rspec/rules/S3291/php/rule.adoc

This rule will check that:

* the sql query is not built using a concatenation
* there is at least a call to bindParm between the call to prepare and fetch on the PDO connection object


== Noncompliant Code Example

[source,php]
----
$id = $_GET['id'];
try {
    $conn = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);    

    $stmt = $conn->prepare('SELECT * FROM myTable WHERE id = ' + $id);

    while($row = $stmt->fetch(PDO::FETCH_OBJ)) {
        echo $row->name;
    }
} catch(PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
}
----


== Compliant Solution

[source,php]
----
$id = $_GET['id'];
try {
    $conn = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);    

    $stmt = $conn->prepare('SELECT * FROM myTable WHERE id = :id');
    $stmt->bindParam(':id', $id, PDO::PARAM_INT);

    while($row = $stmt->fetch(PDO::FETCH_OBJ)) {
        echo $row->name;
    }
} catch(PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
}
----


== See

* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection

ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`This rule will check that:`

			`* the sql query is not built using a concatenation`
			`* there is at least a call to bindParm between the call to prepare and fetch on the PDO connection object`


			`== Noncompliant Code Example`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`----`
			`$id = $_GET['id'];`
			`try {`
			`$conn = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);`
			`$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);`

			`$stmt = $conn->prepare('SELECT * FROM myTable WHERE id = ' + $id);`

			`while($row = $stmt->fetch(PDO::FETCH_OBJ)) {`
			`echo $row->name;`
			`}`
			`} catch(PDOException $e) {`
			`echo 'ERROR: ' . $e->getMessage();`
			`}`
			`----`


			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`----`
			`$id = $_GET['id'];`
			`try {`
			`$conn = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);`
			`$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);`

			`$stmt = $conn->prepare('SELECT * FROM myTable WHERE id = :id');`
			`$stmt->bindParam(':id', $id, PDO::PARAM_INT);`

			`while($row = $stmt->fetch(PDO::FETCH_OBJ)) {`
			`echo $row->name;`
			`}`
			`} catch(PDOException $e) {`
			`echo 'ERROR: ' . $e->getMessage();`
			`}`
			`----`


RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`== See`

			`* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection`

RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
RULEAPI-617: Add Jira closed RSPECs in Github repository 2021-06-08 14:23:48 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
			`endif::env-github,rspecator-view[]`