dolibarr/test/phpunit/CodingPhpTest.php

<?php
/* Copyright (C) 2013 Laurent Destailleur  <eldy@users.sourceforge.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <https://www.gnu.org/licenses/>.
 * or see https://www.gnu.org/
 */

/**
 *      \file       test/phpunit/SqlTest.php
 *      \ingroup    test
 *      \brief      PHPUnit test
 *      \remarks    To run this script as CLI:  phpunit filename.php
 */

global $conf,$user,$langs,$db;
//define('TEST_DB_FORCE_TYPE','mysql');	// This is to force using mysql driver
//require_once 'PHPUnit/Autoload.php';
require_once dirname(__FILE__).'/../../htdocs/master.inc.php';
require_once dirname(__FILE__).'/../../htdocs/core/lib/security.lib.php';
require_once dirname(__FILE__).'/../../htdocs/core/lib/security2.lib.php';

if (! defined('NOREQUIREUSER'))  define('NOREQUIREUSER', '1');
if (! defined('NOREQUIREDB'))    define('NOREQUIREDB', '1');
if (! defined('NOREQUIRESOC'))   define('NOREQUIRESOC', '1');
if (! defined('NOREQUIRETRAN'))  define('NOREQUIRETRAN', '1');
if (! defined('NOCSRFCHECK'))    define('NOCSRFCHECK', '1');
if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', '1');
if (! defined('NOREQUIREMENU'))  define('NOREQUIREMENU', '1'); // If there is no menu to show
if (! defined('NOREQUIREHTML'))  define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
if (! defined('NOREQUIREAJAX'))  define('NOREQUIREAJAX', '1');
if (! defined("NOLOGIN"))        define("NOLOGIN", '1');       // If this page is public (can be called outside logged session)

if (empty($user->id))
{
    print "Load permissions for admin user nb 1\n";
    $user->fetch(1);
    $user->getrights();
}
$conf->global->MAIN_DISABLE_ALL_MAILS=1;


/**
 * Class for PHPUnit tests
 *
 * @backupGlobals disabled
 * @backupStaticAttributes enabled
 * @remarks	backupGlobals must be disabled to have db,conf,user and lang not erased.
 */
class CodingPhpTest extends PHPUnit\Framework\TestCase
{
    protected $savconf;
    protected $savuser;
    protected $savlangs;
    protected $savdb;

    /**
     * Constructor
     * We save global variables into local variables
     *
     * @return SecurityTest
     */
    public function __construct()
    {
        parent::__construct();

        //$this->sharedFixture
        global $conf,$user,$langs,$db;
        $this->savconf=$conf;
        $this->savuser=$user;
        $this->savlangs=$langs;
        $this->savdb=$db;

        print __METHOD__." db->type=".$db->type." user->id=".$user->id;
        //print " - db ".$db->db;
        print "\n";
    }

    /**
     * setUpBeforeClass
     *
     * @return void
     */
    public static function setUpBeforeClass()
    {
        global $conf,$user,$langs,$db;
        $db->begin(); // This is to have all actions inside a transaction even if test launched without suite.

        print __METHOD__."\n";
    }

    /**
     * tearDownAfterClass
     *
     * @return	void
     */
    public static function tearDownAfterClass()
    {
        global $conf,$user,$langs,$db;
        $db->rollback();

        print __METHOD__."\n";
    }

    /**
     * Init phpunit tests
     *
     * @return  void
     */
    protected function setUp()
    {
        global $conf,$user,$langs,$db;
        $conf=$this->savconf;
        $user=$this->savuser;
        $langs=$this->savlangs;
        $db=$this->savdb;

        print __METHOD__."\n";
    }

    /**
     * End phpunit tests
     *
     * @return  void
     */
    protected function tearDown()
    {
        print __METHOD__."\n";
    }

