phpbb / epv

Extension Pre-Validator
GNU General Public License v2.0

Add potential SQL injection validator #57

Closed senky closed 7 years ago

senky commented 7 years ago

This PR adds a new validator which tries to find potential SQL injection entry points. What it does is basically find all SQL queries where a WHERE clause contains a PHP variable which is not cast to (int) or sql_escape-d.

Note that in order to prevent false positives, there are edge cases that are omitted, like `WHERE forum_id = $from_id";`. Extension validators should check all SQL queries manually during the validation.
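To make the heuristic described in this PR concrete, here is a small stand-alone scanner in Python. It is an added illustration, not EPV's own validator code (EPV is written in PHP): it locates the WHERE clause of each query line, lists the PHP variables in it, and reports any variable that is neither preceded by an `(int)` cast nor wrapped in a `sql_escape(...)` call. It also skips the edge case the PR mentions (a variable that directly closes the string literal, as in `= $from_id";`). The PHP lines it scans are constructed sample input, not code from any real extension.

```python
import re
from typing import List, Tuple

# Constructed sample PHP source (not from EPV or any real phpBB extension).
SAMPLE_PHP = r'''$sql = 'SELECT * FROM ' . FORUMS_TABLE . ' WHERE forum_id = ' . (int) $forum_id;
$sql = "SELECT * FROM " . USERS_TABLE . " WHERE username = '" . $db->sql_escape($username) . "'";
$sql = "SELECT * FROM " . POSTS_TABLE . " WHERE post_subject = '$subject'";
$sql = 'SELECT * FROM ' . TOPICS_TABLE . ' WHERE topic_title = ' . $title;
$sql = "SELECT * FROM " . FORUMS_TABLE . " WHERE forum_id = $from_id";
$result = $db->sql_query($sql);'''

VAR_RE = re.compile(r'\$[A-Za-z_]\w*')                      # a PHP variable
WHERE_RE = re.compile(r'\bWHERE\b', re.IGNORECASE)          # start of the WHERE clause
ESCAPE_RE = re.compile(r'sql_escape\s*\(([^()]*)\)')        # argument of sql_escape(...)
INT_CAST_RE = re.compile(r'\(\s*int\s*\)\s*$', re.IGNORECASE)  # text ends with an (int) cast
CLOSES_LITERAL_RE = re.compile(r'''["']\s*;''')             # variable ends the string literal


def find_unsafe_where_variables(line: str) -> List[str]:
    """Return the PHP variables in this line's WHERE clause that are
    neither (int)-cast nor passed through sql_escape(). Lines without a
    WHERE clause yield an empty list."""
    m = WHERE_RE.search(line)
    if not m:
        return []
    clause = line[m.end():]
    # Character spans inside sql_escape(...) count as escaped.
    escaped_spans = [(e.start(1), e.end(1)) for e in ESCAPE_RE.finditer(clause)]

    unsafe = []
    for var in VAR_RE.finditer(clause):
        start, end = var.span()
        before, after = clause[:start], clause[end:]
        if any(s <= start and end <= e for s, e in escaped_spans):
            continue                                  # escaped via sql_escape()
        if INT_CAST_RE.search(before):
            continue                                  # cast to (int)
        if after.startswith('->sql_escape'):
            continue                                  # the $db object itself, not a value
        if CLOSES_LITERAL_RE.match(after):
            continue                                  # edge case the PR omits: ... = $from_id";
        unsafe.append(var.group())
    return unsafe


def scan_php(source: str) -> List[Tuple[int, str]]:
    """Scan PHP source line by line; return (line number, variable) findings."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for var in find_unsafe_where_variables(line):
            findings.append((lineno, var))
    return findings


if __name__ == "__main__":
    for lineno, var in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: potential SQL injection, {var} used in WHERE without (int) or sql_escape")
```

Running it over the sample reports `$subject` on line 3 and `$title` on line 4; the `(int)`-cast and `sql_escape`-d queries pass, and the `= $from_id";` case is skipped exactly as the PR describes. The same two kinds of input (one line that triggers the notice, one that uses `sql_escape`) are what a unit test for the validator would need to cover.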

paul999 commented 7 years ago

Can you add a unit test for it, Senky? At least one that triggers the notice, and I guess one that has an sql_escape call in it. See https://github.com/phpbb/epv/blob/master/tests/epv_test_validate_php_functions_test.php#L18 on how you can run the tester.