Database queries should use parameter binding

More information: https://insight.symfony.com/what-we-analyse/doctrine.database_query_contains_string_and_variable_concatenation

  }
  if ($param->getAvailableValues() && is_array($param->getAvailableValues())) {
      $c = $form->addSelect($key, $this->getParamLabel($param), array_combine($param->getAvailableValues(), $param->getAvailableValues()));
      if (!$param->isRequired()) {
          $c->setPrompt('Select ' . $this->getLabel($param));

    If provided by the user, the value of $this->getLabel($param) may allow an SQL injection attack. Avoid concatenating parameters to SQL query strings, and use parameter binding instead. Note that the flagged line builds the prompt text of a form select with setPrompt(), not a database query, so in this snippet the finding is a false positive of the string-concatenation check; the rule still applies wherever a query string is assembled from request data.

    Time to fix: about 1 hour
    Last edited by Michal Lulco
      }
  } elseif ($param->getAvailableValues() && is_string($param->getAvailableValues())) {
      $c = $form->addText($key, $this->getParamLabel($param))->setDisabled(true);
      $defaults[$key] = $param->getAvailableValues();
  } elseif ($param->getType() == InputParam::TYPE_FILE) {
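
    The pattern this rule targets, as an added example that is not code from tomaj/nette-api: a lookup built by concatenating a request value into SQL text beside the same lookup with the value bound as a parameter. It assumes PDO with the pdo_sqlite extension and an in-memory SQLite table; the table, the rows and the request value are constructed for the demonstration.

```php
<?php
// Added example (not part of the project): string concatenation vs. parameter
// binding, shown against an in-memory SQLite database via PDO.
// Assumes the pdo_sqlite extension is available.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed request value: looks like a name, but closes the string literal
// and appends an always-true condition.
$requested = "nobody' OR '1'='1";

// Vulnerable: the request value becomes part of the SQL text, so the quote
// inside it ends the literal and the WHERE clause is true for every row.
function findByNameConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the value travels as a bound parameter and is compared literally
// against the column; the quotes and OR are just characters in the value.
function findByNameBound(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(findByNameConcat($pdo, $requested));
var_dump(findByNameBound($pdo, $requested));
```

    Run stand-alone, the concatenating version returns both names (the whole table), while the bound version returns an empty array because no row has the literal name "nobody' OR '1'='1". The same split applies to Doctrine DBAL: pass values through executeQuery()'s parameter array or a prepared statement, never into the query string.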

Object parameters should be type hinted

More information: https://insight.symfony.com/what-we-analyse/php.object_parameter_not_type_hinted

   * @param string $key   param key
   * @param string $value actual value from request
   *
   * @return string
   */
  private function processParam(InputParam $param, $key, $value)

    The parameter $value, which Insight reports as an object, should be type hinted. Note that the docblock above declares $value as string and that $param already carries the InputParam hint; whichever type $value actually has, declare it in the signature so an unexpected type fails at the call site rather than somewhere inside the method.

    Time to fix: about 1 hour
    Last edited by Tomas Majer
  {
      if ($param->getKey() == $key) {
          if (!$value) {
              return null;
          }

Booleans and null should be compared strictly

More information: https://insight.symfony.com/what-we-analyse/php.strict_boolean_comparison_should_be_used

  $result = [];
  foreach ($values as $key => $value) {
      if (is_array($value)) {
          $counter = 0;
          foreach ($value as $innerValue) {
              if ($innerValue != null) {

    With booleans and null, only strict comparison (the !== operator) should be used, to lower bug risk and to improve performance. Here $innerValue != null is false not only for null but also for 0, '', false and an empty array, because those compare loosely equal to null, so such values would be silently dropped from $result; $innerValue !== null skips only real nulls.

    Time to fix: about 15 minutes
    Last edited by Tomas Majer
                  $result[$key . "[" . $counter++ . "]"] = $innerValue;
              }
          }
      } else {
          $result[$key] = $value;
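
    What the loose comparison costs in practice, as an added example that is not the library's own code: the flattening routine above written twice, once with != null and once with !== null, run over a constructed request array that contains the legitimate id 0, an empty string, false and an explicit null.

```php
<?php
// Added example (not part of tomaj/nette-api): "!= null" vs. "!== null" when
// flattening nested request values into "key[n]" entries.

/** Flatten with loose comparison: 0, '', false and [] are == null and vanish. */
function flattenLoose(array $values): array
{
    $result = [];
    foreach ($values as $key => $value) {
        if (is_array($value)) {
            $counter = 0;
            foreach ($value as $innerValue) {
                if ($innerValue != null) {
                    $result[$key . '[' . $counter++ . ']'] = $innerValue;
                }
            }
        } else {
            $result[$key] = $value;
        }
    }
    return $result;
}

/** Same routine with strict comparison: only real nulls are skipped. */
function flattenStrict(array $values): array
{
    $result = [];
    foreach ($values as $key => $value) {
        if (is_array($value)) {
            $counter = 0;
            foreach ($value as $innerValue) {
                if ($innerValue !== null) {
                    $result[$key . '[' . $counter++ . ']'] = $innerValue;
                }
            }
        } else {
            $result[$key] = $value;
        }
    }
    return $result;
}

// Constructed input: id 0 is a valid identifier, the null is the only entry
// that should be dropped.
$input = ['ids' => [0, 7, null, '', false], 'name' => 'x'];

var_dump(flattenLoose($input));
var_dump(flattenStrict($input));
```

    flattenLoose() keeps only ids[0] => 7 and name => x, silently losing the id 0, the empty string and false; flattenStrict() yields ids[0] => 0, ids[1] => 7, ids[2] => '', ids[3] => false and name => x. Note that the string '0' is not loosely equal to null in PHP (null is cast to '' for that comparison), so it survives either way; the values that disappear are the ones that cast to boolean false.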

Unused use statement should be avoided

More information: https://insight.symfony.com/what-we-analyse/php.unused_use_statement

  namespace Tomaj\NetteApi\Presenters;

  use Exception;
  use Nette\Application\Responses\JsonResponse;
  use Nette\Application\UI\Presenter;
  use Nette\DI\Container;

    The class Nette\DI\Container is declared but never used. You should remove the use statement.

    Time to fix: about 15 minutes
    Last edited by Michal Lulco
  use Nette\Http\Response;
  use Tomaj\NetteApi\ApiDecider;
  use Tomaj\NetteApi\Authorization\ApiAuthorizationInterface;
  use Tomaj\NetteApi\Handlers\ApiHandlerInterface;
  use Tomaj\NetteApi\Logger\ApiLoggerInterface;