    /**
     * testSql
     *
     * @return string
     */
    public function testPHP()
    {
        global $conf,$user,$langs,$db;
        $conf=$this->savconf;
        $user=$this->savuser;
        $langs=$this->savlangs;
        $db=$this->savdb;

        include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
        $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');

        foreach($filesarray as $key => $file)
        {
            if (preg_match('/\/htdocs\/includes\//', $file['fullname'])) continue;
            if (preg_match('/\/htdocs\/custom\//', $file['fullname'])) continue;
            if (preg_match('/\/htdocs\/dolimed/', $file['fullname'])) continue;
            if (preg_match('/\/htdocs\/nltechno/', $file['fullname'])) continue;
            if (preg_match('/\/htdocs\/teclib/', $file['fullname'])) continue;

            print 'Check php file '.$file['fullname']."\n";
            $filecontent=file_get_contents($file['fullname']);


            $ok=true;
            $matches=array();
            // Check string   ='".$this->xxx   with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
            preg_match_all('/'.preg_quote('get_class($this)."::".__METHOD__', '/').'/', $filecontent, $matches, PREG_SET_ORDER);
            foreach($matches as $key => $val)
            {
           		$ok=false;
           		break;
            }
            //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
            $this->assertTrue($ok, 'Found string get_class($this)."::".__METHOD__ that must be replaced with __METHOD__ only in '.$file['fullname']);
            //exit;

            $ok=true;
            $matches=array();
            // Check string   ='".$this->xxx   with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
            preg_match_all('/(..)\s*\.\s*\$this->db->idate\(/', $filecontent, $matches, PREG_SET_ORDER);
            foreach($matches as $key => $val)
            {
                if ($val[1] != '\'"' && $val[1] != '\'\'')
                {
                    $ok=false;
                    break;
                }
                //if ($reg[0] != 'db') $ok=false;
            }
            //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
            $this->assertTrue($ok, 'Found a $this->db->idate to forge a sql request without quotes around this date field '.$file['fullname'].' :: '.$val[0]);
            //exit;


            $ok=true;
            $matches=array();
            // Check string   ='".$this->xxx   with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
            preg_match_all('/(=|sql.+)\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);
            foreach($matches as $key => $val)
            {
                if ($val[2] != 'db->' && $val[2] != 'esca')
                {
                    $ok=false;
                    break;
                }
                //if ($reg[0] != 'db') $ok=false;
            }
            //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
            $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['fullname'].' ('.$val[0].'). Bad.');
            //exit;


            // Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped.
            $ok=true;
            $matches=array();
            // Check string   ='".$this->xxx   with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
            preg_match_all('/(..............)\$_SERVER\[\'QUERY_STRING\'\]/', $filecontent, $matches, PREG_SET_ORDER);
            foreach($matches as $key => $val)
            {
                if ($val[1] != 'scape_htmltag(' && $val[1] != 'ing_nohtmltag(' && $val[1] != 'dol_escape_js(')
                {
                    $ok=false;
                    break;
                }
            }
            $this->assertTrue($ok, 'Found a $_SERVER[\'QUERY_STRING\'] without dol_escape_htmltag neither dol_string_nohtmltag around it, in file '.$file['fullname'].' ('.$val[1].'$_SERVER[\'QUERY_STRING\']). Bad.');


            // Test that first param of print_liste_field_titre is a translation key and not the translated value
            $ok=true;
            $matches=array();
            // Check string   ='".$this->xxx   with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
            preg_match_all('/print_liste_field_titre\(\$langs/', $filecontent, $matches, PREG_SET_ORDER);
            foreach($matches as $key => $val)
            {
                   $ok=false;
                   break;
            }
            $this->assertTrue($ok, 'Found a use of print_liste_field_titre with first parameter that is a translated value instead of just the translation key in file '.$file['fullname'].'. Bad.');


            // Test we don't have <br />
            $ok=true;
            $matches=array();
            // Check string   ='".$this->xxx   with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
            preg_match_all('/<br \/>/', $filecontent, $matches, PREG_SET_ORDER);
            foreach($matches as $key => $val)
            {
                if ($file['name'] != 'functions.lib.php')
                {
                    $ok=false;
                    break;
                }
            }
            $this->assertTrue($ok, 'Found a tag <br /> that is for xml in file '.$file['fullname'].'. You may use html syntax <br> instead.');


