rspec/rules/S3291/php/rule.adoc

== Why is this an issue?

This rule will check that:

* the sql query is not built using a concatenation
* there is at least a call to bindParm between the call to prepare and fetch on the PDO connection object


=== Noncompliant code example

[source,php]
----
$id = $_GET['id'];
try {
    $conn = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);    

    $stmt = $conn->prepare('SELECT * FROM myTable WHERE id = ' + $id);

    while($row = $stmt->fetch(PDO::FETCH_OBJ)) {
        echo $row->name;
    }
} catch(PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
}
----


=== Compliant solution

[source,php]
----
$id = $_GET['id'];
try {
    $conn = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);    

    $stmt = $conn->prepare('SELECT * FROM myTable WHERE id = :id');
    $stmt->bindParam(':id', $id, PDO::PARAM_INT);

    while($row = $stmt->fetch(PDO::FETCH_OBJ)) {
        echo $row->name;
    }
} catch(PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
}
----


== Resources

* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
* https://cwe.mitre.org/data/definitions/89[MITRE, CWE-89] - Improper Neutralization of Special Elements used in an SQL Command

ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

=== on 28 Jul 2015, 11:15:41 Ann Campbell wrote:
\[~alexandre.gigleux] isn't this just like the subtask I closed yesterday? I rolled the gist of that one into the other subtask...

=== on 28 Jul 2015, 11:25:14 Alexandre Gigleux wrote:
That's correct. Creating it as a SubTask was not correct hence why I created again as a Task. 

=== on 28 Jul 2015, 11:32:20 Ann Campbell wrote:
There's no need for this RSpec [~alexandre.gigleux]. I've already rolled the gist of it into the other subtask.

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`This rule will check that:`

			`* the sql query is not built using a concatenation`
			`* there is at least a call to bindParm between the call to prepare and fetch on the PDO connection object`


migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`----`
			`$id = $_GET['id'];`
			`try {`
			`$conn = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);`
			`$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);`

			`$stmt = $conn->prepare('SELECT * FROM myTable WHERE id = ' + $id);`

			`while($row = $stmt->fetch(PDO::FETCH_OBJ)) {`
			`echo $row->name;`
			`}`
			`} catch(PDOException $e) {`
			`echo 'ERROR: ' . $e->getMessage();`
			`}`
			`----`


migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`----`
			`$id = $_GET['id'];`
			`try {`
			`$conn = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);`
			`$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);`

			`$stmt = $conn->prepare('SELECT * FROM myTable WHERE id = :id');`
			`$stmt->bindParam(':id', $id, PDO::PARAM_INT);`

			`while($row = $stmt->fetch(PDO::FETCH_OBJ)) {`
			`echo $row->name;`
			`}`
			`} catch(PDOException $e) {`
			`echo 'ERROR: ' . $e->getMessage();`
			`}`
			`----`


migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00
			`* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection`
Fix CWE mapping (#1128) 2022-08-18 10:33:50 +02:00			`* https://cwe.mitre.org/data/definitions/89[MITRE, CWE-89] - Improper Neutralization of Special Elements used in an SQL Command`
RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 28 Jul 2015, 11:15:41 Ann Campbell wrote:`
			`\[~alexandre.gigleux] isn't this just like the subtask I closed yesterday? I rolled the gist of that one into the other subtask...`

			`=== on 28 Jul 2015, 11:25:14 Alexandre Gigleux wrote:`
			`That's correct. Creating it as a SubTask was not correct hence why I created again as a Task.`

			`=== on 28 Jul 2015, 11:32:20 Ann Campbell wrote:`
			`There's no need for this RSpec [~alexandre.gigleux]. I've already rolled the gist of it into the other subtask.`

RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`endif::env-github,rspecator-view[]`