mirror of
https://github.com/Dolibarr/dolibarr.git
synced 2026-01-07 01:23:00 +01:00
Clean code
This commit is contained in:
Laurent Destailleur
@@ -250,7 +250,6 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
// Check string get_class...
|
||||
preg_match_all('/'.preg_quote('get_class($this)."::".__METHOD__', '/').'/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val) {
|
||||
$ok=false;
|
||||
@@ -260,9 +259,9 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
$this->assertTrue($ok, 'Found string get_class($this)."::".__METHOD__ that must be replaced with __METHOD__ only in '.$file['relativename']);
|
||||
//exit;
|
||||
|
||||
// Check string $this->db->idate without quotes
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
// Check string $this->db->idate without quotes
|
||||
preg_match_all('/(..)\s*\.\s*\$this->db->idate\(/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val) {
|
||||
if ($val[1] != '\'"' && $val[1] != '\'\'') {
|
||||
@@ -276,11 +275,10 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
//exit;
|
||||
|
||||
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
|
||||
// Check sql string DELETE|OR|AND|WHERE|INSERT ... yyy = ".$xxx
|
||||
// with xxx that is not 'thi' (for $this->db->sanitize) and 'db-' (for $db->sanitize). It means we forget a ' if string, or an (int) if int, when forging sql request.
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
preg_match_all('/(DELETE|OR|AND|WHERE|INSERT)\s.*([^\s][^\s][^\s])\s*=\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val) {
|
||||
if ($val[2] == 'ity' && $val[3] == 'con') { // exclude entity = ".$conf->entity
|
||||
@@ -300,8 +298,39 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
$this->assertTrue($ok, 'Found non quoted or not casted var into sql request '.$file['relativename'].' - Bad.');
|
||||
//exit;
|
||||
|
||||
// Check that forged sql string is using " as string PHP quotes
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
preg_match_all('/\$sql \.= \'\s*VALUES.*\$/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val) {
|
||||
//if ($val[1] != '\'"' && $val[1] != '\'\'') {
|
||||
var_dump($matches);
|
||||
$ok=false;
|
||||
break;
|
||||
//}
|
||||
//if ($reg[0] != 'db') $ok=false;
|
||||
}
|
||||
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
|
||||
$this->assertTrue($ok, 'Found a forged SQL string that mix on same line the use of \' for PHP string and PHP variables into file '.$file['relativename'].' Use " to forge PHP string like this: $sql = "SELET ".$myvar...');
|
||||
//exit;
|
||||
|
||||
// Check that forged sql string is using " as string PHP quotes
|
||||
/*
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
preg_match_all('/\$sql \.*= \'SELECT.*\$/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val) {
|
||||
var_dump($matches);
|
||||
$ok=false;
|
||||
break;
|
||||
}
|
||||
$this->assertTrue($ok, 'Found a forged SQL string that mix on same line the use of \' for PHP string and PHP variables into file '.$file['relativename'].' Use " to forge PHP string like this: $sql = "SELET ".$myvar...');
|
||||
*/
|
||||
|
||||
// Check sql string VALUES ... , ".$xxx
|
||||
// with xxx that is not 'db-' (for $db->escape). It means we forget a ' if string, or an (int) if int, when forging sql request.
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
preg_match_all('/(VALUES).*,\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val) {
|
||||
if ($val[1] == 'VALUES' && $val[2] == 'db-') { // exclude $db->escape(
|
||||
@@ -321,6 +350,8 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
// Check '".$xxx non escaped
|
||||
|
||||
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val) {
|
||||
if ($val[1] != 'db->' && $val[1] != 'esca') {
|
||||
@@ -332,6 +363,8 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
$this->assertTrue($ok, 'Found non escaped string in building of a sql request (case 1) in '.$file['relativename'].' - Bad.');
|
||||
|
||||
// Check string sql|set...'".$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request.
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
preg_match_all('/(sql|SET|WHERE|INSERT|VALUES).+\s*\'"\s*\.\s*\$(.........)/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val) {
|
||||
if (! in_array($val[2], array('this->db-', 'this->esc', 'db->escap', 'dbs->esca', 'mydb->esc', 'dbsession', 'db->idate', 'escapedli', 'excludeGr', 'includeGr'))) {
|
||||
@@ -345,6 +378,8 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
//exit;
|
||||
|
||||
// Check string sql|set...'.$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request.
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
preg_match_all('/(\$sql|SET\s|WHERE\s|INSERT\s|VALUES\s|VALUES\().+\s*\'\s*\.\s*\$(.........)/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val) {
|
||||
if (! in_array($val[2], array('this->db-', 'db->sanit', 'conf->ent', 'key : \'\')', 'key])."\')', 'excludefi', 'regexstri', ''))) {
|
||||
@@ -361,6 +396,8 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
// Checks with IN
|
||||
|
||||
// Check string 'IN (".xxx' or 'IN (\'.xxx' with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request.
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
preg_match_all('/ IN \([\'"]\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val) {
|
||||
if (!in_array($val[1], array('$db->sani', '$this->db', 'getEntity', 'WON\',\'L', 'self::STA', 'Commande:', 'CommandeF', 'Entrepot:', 'Facture::', 'FactureFo', 'ExpenseRe', 'Societe::', 'Ticket::S'))) {
|
||||
@@ -374,6 +411,8 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
//exit;
|
||||
|
||||
// Check string 'IN (\'".xxx' with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request.
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
preg_match_all('/ IN \(\'"\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val) {
|
||||
if (!in_array($val[1], array('$db->sani', '$this->db', 'getEntity', 'WON\',\'L', 'self::STA', 'Commande:', 'CommandeF', 'Entrepot:', 'Facture::', 'FactureFo', 'ExpenseRe', 'Societe::', 'Ticket::S'))) {
|
||||
|
||||
Reference in New Issue
Block a user