            // Test we don't have @var array(
            $ok=true;
            $matches=array();
            // Check string   ='".$this->xxx   with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
            preg_match_all('/@var\s+array\(/', $filecontent, $matches, PREG_SET_ORDER);
            foreach($matches as $key => $val)
            {
                $ok=false;
                break;
            }
            $this->assertTrue($ok, 'Found a declaration @var array() instead of @var array in file '.$file['fullname'].'.');
        }

        return;
    }
}
Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00			`<?php`
			`/* Copyright (C) 2013 Laurent Destailleur <eldy@users.sourceforge.net>`
			`*`
			`* This program is free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`* the Free Software Foundation; either version 3 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
Move Gnu.org to https 2019-09-23 21:55:30 +02:00			`* along with this program. If not, see <https://www.gnu.org/licenses/>.`
			`* or see https://www.gnu.org/`
Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00			`*/`

			`/**`
			`* \file test/phpunit/SqlTest.php`
			`* \ingroup test`
			`* \brief PHPUnit test`
			`* \remarks To run this script as CLI: phpunit filename.php`
			`*/`

			`global $conf,$user,$langs,$db;`
			`//define('TEST_DB_FORCE_TYPE','mysql'); // This is to force using mysql driver`
			`//require_once 'PHPUnit/Autoload.php';`
			`require_once dirname(__FILE__).'/../../htdocs/master.inc.php';`
			`require_once dirname(__FILE__).'/../../htdocs/core/lib/security.lib.php';`
			`require_once dirname(__FILE__).'/../../htdocs/core/lib/security2.lib.php';`

wip 2019-01-27 13:07:22 +01:00			`if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER', '1');`
			`if (! defined('NOREQUIREDB')) define('NOREQUIREDB', '1');`
			`if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC', '1');`
			`if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN', '1');`
			`if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK', '1');`
			`if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', '1');`
			`if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU', '1'); // If there is no menu to show`
			`if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php`
			`if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1');`
			`if (! defined("NOLOGIN")) define("NOLOGIN", '1'); // If this page is public (can be called outside logged session)`
Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00
			`if (empty($user->id))`
			`{`
			`print "Load permissions for admin user nb 1\n";`
			`$user->fetch(1);`
			`$user->getrights();`
			`}`
			`$conf->global->MAIN_DISABLE_ALL_MAILS=1;`


			`/**`
			`* Class for PHPUnit tests`
			`*`
			`* @backupGlobals disabled`
			`* @backupStaticAttributes enabled`
			`* @remarks backupGlobals must be disabled to have db,conf,user and lang not erased.`
			`*/`
Compatibility with phpunit v6 2019-07-05 21:28:27 +02:00			`class CodingPhpTest extends PHPUnit\Framework\TestCase`
Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00			`{`
			`protected $savconf;`
			`protected $savuser;`
			`protected $savlangs;`
			`protected $savdb;`

			`/**`
			`* Constructor`
			`* We save global variables into local variables`
			`*`
			`* @return SecurityTest`
			`*/`
wip 2019-02-25 00:56:48 +01:00			`public function __construct()`
Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00			`{`
wip 2019-02-25 00:56:48 +01:00			`parent::__construct();`
Prepare phpunit 6.1 compatibility 2018-09-02 14:23:52 +02:00
wip 2019-02-25 00:56:48 +01:00			`//$this->sharedFixture`
Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00			`global $conf,$user,$langs,$db;`
			`$this->savconf=$conf;`
			`$this->savuser=$user;`
			`$this->savlangs=$langs;`
			`$this->savdb=$db;`

			`print __METHOD__." db->type=".$db->type." user->id=".$user->id;`
			`//print " - db ".$db->db;`
			`print "\n";`
			`}`

Major doxygen fix 2020-05-03 22:47:43 +02:00			`/**`
			`* setUpBeforeClass`
			`*`
			`* @return void`
			`*/`
Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00			`public static function setUpBeforeClass()`
			`{`
			`global $conf,$user,$langs,$db;`
			`$db->begin(); // This is to have all actions inside a transaction even if test launched without suite.`

			`print __METHOD__."\n";`
			`}`

Major doxygen fix 2020-05-03 22:47:43 +02:00			`/**`
			`* tearDownAfterClass`
			`*`
			`* @return void`
			`*/`
Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00			`public static function tearDownAfterClass()`
			`{`
			`global $conf,$user,$langs,$db;`
			`$db->rollback();`

