Add mysqli.execute-query as sink for TaintedSql
cgocast committed Jun 21, 2024
1 parent 01a8eb0 commit 7c53c9d
Showing 2 changed files with 26 additions and 0 deletions.
10 changes: 10 additions & 0 deletions stubs/extensions/mysqli.phpstub
Expand Up @@ -126,6 +126,11 @@ class mysqli
* @var int<-1, max>|numeric-string
*/
public int|string $affected_rows;

/**
* @psalm-taint-sink sql $query
*/
public function execute_query(string $query, ?array $params = null): mysqli_result|bool {}
}

/**
Expand Down Expand Up @@ -190,6 +195,11 @@ class mysqli_stmt
public string $sqlstate;
}

/**
* @psalm-taint-sink sql $query
*/
function mysqli_execute_query(mysqli $mysql, string $query, ?array $params = null): mysqli_result|bool {}

/**
* @psalm-taint-sink callable $class
*
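Review bot: The two new stubs carry no docblock text beyond the sink tag, so a maintainer cannot tell whether leaving `$params` out of the sink was deliberate; add a line to both, e.g. `* Bound values in $params are sent separately from the statement text and are intentionally not a sink.` together with `* @since 8.2` on `mysqli_execute_query`/`mysqli::execute_query`, which only exist from PHP 8.2. If this extension stub is loaded regardless of the configured PHP version (I cannot confirm that from the hunk), declaring the function here unconditionally would also stop Psalm reporting an undefined function on projects targeting PHP 8.1 or lower; the version-gated stubs used for other 8.x additions may be the better home. The `mysqli` class that `execute_query` belongs to starts outside the hunk.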
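--- a/tests/TaintTest.php
+++ b/tests/TaintTest.php
@@ -2511,6 +2511,22 @@ public static function getPrevious(string $s): string {
 $function->invoke();',
 'error_message' => 'TaintedCallable',
 ],
+'taintedExecuteQueryFunction' => [
+'code' => '<?php
+$userId = $_GET["user_id"];
+$query = "delete from users where user_id = " . $userId;
+$link = mysqli_connect("localhost", "my_user", "my_password", "world");
+$result = mysqli_execute_query($link, $query);',
+'error_message' => 'TaintedSql',
+],
+'taintedExecuteQueryMethod' => [
+'code' => '<?php
+$userId = $_GET["user_id"];
+$query = "delete from users where user_id = " . $userId;
+$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
+$result = $mysqli->execute_query($query);',
+'error_message' => 'TaintedSql',
+],
 ];
 }
 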
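Review bot: Both new cases only assert that a concatenated query is flagged; nothing checks that the parameterised form — untrusted data passed via the `$params` array with a `?` placeholder in the query — is left alone, which is the whole reason `$params` is not marked as a sink in the stub. Without that negative case a later change to the stub or to array taint propagation could start reporting `TaintedSql` on correctly bound calls and no test would catch the regression. Add an entry to the test class's provider of valid (untainted) code, which lies outside this hunk; the data-provider method these cases belong to also starts outside the hunk.
```php
// … in the provider of untainted code samples, alongside the existing SQL cases …
'untaintedExecuteQueryWithBoundParams' => [
    'code' => '<?php
        $userId = $_GET["user_id"];
        $link = mysqli_connect("localhost", "my_user", "my_password", "world");
        $result = mysqli_execute_query($link, "delete from users where user_id = ?", [$userId]);',
],
```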
