Database queries should use parameter binding

  • Critical
  • Security

More information: https://insight.sensiolabs.com/what-we-analyse/doctrine.database_query_contains_string_and_variable_concatenation

        if ($this->messageIndex < self::MESSAGE_LIMIT) {
            $this->setFirephpHeader($firePhpMeta, $value);
        } elseif ($this->messageIndex === self::MESSAGE_LIMIT) {
            $this->setFirephpHeader(
                array('Type' => $this->firephpMethods['warn']),
                'Limit of '.number_format(self::MESSAGE_LIMIT).' firePhp messages reached!'

    If provided by the user, the value of number_format(self::MESSAGE_LIMIT) may allow an SQL injection attack. Avoid concatenating parameters to SQL query strings, and use parameter binding instead.

    Time to fix: about 1 hour
    Last edited by Brad Kent
            );
        }
        return;
    }
  • bkdotcom

    Ignored on Tue, 25 Jul 2017 02:42:30 GMT
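
The rule behind this finding is sound wherever a concatenated value can reach an SQL string, but the flagged line concatenates a class constant formatted by number_format(self::MESSAGE_LIMIT) into a FirePHP header message, so neither user input nor a query is involved. The following is an added example, not code from the analysed project, showing what the rule is about: the same lookup written with string concatenation and with PDO parameter binding, run against an in-memory SQLite database so it needs nothing but PHP with the pdo_sqlite extension. The table, its rows, the function names and the attacker input are all constructed for the demonstration.

```php
<?php
// Added example, not code from the analysed project: the same lookup built by
// string concatenation and by parameter binding, run against an in-memory
// SQLite database so it needs nothing but PHP with the pdo_sqlite extension.
// The table, its rows, the function names and the attacker input below are
// all constructed for this demonstration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$pdo->exec("INSERT INTO users (name, secret) VALUES ('alice', 's3cr3t'), ('bob', 'hunter2')");

/**
 * Vulnerable: the caller's value becomes part of the SQL text, so a quote
 * in it ends the literal and whatever follows is parsed as SQL.
 */
function findByNameConcat(PDO $pdo, $name)
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * Fixed: the SQL text is fixed when the statement is prepared; the value is
 * passed separately and is only ever compared as data.
 */
function findByNameBound(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$attackerInput = "x' OR '1'='1";   // constructed: closes the literal, appends a tautology

echo "concatenated: ", implode(', ', findByNameConcat($pdo, $attackerInput)), "\n";
echo "bound:        ", implode(', ', findByNameBound($pdo, $attackerInput)), "\n";
```

Run it with `php inject.php`. The concatenated lookup returns both names, because the quote in the input closes the string literal and the appended `OR '1'='1'` matches every row; the bound lookup returns nothing, because no user is literally named `x' OR '1'='1`. Binding is only a fix where the concatenated value can come from a request; a class constant, as in the flagged line, cannot.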

PHP configuration should not be changed dynamically (2 occurrences)

  • Major
  • Bugrisk

More information: https://insight.sensiolabs.com/what-we-analyse/php.dynamically_change_configuration

     * @return void
     */
    public function register()
    {
        if (!$this->registered) {
            $this->prevDisplayErrors = ini_set('display_errors', 0);

    Changing PHP configuration dynamically through ini_set() may create hard to debug errors.

    Time to fix: about 2 hours
    Last edited by Brad Kent
            $this->prevErrorHandler = set_error_handler(array($this, 'handleError'));
            $this->prevExceptionHandler = set_exception_handler(array($this, 'handleException'));
            $this->registered = true; // used by this->shutdownFunction()
        }
        return;
  • bkdotcom

    > may create hard to debug errors.

    That goes against the mission of this project.
  • bkdotcom

    Ignored on Tue, 25 Jul 2017 02:43:51 GMT
            restore_exception_handler();
            if ($exHandlerCur == array($this, 'handleException')) {
                // we are the current exception handler
                restore_exception_handler();
            }
            ini_set('display_errors', $this->prevDisplayErrors);

    Changing PHP configuration dynamically through ini_set() may create hard to debug errors.

    Time to fix: about 2 hours
    Last edited by Brad Kent
            $this->prevErrorHandler = null;
            $this->registered = false; // used by shutdownFunction()
        }
        return;
    }
  • bkdotcom

    > may create hard to debug errors.

    Hopefully causes errors to be easily debugged.
  • bkdotcom

    Ignored on Tue, 25 Jul 2017 02:53:37 GMT

Object parameters should be type hinted

  • Minor
  • Bugrisk

More information: https://insight.sensiolabs.com/what-we-analyse/php.object_parameter_not_type_hinted

     *
     * @param Exception|Throwable $exception exception to handle
     *
     * @return void
     */
    public function handleException($exception)

    The parameter exception, which is an object, should be typehinted.

    Time to fix: about 1 hour
    Last edited by Brad Kent
    {
        // let's store the exception so we can use the backtrace it provides
        $this->uncaughtException = $exception;
        $this->handleError(
            E_ERROR,
  • bkdotcom

    http://php.net/manual/en/function.set-exception-handler.php
    Note that providing an explicit Exception type hint for the ex parameter in your callback will cause issues with the changed exception hierarchy in PHP 7.
  • bkdotcom

    Ignored on Wed, 13 Sep 2017 01:05:10 GMT
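
The two ini_set() findings above and this type-hint finding concern the same register/unregister pattern, so one added example covers both. It is my code, not the project's own ErrorHandler: a minimal handler whose register() keeps what ini_set() returns so that unregister() can put display_errors back to exactly its previous value (the part that makes a dynamic configuration change debuggable rather than a leak into the rest of the process), and whose handleException() parameter is left untyped, with a runtime check instead, so that the same method accepts Exception on PHP 5 and any Throwable on PHP 7 and later. The class name, method names, log format and the constructed inputs at the bottom are this example's own assumptions.

```php
<?php
// Added example, not the project's own ErrorHandler: a minimal handler that
// follows the register/unregister pattern flagged in the report. register()
// keeps what ini_set() returns so that unregister() can restore display_errors
// to exactly its previous value; the error and exception handlers are popped
// again with restore_error_handler()/restore_exception_handler().
// handleException() takes an untyped parameter so that the same method
// accepts Exception on PHP 5 and any Throwable (Exception or Error) on PHP 7+.
// Class name, method names, log format and the test inputs are this example's own.

class MinimalErrorHandler
{
    private $registered = false;
    private $prevDisplayErrors = false;
    public $log = array();

    public function register()
    {
        if ($this->registered) {
            return;
        }
        // ini_set() returns the old value as a string, or false if the
        // directive could not be changed (e.g. locked via php_admin_value).
        $this->prevDisplayErrors = ini_set('display_errors', '0');
        // set_error_handler()/set_exception_handler() push onto a stack and
        // return the previous handler, which a chaining handler could keep.
        set_error_handler(array($this, 'handleError'));
        set_exception_handler(array($this, 'handleException'));
        $this->registered = true;
    }

    public function unregister()
    {
        if (!$this->registered) {
            return;
        }
        restore_error_handler();
        restore_exception_handler();
        if ($this->prevDisplayErrors !== false) {
            ini_set('display_errors', $this->prevDisplayErrors);
        }
        $this->registered = false;
    }

    public function handleError($errno, $errstr, $errfile, $errline)
    {
        $this->log[] = sprintf('error %d: %s (%s:%d)', $errno, $errstr, basename($errfile), $errline);
        return true; // handled: PHP's built-in handler (and display_errors) stays out of it
    }

    // Deliberately untyped: "Exception" would reject PHP 7 Error objects and
    // "Throwable" does not exist on PHP 5, so accept either and check at runtime.
    public function handleException($exception)
    {
        if (!($exception instanceof Exception) && !($exception instanceof Throwable)) {
            throw new InvalidArgumentException('handleException() expects an Exception or Throwable');
        }
        $this->log[] = 'uncaught ' . get_class($exception) . ': ' . $exception->getMessage();
    }
}

$before = ini_get('display_errors');

$handler = new MinimalErrorHandler();
$handler->register();

$undefined = array();
$unused = $undefined['missing'];   // constructed: undefined key, routed to handleError()
// Called directly so the script continues; a real uncaught exception would
// reach this method through set_exception_handler() and then end the script.
$handler->handleException(new RuntimeException('constructed test exception'));

$handler->unregister();

print_r($handler->log);
var_dump(ini_get('display_errors') === $before);   // checks that display_errors was restored
```

Run it with `php handler.php` on PHP 5.3 or later. The undefined-key read is an E_NOTICE on PHP 5 and 7 and an E_WARNING on PHP 8; either way it is routed to handleError() and never printed, because display_errors is off while the handler is registered and the handler returns true. On PHP 5, `instanceof Throwable` simply evaluates to false for an unknown class name, so the runtime check falls through to the Exception test. If the project only supported PHP 7 and later, a `Throwable` type hint would be the cleaner choice; the untyped parameter is the price of keeping one code path for both major versions, which is what the php.net note quoted above is warning about.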