From d2d8e5c651e387e9080eb4073aa69cc13c7bfe97 Mon Sep 17 00:00:00 2001
From: Markus Staab
Date: Tue, 4 Jan 2022 11:24:47 +0100
Subject: [PATCH 1/2] cover quoted query strings with tests these cases are supported with the newly added mysqli->real_escape_string() and pdo->quote() return type extensions
---
 .phpstan-dba.cache | 69 +++++++++++++++++++++++++++++++++++++++++++
 tests/data/mysqli.php | 27 +++++++++++++++++
 tests/data/pdo.php | 27 +++++++++++++++++
 3 files changed, 123 insertions(+)
diff --git a/.phpstan-dba.cache b/.phpstan-dba.cache
index 23224f915..9fb46a360 100644
--- a/.phpstan-dba.cache
+++ b/.phpstan-dba.cache
@@ -429,6 +429,75 @@ )), ), ), + 'SELECT email, adaid FROM ada WHERE adaid=1' => + array ( + 'error' => NULL, + 'result' => + array ( + 1 => + PHPStan\Type\Constant\ConstantArrayType::__set_state(array( + 'keyType' => + PHPStan\Type\UnionType::__set_state(array( + 'types' => + array ( + 0 => + PHPStan\Type\Constant\ConstantStringType::__set_state(array( + 'value' => 'adaid', + 'isClassString' => false, + )), + 1 => + PHPStan\Type\Constant\ConstantStringType::__set_state(array( + 'value' => 'email', + 'isClassString' => false, + )), + ), + )), + 'itemType' => + PHPStan\Type\UnionType::__set_state(array( + 'types' => + array ( + 0 => + PHPStan\Type\IntegerRangeType::__set_state(array( + 'min' => 0, + 'max' => 4294967295, + )), + 1 => + PHPStan\Type\StringType::__set_state(array( + )), + ), + )), + 'keyTypes' => + array ( + 0 => + PHPStan\Type\Constant\ConstantStringType::__set_state(array( + 'value' => 'email', + 'isClassString' => false, + )), + 1 => + PHPStan\Type\Constant\ConstantStringType::__set_state(array( + 'value' => 'adaid', + 'isClassString' => false, + )), + ), + 'valueTypes' => + array ( + 0 => + PHPStan\Type\StringType::__set_state(array( + )), + 1 => + PHPStan\Type\IntegerRangeType::__set_state(array( + 'min' => 0, + 'max' => 4294967295, + )), + ), + 'nextAutoIndex' => 0, + 'optionalKeys' => + array ( + ), + 'allArrays' => NULL, + )), + ), + ), 'SELECT email, adaid, gesperrt, freigabe1u1 FROM ada' => array ( 'error' => NULL, diff --git a/tests/data/mysqli.php b/tests/data/mysqli.php index 94122cb3f..c31958432 100644 --- a/tests/data/mysqli.php +++ b/tests/data/mysqli.php 
@@ -70,4 +70,31 @@ public function escape(mysqli $mysqli, int $i, float $f, $n, string $s, $nonE, s
 assertType('non-empty-string', $mysqli->real_escape_string($nonE));
 assertType('string', $mysqli->real_escape_string($s));
 }
+
+ /**
+ * @param numeric $n
+ * @param non-empty-string $nonE
+ * @param numeric-string $numericString
+ */
+ public function quotedArguments(mysqli $mysqli, int $i, float $f, $n, string $s, $nonE, string $numericString)
+ {
+ $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string((string) $i));
+ assertType('mysqli_result}>|false', $result);
+
+ $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string((string) $f));
+ assertType('mysqli_result}>|false', $result);
+
+ $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string((string) $n));
+ assertType('mysqli_result}>|false', $result);
+
+ $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string($numericString));
+ assertType('mysqli_result}>|false', $result);
+
+ // when quote() cannot return a numeric-string, we can't infer the precise result-type
+ $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string($s));
+ assertType('bool|mysqli_result', $result);
+
+ $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string($nonE));
+ assertType('bool|mysqli_result', $result);
+ }
 }
diff --git a/tests/data/pdo.php b/tests/data/pdo.php
index a7b5d8654..66bbdc47a 100644
--- a/tests/data/pdo.php
+++ b/tests/data/pdo.php
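Review bot: The comment `// when quote() cannot return a numeric-string, we can't infer the precise result-type` names the wrong method for this file; every case around it calls `real_escape_string()`, so it should read `// when real_escape_string() cannot return a numeric-string, we can't infer the precise result-type`. Those two fallback cases also concatenate the escaped value unquoted into `WHERE adaid=`, and escaping only neutralises quote characters, so for an arbitrary `$s` the result is not a numeric literal; appending `; escaping without surrounding quotes does not turn an arbitrary string into a numeric literal` would make clear that the `bool|mysqli_result` expectation records an inference limit, not a query pattern the extension endorses. The expected types `'mysqli_result}>|false'` look like generic type strings whose `<...>` part was lost in rendering; if the file really contains them as shown, those four assertions cannot match an inferred array shape. The same comment wording appears in the pdo.php hunk, where `quote()` is the correct name.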
@@ -172,4 +172,31 @@ public function quote(PDO $pdo, int $i, float $f, $n, string $s, $nonE, string $
 assertType('non-empty-string|false', $pdo->quote($nonE, PDO::PARAM_LOB));
 assertType('string|false', $pdo->quote($s, PDO::PARAM_LOB));
 }
+
+ /**
+ * @param numeric $n
+ * @param non-empty-string $nonE
+ * @param numeric-string $numericString
+ */
+ public function quotedArguments(PDO $pdo, int $i, float $f, $n, string $s, $nonE, string $numericString)
+ {
+ $stmt = $pdo->query('SELECT email, adaid FROM ada WHERE adaid='.$pdo->quote((string) $i), PDO::FETCH_ASSOC);
+ assertType('PDOStatement}>', $stmt);
+
+ $stmt = $pdo->query('SELECT email, adaid FROM ada WHERE adaid='.$pdo->quote((string) $f), PDO::FETCH_ASSOC);
+ assertType('PDOStatement}>', $stmt);
+
+ $stmt = $pdo->query('SELECT email, adaid FROM ada WHERE adaid='.$pdo->quote((string) $n), PDO::FETCH_ASSOC);
+ assertType('PDOStatement}>', $stmt);
+
+ $stmt = $pdo->query('SELECT email, adaid FROM ada WHERE adaid='.$pdo->quote($numericString), PDO::FETCH_ASSOC);
+ assertType('PDOStatement}>', $stmt);
+
+ // when quote() cannot return a numeric-string, we can't infer the precise result-type
+ $stmt = $pdo->query('SELECT email, adaid FROM ada WHERE adaid='.$pdo->quote($s), PDO::FETCH_ASSOC);
+ assertType('PDOStatement|false', $stmt);
+
+ $stmt = $pdo->query('SELECT email, adaid FROM ada WHERE adaid='.$pdo->quote($nonE), PDO::FETCH_ASSOC);
+ assertType('PDOStatement|false', $stmt);
+ }
 }
From e0df60253f45bdfc971f3a0b214558e0b4413401 Mon Sep 17 00:00:00 2001
From: Markus Staab
Date: Tue, 4 Jan 2022 11:27:40 +0100
Subject: [PATCH 2/2] cs
---
 tests/data/mysqli.php | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/tests/data/mysqli.php b/tests/data/mysqli.php
index c31958432..7054fe423 100644
--- a/tests/data/mysqli.php
+++ b/tests/data/mysqli.php
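Review bot: The four precise-type cases assert `PDOStatement}>` without saying why the `|false` that `quote()` itself can return (visible as `'non-empty-string|false'` in the context lines just above) does not reach the query result type; a one-line comment on the first case, such as `// quote() is assumed to succeed here; a false return would concatenate to nothing and leave `WHERE adaid=` unparseable`, would state that assumption where a reader looks for it. As rendered, `PDOStatement}>` appears to have lost an angle-bracketed array shape; if the file actually reads this way those assertions cannot match. The cache entry added in the first hunk is keyed on `SELECT email, adaid FROM ada WHERE adaid=1` rather than on the quoted literal, which suggests the quoted argument is replaced by a numeric placeholder before the query is analysed; if so, the method docblock should say that the cases test this substitution rather than the literal value, since nothing in the test body makes that intent visible.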
@@ -78,23 +78,23 @@ public function escape(mysqli $mysqli, int $i, float $f, $n, string $s, $nonE, s */ public function quotedArguments(mysqli $mysqli, int $i, float $f, $n, string $s, $nonE, string $numericString) { - $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string((string) $i)); - assertType('mysqli_result}>|false', $result); + $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string((string) $i)); + assertType('mysqli_result}>|false', $result); - $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string((string) $f)); - assertType('mysqli_result}>|false', $result); + $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string((string) $f)); + assertType('mysqli_result}>|false', $result); - $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string((string) $n)); - assertType('mysqli_result}>|false', $result); + $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string((string) $n)); + assertType('mysqli_result}>|false', $result); - $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string($numericString)); - assertType('mysqli_result}>|false', $result); + $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string($numericString)); + assertType('mysqli_result}>|false', $result); // when quote() cannot return a numeric-string, we can't infer the precise result-type - $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string($s)); - assertType('bool|mysqli_result', $result); + $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string($s)); + assertType('bool|mysqli_result', $result); - $result = $mysqli->query('SELECT email, adaid FROM ada WHERE 
adaid='.$mysqli->real_escape_string($nonE)); - assertType('bool|mysqli_result', $result); + $result = $mysqli->query('SELECT email, adaid FROM ada WHERE adaid='.$mysqli->real_escape_string($nonE)); + assertType('bool|mysqli_result', $result); } }