Clean sql code

This commit is contained in:
Laurent Destailleur
2024-10-29 02:18:17 +01:00
parent 46c6827ccb
commit e6f1d4835f
35 changed files with 151 additions and 137 deletions


@@ -331,6 +331,25 @@ class CodingPhpTest extends CommonClassTest
$this->assertTrue($ok, 'Found a forged SQL string that contains the function NOW() in file '.$file['relativename'].' Using this SQL function is forbidden. See https://wiki.dolibarr.org/index.php?title=Language_and_development_rules#SQL_Coding_rules');
//exit;
// Check bad casting on forge sql
$ok = true;
$matches = array();
preg_match_all('/\$sql\s*\.?=\s*[\"\'][a-z\s=_]+[\'\"]\s*\.\$([a-z->_]+)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if (in_array($val[1], array('object->get', 'user', 'this->sanitize', 'this->db->sanitize', 'this->db->escape', 'this->db->encrypt', 'this->db->plimit', 'db->decrypt', 'db->sanitize', 'db->ifsql', 'this->db->prefix', 'clause', 'sqlwhere', 'sqlorder'))) { // exclude $db->escape( and $this->
continue;
}
//if ($val[1] != '\'"' && $val[1] != '\'\'') {
var_dump($matches);
$ok = false;
break;
//}
//if ($reg[0] != 'db') $ok=false;
}
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
$this->assertTrue($ok, 'Found a forged SQL string that does not use escape or int cast for file '.$file['relativename']);
//exit;
// Check that forged sql string is using ' instead of " as string PHP quotes
$ok = true;
$matches = array();