			`print __METHOD__."\n";`
			`}`

			`/**`
			`* Init phpunit tests`
			`*`
			`* @return void`
			`*/`
			`protected function setUp()`
			`{`
			`global $conf,$user,$langs,$db;`
			`$conf=$this->savconf;`
			`$user=$this->savuser;`
			`$langs=$this->savlangs;`
			`$db=$this->savdb;`

			`print __METHOD__."\n";`
			`}`

			`/**`
			`* End phpunit tests`
			`*`
			`* @return void`
			`*/`
			`protected function tearDown()`
			`{`
			`print __METHOD__."\n";`
			`}`

			`/**`
			`* testSql`
			`*`
			`* @return string`
			`*/`
			`public function testPHP()`
			`{`
			`global $conf,$user,$langs,$db;`
			`$conf=$this->savconf;`
			`$user=$this->savuser;`
			`$langs=$this->savlangs;`
			`$db=$this->savdb;`

Fix remove warning 2017-05-18 19:19:55 +02:00			`include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';`
Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00			`$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');`

Merge branch '5.0' of git@github.com:Dolibarr/dolibarr.git into develop Conflicts: ChangeLog htdocs/admin/tools/index.php htdocs/bookmarks/bookmarks.lib.php htdocs/compta/facture.php htdocs/core/tpl/passwordforgotten.tpl.php htdocs/fourn/ajax/getSupplierPrices.php htdocs/main.inc.php htdocs/product/stats/card.php htdocs/public/paypal/paymentko.php 2017-06-18 21:13:48 +02:00			`foreach($filesarray as $key => $file)`
Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00			`{`
			`if (preg_match('/\/htdocs\/includes\//', $file['fullname'])) continue;`
			`if (preg_match('/\/htdocs\/custom\//', $file['fullname'])) continue;`
			`if (preg_match('/\/htdocs\/dolimed/', $file['fullname'])) continue;`
Fix against SQL injection. Add phpunit to detect missing escapement. 2017-05-12 16:55:11 +02:00			`if (preg_match('/\/htdocs\/nltechno/', $file['fullname'])) continue;`
			`if (preg_match('/\/htdocs\/teclib/', $file['fullname'])) continue;`
Merge branch '5.0' of git@github.com:Dolibarr/dolibarr.git into develop Conflicts: ChangeLog htdocs/admin/tools/index.php htdocs/bookmarks/bookmarks.lib.php htdocs/compta/facture.php htdocs/core/tpl/passwordforgotten.tpl.php htdocs/fourn/ajax/getSupplierPrices.php htdocs/main.inc.php htdocs/product/stats/card.php htdocs/public/paypal/paymentko.php 2017-06-18 21:13:48 +02:00
Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00			`print 'Check php file '.$file['fullname']."\n";`
			`$filecontent=file_get_contents($file['fullname']);`
Merge branch '5.0' of git@github.com:Dolibarr/dolibarr.git into develop Conflicts: ChangeLog htdocs/admin/tools/index.php htdocs/bookmarks/bookmarks.lib.php htdocs/compta/facture.php htdocs/core/tpl/passwordforgotten.tpl.php htdocs/fourn/ajax/getSupplierPrices.php htdocs/main.inc.php htdocs/product/stats/card.php htdocs/public/paypal/paymentko.php 2017-06-18 21:13:48 +02:00
FIX pgsql compatibility. Add PHPUnit to avoid using dates without quotes 2017-07-26 21:22:53 +02:00
FIX duplicate class name into some log lines 2020-02-17 12:34:00 +01:00			`$ok=true;`
			`$matches=array();`
			`// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.`
			`preg_match_all('/'.preg_quote('get_class($this)."::".__METHOD__', '/').'/', $filecontent, $matches, PREG_SET_ORDER);`
			`foreach($matches as $key => $val)`
			`{`
			`$ok=false;`
			`break;`
			`}`
			`//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";`
			`$this->assertTrue($ok, 'Found string get_class($this)."::".__METHOD__ that must be replaced with __METHOD__ only in '.$file['fullname']);`
			`//exit;`

