Skip to content

Add Psalm taint annotations for SQL injection analysis #78

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
koriym merged 1 commit into from
Dec 28, 2025
+36 −8
Merged

Add Psalm taint annotations for SQL injection analysis #78

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/PerformSql.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@

final class PerformSql implements PerformSqlInterface
{
/** @psalm-taint-escape sql */
#[Override]
public function perform(ExtendedPdoInterface $pdo, string $sqlId, string $sql, array $values): PDOStatement
{
Expand Down
2 changes: 2 additions & 0 deletions src/PerformSqlInterface.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ interface PerformSqlInterface
* @param array<string, mixed> $values The values to bind to the SQL statement.
*
* @return PDOStatement The result of the performed SQL statement.
*
* @psalm-taint-escape sql
*/
public function perform(ExtendedPdoInterface $pdo, string $sqlId, string $sql, array $values): PDOStatement;
}
1 change: 1 addition & 0 deletions src/PerformTemplatedSql.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ public function __construct(
) {
}

/** @psalm-taint-escape sql */
#[Override]
public function perform(ExtendedPdoInterface $pdo, string $sqlId, string $sql, array $values): PDOStatement
{
Expand Down
10 changes: 10 additions & 0 deletions src/SqlQuery.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,8 @@ public function __construct(

/**
* {@inheritDoc}
*
* @psalm-taint-escape sql
*/
#[Override]
public function exec(string $sqlId, array $values = [], FetchInterface|null $fetch = null): void
Expand All @@ -63,6 +65,8 @@ public function exec(string $sqlId, array $values = [], FetchInterface|null $fet

/**
* {@inheritDoc}
*
* @psalm-taint-escape sql
*/
#[Override]
public function getRow(string $sqlId, array $values = [], FetchInterface|null $fetch = null): array|object|null
Expand All @@ -80,6 +84,8 @@ public function getRow(string $sqlId, array $values = [], FetchInterface|null $f

/**
* {@inheritDoc}
*
* @psalm-taint-escape sql
*/
#[Override]
public function getRowList(string $sqlId, array $values = [], FetchInterface|null $fetch = null): array
Expand All @@ -92,6 +98,8 @@ public function getRowList(string $sqlId, array $values = [], FetchInterface|nul

/**
* {@inheritDoc}
*
* @psalm-taint-escape sql
*/
#[Override]
public function getCount(string $sqlId, array $values): int
Expand Down Expand Up @@ -193,6 +201,8 @@ public function getStatement(): PDOStatement

/**
* {@inheritDoc}
*
* @psalm-taint-escape sql
*/
#[Override]
public function getPages(string $sqlId, array $values, int $perPage, string $queryTemplate = '/{?page}', string|null $entity = null): PagesInterface
Expand Down
18 changes: 16 additions & 2 deletions src/SqlQueryInterface.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,25 +10,39 @@ interface SqlQueryInterface
* @param array<string, mixed> $values
*
* @return array<mixed>|object|null
*
* @psalm-taint-escape sql
*/
public function getRow(string $sqlId, array $values = [], FetchInterface|null $fetch = null): array|object|null;

/**
* @param array<string, mixed> $values
*
* @return array<array<mixed>>
*
* @psalm-taint-escape sql
*/
public function getRowList(string $sqlId, array $values = [], FetchInterface|null $fetch = null): array;

/** @param array<string, mixed> $values */
/**
* @param array<string, mixed> $values
*
* @psalm-taint-escape sql
*/
public function exec(string $sqlId, array $values = [], FetchInterface|null $fetch = null): void;

/** @param array<string, mixed> $values */
/**
* @param array<string, mixed> $values
*
* @psalm-taint-escape sql
*/
public function getCount(string $sqlId, array $values): int;

/**
* @param array<string, mixed> $values
* @param ?class-string $entity
*
* @psalm-taint-escape sql
*/
public function getPages(string $sqlId, array $values, int $perPage, string $queryTemplate = '/{?page}', string|null $entity = null): PagesInterface;
}
7 changes: 4 additions & 3 deletions tests/sql/create_promise.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
CREATE TABLE IF NOT EXISTS todo
CREATE TABLE IF NOT EXISTS promise
(
id INTEGER,
title TEXT
id TEXT,
title TEXT,
time TEXT
)
5 changes: 2 additions & 3 deletions tests/sql/create_todo.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
CREATE TABLE IF NOT EXISTS promise
CREATE TABLE IF NOT EXISTS todo
(
id TEXT,
title TEXT,
time TEXT
title TEXT
)
Loading