Closed senky closed 7 years ago
Can you add a unit test for it, Senky? At least one that triggers the notice, and I guess one that has a `sql_escape` call in it. See https://github.com/phpbb/epv/blob/master/tests/epv_test_validate_php_functions_test.php#L18 on how you can run the tester.
This PR adds a new validator which tries to find potential SQL injection entry points. What it does is basically find all SQL queries where a `WHERE` clause contains a PHP variable which is not cast to `(int)` or `sql_escape`-d. Note that in order to prevent false positives, there are edge cases that are omitted, like `WHERE forum_id = $from_id";`. Extension validators should check all SQL queries manually during the validation.