FIX pgsql compatibility. Add PHPUnit to avoid using dates without quotes 2017-07-26 21:22:53 +02:00			`$ok=true;`
			`$matches=array();`
			`// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.`
			`preg_match_all('/(..)\s\.\s\$this->db->idate\(/', $filecontent, $matches, PREG_SET_ORDER);`
			`foreach($matches as $key => $val)`
			`{`
wip 2019-02-25 00:56:48 +01:00			`if ($val[1] != '\'"' && $val[1] != '\'\'')`
			`{`
			`$ok=false;`
			`break;`
			`}`
			`//if ($reg[0] != 'db') $ok=false;`
FIX pgsql compatibility. Add PHPUnit to avoid using dates without quotes 2017-07-26 21:22:53 +02:00			`}`
			`//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";`
			`$this->assertTrue($ok, 'Found a $this->db->idate to forge a sql request without quotes around this date field '.$file['fullname'].' :: '.$val[0]);`
			`//exit;`


Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00			`$ok=true;`
			`$matches=array();`
Code comment 2017-05-29 13:29:27 +02:00			`// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.`
Add more robust php unit to detect not escaped sql. Fix not escaped sql 2017-09-15 15:41:07 +02:00			`preg_match_all('/(=\|sql.+)\s\'"\s\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);`
Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00			`foreach($matches as $key => $val)`
			`{`
Add more robust php unit to detect not escaped sql. Fix not escaped sql 2017-09-15 15:41:07 +02:00			`if ($val[2] != 'db->' && $val[2] != 'esca')`
Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00			`{`
			`$ok=false;`
			`break;`
			`}`
			`//if ($reg[0] != 'db') $ok=false;`
			`}`
			`//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";`
Fix against SQL injection. Add phpunit to detect missing escapement. 2017-05-12 16:55:11 +02:00			`$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['fullname'].' ('.$val[0].'). Bad.');`
Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00			`//exit;`
Merge branch '5.0' of git@github.com:Dolibarr/dolibarr.git into develop Conflicts: ChangeLog htdocs/admin/tools/index.php htdocs/bookmarks/bookmarks.lib.php htdocs/compta/facture.php htdocs/core/tpl/passwordforgotten.tpl.php htdocs/fourn/ajax/getSupplierPrices.php htdocs/main.inc.php htdocs/product/stats/card.php htdocs/public/paypal/paymentko.php 2017-06-18 21:13:48 +02:00
FIX pgsql compatibility. Add PHPUnit to avoid using dates without quotes 2017-07-26 21:22:53 +02:00
Fix security: Check _SERVER["QUERY_STRING"] is escaped. 2017-06-18 21:27:49 +02:00			`// Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped.`
Merge branch '5.0' of git@github.com:Dolibarr/dolibarr.git into develop Conflicts: ChangeLog htdocs/admin/tools/index.php htdocs/bookmarks/bookmarks.lib.php htdocs/compta/facture.php htdocs/core/tpl/passwordforgotten.tpl.php htdocs/fourn/ajax/getSupplierPrices.php htdocs/main.inc.php htdocs/product/stats/card.php htdocs/public/paypal/paymentko.php 2017-06-18 21:13:48 +02:00			`$ok=true;`
			`$matches=array();`
			`// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.`
Fix phpunit 2018-02-14 22:17:53 +01:00			`preg_match_all('/(..............)\$_SERVER\[\'QUERY_STRING\'\]/', $filecontent, $matches, PREG_SET_ORDER);`
Merge branch '5.0' of git@github.com:Dolibarr/dolibarr.git into develop Conflicts: ChangeLog htdocs/admin/tools/index.php htdocs/bookmarks/bookmarks.lib.php htdocs/compta/facture.php htdocs/core/tpl/passwordforgotten.tpl.php htdocs/fourn/ajax/getSupplierPrices.php htdocs/main.inc.php htdocs/product/stats/card.php htdocs/public/paypal/paymentko.php 2017-06-18 21:13:48 +02:00			`foreach($matches as $key => $val)`
			`{`
wip 2019-02-25 00:56:48 +01:00			`if ($val[1] != 'scape_htmltag(' && $val[1] != 'ing_nohtmltag(' && $val[1] != 'dol_escape_js(')`
Merge branch 'new_numbering_module_supplier_payment' of https://github.com/atm-ph/dolibarr into atm-ph-new_numbering_module_supplier_payment Conflicts: htdocs/accountancy/admin/productaccount.php htdocs/install/mysql/migration/3.9.0-4.0.0.sql 2016-02-15 00:31:33 +01:00			`{`
Merge branch '5.0' of git@github.com:Dolibarr/dolibarr.git into develop Conflicts: ChangeLog htdocs/admin/tools/index.php htdocs/bookmarks/bookmarks.lib.php htdocs/compta/facture.php htdocs/core/tpl/passwordforgotten.tpl.php htdocs/fourn/ajax/getSupplierPrices.php htdocs/main.inc.php htdocs/product/stats/card.php htdocs/public/paypal/paymentko.php 2017-06-18 21:13:48 +02:00			`$ok=false;`
			`break;`
Merge branch 'new_numbering_module_supplier_payment' of https://github.com/atm-ph/dolibarr into atm-ph-new_numbering_module_supplier_payment Conflicts: htdocs/accountancy/admin/productaccount.php htdocs/install/mysql/migration/3.9.0-4.0.0.sql 2016-02-15 00:31:33 +01:00			`}`
WIP PSR2 2015-01-06 17:54:36 +01:00			`}`
Fix phpunit 2017-09-14 09:16:57 +02:00			`$this->assertTrue($ok, 'Found a $_SERVER[\'QUERY_STRING\'] without dol_escape_htmltag neither dol_string_nohtmltag around it, in file '.$file['fullname'].' ('.$val[1].'$_SERVER[\'QUERY_STRING\']). Bad.');`
Fix security: Check _SERVER["QUERY_STRING"] is escaped. 2017-06-18 21:27:49 +02:00
Fix translation done twice into field title of array 2017-08-02 13:31:53 +02:00
			`// Test that first param of print_liste_field_titre is a translation key and not the translated value`
			`$ok=true;`
			`$matches=array();`
			`// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.`
			`preg_match_all('/print_liste_field_titre\(\$langs/', $filecontent, $matches, PREG_SET_ORDER);`
			`foreach($matches as $key => $val)`
			`{`
wip 2019-02-25 00:56:48 +01:00			`$ok=false;`
			`break;`
Fix translation done twice into field title of array 2017-08-02 13:31:53 +02:00			`}`
Fix bad var name 2019-03-09 01:13:15 +01:00			`$this->assertTrue($ok, 'Found a use of print_liste_field_titre with first parameter that is a translated value instead of just the translation key in file '.$file['fullname'].'. Bad.');`
Fix translation done twice into field title of array 2017-08-02 13:31:53 +02:00

