From 2524090156586ea4ebb686d41ae73b0b0143bb8d Mon Sep 17 00:00:00 2001
From: Markus Staab
Date: Wed, 22 Feb 2023 21:16:28 +0100
Subject: [PATCH] Prefer `inference-placeholder` over `taint-escape sql` (#536)
---
 src/QueryReflection/QueryReflection.php | 8 +++---
 .../rules/UnresolvableQueryMethodRuleTest.php | 7 +++++
 tests/rules/data/bug-536.php | 26 +++++++++++++++++++
 3 files changed, 37 insertions(+), 4 deletions(-)
 create mode 100644 tests/rules/data/bug-536.php
diff --git a/src/QueryReflection/QueryReflection.php b/src/QueryReflection/QueryReflection.php
index d55f10df5..c7ba05de9 100644
--- a/src/QueryReflection/QueryReflection.php
+++ b/src/QueryReflection/QueryReflection.php
@@ -337,14 +337,14 @@ private function resolveQueryStringExpr(Expr $queryExpr, Scope $scope, bool $res
 }
 if ($queryExpr instanceof Expr\CallLike) {
- if ('sql' === PhpDocUtil::matchTaintEscape($queryExpr, $scope)) {
- return '1';
- }
-
 $placeholder = PhpDocUtil::matchInferencePlaceholder($queryExpr, $scope);
 if (null !== $placeholder) {
 return $placeholder;
 }
+
+ if ('sql' === PhpDocUtil::matchTaintEscape($queryExpr, $scope)) {
+ return '1';
+ }
 }
 if ($queryExpr instanceof Concat) {
diff --git a/tests/rules/UnresolvableQueryMethodRuleTest.php b/tests/rules/UnresolvableQueryMethodRuleTest.php
index b67bcea91..ce4ad41a1 100644
--- a/tests/rules/UnresolvableQueryMethodRuleTest.php
+++ b/tests/rules/UnresolvableQueryMethodRuleTest.php
@@ -65,4 +65,11 @@ public function testSyntaxErrorInQueryRule(): void
 ],
 ]);
 }
+
+ public function testBug536(): void
+ {
+ require_once __DIR__ . '/data/bug-536.php';
+
+ $this->analyse([__DIR__ . '/data/bug-536.php'], []);
+ }
 }
diff --git a/tests/rules/data/bug-536.php b/tests/rules/data/bug-536.php
new file mode 100644
index 000000000..c23071f69
--- /dev/null
+++ b/tests/rules/data/bug-536.php
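Review bot: The reordered branch lets `@phpstandba-inference-placeholder` take precedence over `@psalm-taint-escape sql` when both annotate the same call, but the new code carries no comment saying the order is deliberate, so a later tidy-up could swap the two blocks back and reintroduce #536. A one-line comment above the `$placeholder` assignment would pin it: `// Placeholder first: it yields a concrete value for the call; the taint-escape branch only substitutes the literal '1'.` Note also that `null !== $placeholder` accepts an empty string as a placeholder, so a call annotated with both an empty placeholder and a `sql` escape resolves to `''` and never reaches the `'1'` fallback; presumably intended, but worth confirming. The enclosing `resolveQueryStringExpr` starts before and ends after the hunk.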
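Review bot: `testBug536` only pins the combined-annotation case from `data/bug-536.php` (expected: no errors); nothing in this commit exercises the branch the reorder demoted to a fallback, where a call carries `@psalm-taint-escape sql` alone and must still resolve to `'1'`. Unless an existing fixture already covers that, a second data file with only the taint-escape tag, analysed with the same empty expectation, would guard both halves of the reordering. The `require_once` before `analyse()` presumably makes class `X` visible to the analyser; if the sibling tests in this file follow the same pattern it is consistent, otherwise a short comment on why the fixture is required would help.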
@@ -0,0 +1,26 @@
+query('SELECT email, adaid FROM '. X::getTablePrefix('ada'), PDO::FETCH_ASSOC);
+}
+
+class X {
+ /**
+ * Returns the table prefix.
+ *
+ * @return non-empty-string
+ *
+ * @phpstandba-inference-placeholder 'ada'
+ * @psalm-taint-escape sql
+ */
+ public static function getTablePrefix()
+ {
+
+ }
+
+}
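Review bot: The fixture calls `X::getTablePrefix('ada')` but declares `public static function getTablePrefix()` with no parameter and an empty body despite `@return non-empty-string`; PHP tolerates the extra argument and the rule resolves the call from the docblock tags rather than the body, but a comment should say so: `// Body intentionally empty: the rule resolves this call from the @phpstandba-inference-placeholder tag.` Dropping the stray argument, `X::getTablePrefix()`, keeps the fixture from depending on that tolerance. The file's opening lines (everything before `query(`) are missing from this rendering, so the namespace, imports and the function that issues the query could not be reviewed here.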