Prevent false-positives in placeholder validation (#752)

staabm · web-flow · commit f33136c81acc · 2025-03-06T16:23:27.000+01:00
* Prevent false-positives in placeholder validation

* fix
diff --git a/src/QueryReflection/PlaceholderValidation.php b/src/QueryReflection/PlaceholderValidation.php
@@ -20,7 +20,7 @@ public function checkQuery(Expr $queryExpr, Scope $scope, array $parameters): it
 
         $queryStrings = [];
         $namedPlaceholders = false;
-        foreach ($queryReflection->resolveQueryStrings($queryExpr, $scope) as $queryString) {
+        foreach ($queryReflection->resolveQueryStrings($queryExpr, $scope, false) as $queryString) {
             $queryStrings[] = $queryString;
 
             if ($queryReflection->containsNamedPlaceholders($queryString, $parameters)) {
diff --git a/src/QueryReflection/QueryReflection.php b/src/QueryReflection/QueryReflection.php
@@ -268,7 +268,7 @@ public function resolvePreparedQueryString(Expr $queryExpr, Type $parameterTypes
      *
      * @throws UnresolvableQueryException
      */
-    public function resolveQueryStrings(Expr $queryExpr, Scope $scope): iterable
+    public function resolveQueryStrings(Expr $queryExpr, Scope $scope, bool $resolveNonConstantQueries = true): iterable
     {
         $type = $scope->getType($queryExpr);
 
@@ -287,7 +287,12 @@ public function resolveQueryStrings(Expr $queryExpr, Scope $scope): iterable
 
             // query simulation might lead in a invalid query, skip those
             $error = $this->validateQueryString($normalizedQuery);
-            if ($error === null) {
+            if (
+                $error === null
+                // late abort the query, so we allow the query simulation/validation to throw
+                // UnresolvableQueryException
+                && $resolveNonConstantQueries
+            ) {
                 yield $normalizedQuery;
             }
         }
diff --git a/tests/rules/data/syntax-error-in-prepared-statement.php b/tests/rules/data/syntax-error-in-prepared-statement.php
@@ -361,4 +361,25 @@ public function bug458(Connection $conn)
         $table = $this->returnsUnion();
         $conn->executeQuery('SELECT * FROM ' . $table . ' LIMIT 1');
     }
+
+    /**
+     * @param array<int> $ids
+     */
+    protected function conditionalUnnamedPlaceholder(Connection $connection, array $ids, int $adaid): void
+    {
+        $values = [];
+        $query = 'SELECT email, adaid FROM ada';
+
+        $query .= ' AND adaid IN (' . someCall($ids) . ')';
+        $values = array_merge($values, $ids);
+
+        if (rand(0, 1) === 1) {
+            $query .= ' AND email = ?';
+            $values[] = 'test@example.org';
+        }
+
+        $query .= ' ORDER BY adaid';
+
+        $connection->preparedQuery($query, $values);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -268,7 +268,7 @@ public function resolvePreparedQueryString(Expr $queryExpr, Type $parameterTypes`
`268`	`268`	`*`
`269`	`269`	`* @throws UnresolvableQueryException`
`270`	`270`	`*/`
`271`		`- public function resolveQueryStrings(Expr $queryExpr, Scope $scope): iterable`
	`271`	`+ public function resolveQueryStrings(Expr $queryExpr, Scope $scope, bool $resolveNonConstantQueries = true): iterable`
`272`	`272`	`{`
`273`	`273`	`$type = $scope->getType($queryExpr);`
`274`	`274`
`@@ -287,7 +287,12 @@ public function resolveQueryStrings(Expr $queryExpr, Scope $scope): iterable`
`287`	`287`
`288`	`288`	`// query simulation might lead in a invalid query, skip those`
`289`	`289`	`$error = $this->validateQueryString($normalizedQuery);`
`290`		`- if ($error === null) {`
	`290`	`+ if (`
	`291`	`+ $error === null`
	`292`	`+ // late abort the query, so we allow the query simulation/validation to throw`
	`293`	`+ // UnresolvableQueryException`
	`294`	`+ && $resolveNonConstantQueries`
	`295`	`+ ) {`
`291`	`296`	`yield $normalizedQuery;`
`292`	`297`	`}`
`293`	`298`	`}`