Fix <br /> (xml) into <br> (html) 2018-01-17 13:26:57 +01:00			`// Test we don't have <br />`
			`$ok=true;`
Fix security: Check _SERVER["QUERY_STRING"] is escaped. 2017-06-18 21:27:49 +02:00			`$matches=array();`
			`// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.`
Fix <br /> (xml) into <br> (html) 2018-01-17 13:26:57 +01:00			`preg_match_all('/<br \/>/', $filecontent, $matches, PREG_SET_ORDER);`
Fix security: Check _SERVER["QUERY_STRING"] is escaped. 2017-06-18 21:27:49 +02:00			`foreach($matches as $key => $val)`
			`{`
wip 2019-02-25 00:56:48 +01:00			`if ($file['name'] != 'functions.lib.php')`
Fix security: Check _SERVER["QUERY_STRING"] is escaped. 2017-06-18 21:27:49 +02:00			`{`
			`$ok=false;`
			`break;`
			`}`
			`}`
Enhance phpunit 2019-04-01 18:16:50 +02:00			`$this->assertTrue($ok, 'Found a tag <br /> that is for xml in file '.$file['fullname'].'. You may use html syntax <br> instead.');`


			`// Test we don't have @var array(`
			`$ok=true;`
			`$matches=array();`
			`// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.`
			`preg_match_all('/@var\s+array\(/', $filecontent, $matches, PREG_SET_ORDER);`
			`foreach($matches as $key => $val)`
			`{`
			`$ok=false;`
			`break;`
			`}`
			`$this->assertTrue($ok, 'Found a declaration @var array() instead of @var array in file '.$file['fullname'].'.');`
Add phpunit to detect SQL not escaped string. 2017-05-12 15:45:00 +02:00			`}`

			`return;`
			`}`
			`}`