($assignmentData as $field => $value) {
401	2	$assignments[] = sprintf('`%s` = %s', $field, $value);
402		}
403
404	2	return implode(', ', $assignments);
405		}
406
407		/**
408		* @param string $table
409		* @param array $data
410		* @param string $whereSql
411		* @param array $whereParameters
412		* @return int The number of rows affected
413		*/
414	1	public function update($table, array $data, $whereSql = '', array $whereParameters = [])
415		{
416	1	$fields = array_keys($data);
417	1	$assignmentSql = $this->getAssignmentSql(array_fill_keys($fields, '?'));
418
419	1	$sql = 'UPDATE `' . $table . "`\n"
420	1	. 'SET ' . $assignmentSql
421	1	. ($whereSql ? "\nWHERE " . $whereSql : '')
422		;
423
424	1	$parameters = array_merge(array_values($data), $whereParameters);
425
426	1	return $this->exec($sql, $parameters);
427		}
428		}
429

starweb / starlit-db

GitHub Access Token became invalid

Issues (11)

Security Analysis no request data

src/Db.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like