ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S3291/php/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

70 lines
2.0 KiB
Plaintext
Raw Blame History

== Why is this an issue?
This rule will check that:
* the sql query is not built using a concatenation
* there is at least a call to bindParm between the call to prepare and fetch on the PDO connection object
=== Noncompliant code example
[source,php]
----
$id = $_GET['id'];
try {
$conn = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $conn->prepare('SELECT * FROM myTable WHERE id = ' + $id);
while($row = $stmt->fetch(PDO::FETCH_OBJ)) {
echo $row->name;
}
} catch(PDOException $e) {
echo 'ERROR: ' . $e->getMessage();
}
----
=== Compliant solution
[source,php]
----
$id = $_GET['id'];
try {
$conn = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $conn->prepare('SELECT * FROM myTable WHERE id = :id');
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
while($row = $stmt->fetch(PDO::FETCH_OBJ)) {
echo $row->name;
}
} catch(PDOException $e) {
echo 'ERROR: ' . $e->getMessage();
}
----
== Resources
* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
* https://cwe.mitre.org/data/definitions/89[MITRE, CWE-89] - Improper Neutralization of Special Elements used in an SQL Command
ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)
=== on 28 Jul 2015, 11:15:41 Ann Campbell wrote:
\[~alexandre.gigleux] isn't this just like the subtask I closed yesterday? I rolled the gist of that one into the other subtask...
=== on 28 Jul 2015, 11:25:14 Alexandre Gigleux wrote:
That's correct. Creating it as a SubTask was not correct hence why I created again as a Task.
=== on 28 Jul 2015, 11:32:20 Ann Campbell wrote:
There's no need for this RSpec [~alexandre.gigleux]. I've already rolled the gist of it into the other subtask.
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink