Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix sql request when using encrypt

Browse Source
This commit is contained in:
Laurent Destailleur
2021-09-02 13:25:00 +02:00
parent 8600d8d00d
commit cac1a7ba5f
11 changed files with 98 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
test/phpunit/CodingPhpTest.php
View File

@@ -290,7 +290,13 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
// with xxx that is not 'thi' (for $this->db->sanitize) and 'db-' (for $db->sanitize). It means we forget a ' if string, or an (int) if int, when forging sql request.
preg_match_all('/(DELETE|OR|AND|WHERE|INSERT)\s.*([^\s][^\s][^\s])\s*=\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if ($val[2] == 'ity' && $val[3] == 'con') { // exclude entity = $conf->entity
if ($val[2] == 'ity' && $val[3] == 'con') { // exclude entity = ".$conf->entity
continue;
}
if ($val[2] == 'ame' && $val[3] == 'db-' && preg_match('/WHERE name/', $val[0])) { // exclude name = ".$db->encrypt(
continue;
}
if ($val[2] == 'ame' && $val[3] == 'thi' && preg_match('/WHERE name/', $val[0])) { // exclude name = ".$this->db->encrypt(
continue;
}
var_dump($matches);
@@ -305,7 +311,10 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
// with xxx that is not 'db-' (for $db->escape). It means we forget a ' if string, or an (int) if int, when forging sql request.
preg_match_all('/(VALUES).*,\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if ($val[2] == 'VALUES' && $val[3] == 'db-') { // exclude $db->escape(
if ($val[1] == 'VALUES' && $val[2] == 'db-') { // exclude $db->escape(
continue;
}
if ($val[1] == 'VALUES' && $val[2] == 'thi' && preg_match('/this->db->encrypt/', $val[0])) { // exclude ".$this->db->encrypt(
continue;
}
var_dump($matches);