Fix false-positive parameter validation error when query string is not resolvable (#630)

staabm · web-flow · commit ccabc0c7fa85 · 2023-09-29T11:35:18.000Z
diff --git a/src/QueryReflection/PlaceholderValidation.php b/src/QueryReflection/PlaceholderValidation.php
@@ -28,6 +28,10 @@ public function checkQuery(Expr $queryExpr, Scope $scope, array $parameters): it
             }
         }
 
+        if ($queryStrings === []) {
+            return;
+        }
+
         if ($namedPlaceholders) {
             yield from $this->validateNamedPlaceholders($queryStrings, $parameters);
 
@@ -36,8 +40,8 @@ public function checkQuery(Expr $queryExpr, Scope $scope, array $parameters): it
 
         $minPlaceholderCount = PHP_INT_MAX;
         $maxPlaceholderCount = 0;
-        foreach ($queryStrings as $queryString) {
-            $placeholderCount = $queryReflection->countPlaceholders($queryString);
+        foreach ($queryStrings as $unnamedQueryString) {
+            $placeholderCount = $queryReflection->countPlaceholders($unnamedQueryString);
             if ($placeholderCount < $minPlaceholderCount) {
                 $minPlaceholderCount = $placeholderCount;
             }
diff --git a/tests/rules/data/placeholder-bug.php b/tests/rules/data/placeholder-bug.php
@@ -47,4 +47,12 @@ public function wrongMinBound(PDO $pdo)
         $stmt = $pdo->prepare('SELECT email, adaid FROM ada WHERE adaid = ? OR adaid = ? ');
         $stmt->execute([]);
     }
+
+    public function notResolvableQuery(PDO $pdo, $params)
+    {
+        $query ='SELECT email, adaid FROM ada WHERE email = ? '.$params;
+
+        $stmt = $pdo->prepare($query);
+        $stmt->execute(['hello world']);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,10 @@ public function checkQuery(Expr $queryExpr, Scope $scope, array $parameters): it`
`28`	`28`	`}`
`29`	`29`	`}`
`30`	`30`
	`31`	`+ if ($queryStrings === []) {`
	`32`	`+ return;`
	`33`	`+ }`
	`34`	`+`
`31`	`35`	`if ($namedPlaceholders) {`
`32`	`36`	`yield from $this->validateNamedPlaceholders($queryStrings, $parameters);`
`33`	`37`
`@@ -36,8 +40,8 @@ public function checkQuery(Expr $queryExpr, Scope $scope, array $parameters): it`
`36`	`40`
`37`	`41`	`$minPlaceholderCount = PHP_INT_MAX;`
`38`	`42`	`$maxPlaceholderCount = 0;`
`39`		`- foreach ($queryStrings as $queryString) {`
`40`		`- $placeholderCount = $queryReflection->countPlaceholders($queryString);`
	`43`	`+ foreach ($queryStrings as $unnamedQueryString) {`
	`44`	`+ $placeholderCount = $queryReflection->countPlaceholders($unnamedQueryString);`
`41`	`45`	`if ($placeholderCount < $minPlaceholderCount) {`
`42`	`46`	`$minPlaceholderCount = $placeholderCount;`
`43`	`47`	`}`
Original file line number	Diff line number	Diff line change
`@@ -47,4 +47,12 @@ public function wrongMinBound(PDO $pdo)`
`47`	`47`	`$stmt = $pdo->prepare('SELECT email, adaid FROM ada WHERE adaid = ? OR adaid = ? ');`
`48`	`48`	`$stmt->execute([]);`
`49`	`49`	`}`
	`50`	`+`
	`51`	`+ public function notResolvableQuery(PDO $pdo, $params)`
	`52`	`+ {`
	`53`	`+ $query ='SELECT email, adaid FROM ada WHERE email = ? '.$params;`
	`54`	`+`
	`55`	`+ $stmt = $pdo->prepare($query);`
	`56`	`+ $stmt->execute(['hello world']);`
	`57`	`+ }`
`50`	`58`	`}`