Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix #ygosha5698

Browse Source
This commit is contained in:
Laurent Destailleur
2021-03-22 12:00:41 +01:00
parent 15440917b1
commit 6a0e0f4c06
43 changed files with 80 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
test/phpunit/CodingPhpTest.php
View File

@@ -311,6 +311,18 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].': '.$val[0].' - Bad.');
//exit;
// Check string IN (".xxx with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request.
preg_match_all('/ IN \([\'"]\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if (!in_array($val[1], array('$db->sani', '$this->db', 'getEntity', 'self::STA', 'Commande:', 'CommandeF', 'Facture::', 'FactureFo', 'ExpenseRe', 'Societe::'))) {
$ok=false;
break;
}
//if ($reg[0] != 'db') $ok=false;
}
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
$this->assertTrue($ok, 'Found non sanitized string in building of a IN or NOT IN sql request '.$file['relativename'].' - Bad.');
//exit;
// Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped.
$ok=true;