/vendor

SQLTrees (php)

This is a PHP version of the Java library [SQLTrees](https://github.com/Orange-Cyberdefense/sqltrees) aiming at annihilating (possibility of) SQL injections and at the same time keeping the whole expressiveness of SQL. You can read (in French) [this introductory article](https://connect.ed-diamond.com/MISC/misc-111/zero-sqli-malgre-les-developpeurs), or read below a summary.

Example

In the MySQL system database `information_schema`, take the following SQL request containing a parameter in the WHERE provided by the application to let the user jump at some point in the list:

``lang=sql`

SELECT table_schema, table_name, engine, table_rows, create_time FROM tables WHERE table_name >= 'parameter' ORDER BY table_name, create_time LIMIT 0,10;

And now the name of the columns could introduce a SQL injection, if the columns names are not sufficiently sanitised beforehand, even if we use a parametrised SQL request.

During an audit, all functions manipulating some parts of SQL requests must be carefully examinated to be sure no one has some escaping issues.

**With this library**, the previous parametrised function would be rewritten like this:

{

"require": {

"php": ">=7.3"

},

"autoload": {

"psr-4": {

"SQLTrees\\": "src/"

},

"files": [

"src/functions.php"

]

}

}

namespace SQLTrees;

use mysqli;

class AST {

protected $lp = '(';

protected $rp = ')';

protected $label;

protected $parenLevel;

private $children;

function __construct( string $label, ?array $a, int $plevel ) {

$this->parenLevel = $plevel;

$this->label = $label;

$this->children = ( $a === null ) ? [] : $a;

}

public function getChildrenCount() : int {

return count( $this->children );

}

public function getChild( int $i ) : AST {

return $this->children[$i];

}

protected function writeTo( CompiledStatement $b ) : void {

$b->addToken( $this->label );

$n = $this->getChildrenCount();

for( $i = 0; $i < $n; $i++ ) {

$this->getChild( $i )->cpwriteTo( $b, $this->parenLevel );

}

}

protected function pwriteTo( CompiledStatement $b ) : void {

$b->addToken( $this->lp );

$this->writeTo( $b );

$b->addToken( $this->rp );

}

protected function cpwriteTo( CompiledStatement $b, int $p ) : void {

if( $this->parenLevel < $p ) {

$this->writeTo( $b );

} else {

$this->pwriteTo( $b );

}

}

/**

public function compile() : CompiledStatement {

$b = new CompiledStatement();

$this->writeTo( $b );

return $b;

}

public function execute_mysqli( mysqli $con ) {

return $this->compile()->run_mysqli( $con );

}

}

namespace SQLTrees;

use \mysqli;

use \mysqli_stmt;

final class CompiledStatement {

/** @var string */

private $tpl = '';

/** @var string[] */

private $args = [];

/** @var string[] */

private $types = [];

public function getTpl() : string {

return trim( $this->tpl ) . ';';

}

public function getArgs() : array {

return $this->args;

}

public function getTypes() : array {

return $this->types;

}

/**

public function addParam( string $s, string $type ) : void {

$this->tpl .= '? ';

$this->args[] = $s;

$this->types[] = $type;

}

public function addStringParam( string $s ) : void {

$this->tpl .= '? ';

$this->args[] = $s;

$this->types[] = 's';

}

public function addToken( string $repr ) : void {

$this->tpl .= $repr;

$this->tpl .= ' ';

}

/**

public function getPreparedStatement_mysqli( mysqli $con ) : mysqli_stmt {

$stmt = new mysqli_stmt( $con, $this->getTpl() );

$types = implode( '', $this->types );

if( $types ) {

$stmt->bind_param( $types, ...$this->args );

}

return $stmt;

}

/**

public function run_mysqli( mysqli $con ) : mysqli_stmt {

$stmt = $this->getPreparedStatement_mysqli( $con );

if( !$stmt->execute() ) {

throw new CompiledStatementError( 'Execution failed' );

}

return $stmt;

}

}

namespace SQLTrees;

use \RuntimeException;

class CompiledStatementError extends RuntimeException {}

namespace SQLTrees;

final class OperatorAST extends AST {

/** @var ?AST Neutral element, when the expressions array is empty. */

protected $neutral;

function __construct( string $s, array $exprs, int $plevel, ?AST $neutral ) {

parent::__construct( $s, $exprs, $plevel );

$this->neutral = $neutral;

}

protected function writeTo( CompiledStatement $b ) : void {

$n = $this->getChildrenCount();

if( $n === 0 ) {

if( $this->neutral ) {

$this->neutral->writeTo( $b );

}

} else {

$this->getChild( 0 )->cpwriteTo( $b, $this->parenLevel );

for( $i = 1; $i < $n; $i++ ) {

$b->addToken( $this->label );

$this->getChild( $i )->cpwriteTo( $b, $this->parenLevel );

}

}

}

}