diff --git a/build/.phan/plugin-checker.php b/build/.phan/plugin-checker.php
index 92eb3496ed..f7946fc2a4 100644
--- a/build/.phan/plugin-checker.php
+++ b/build/.phan/plugin-checker.php
@@ -20,17 +20,17 @@
 */
 $expected = <<emit(
 'SqlInjectionChecker',
- 'Potential SQL injection detected',
+ 'Potential SQL injection detected - ' . $hint,
 [],
 \Phan\Issue::SEVERITY_CRITICAL
 );
@@ -64,6 +64,8 @@ class SqlInjectionCheckerVisitor extends PluginAwareAnalysisVisitor {
 'createNamedParameter',
 'createPositionalParameter',
 'createParameter',
+ 'createFunction',
+ 'func',
 ];
 $functionsToSearch = [
@@ -84,7 +86,7 @@ class SqlInjectionCheckerVisitor extends PluginAwareAnalysisVisitor {
 // For set actions
 if(isset($node->children['method']) && in_array($node->children['method'], $functionsToSearch, true) && !is_string($subChild)) {
 if(!isset($subChild->children['method']) || !in_array($subChild->children['method'], $safeFunctions, true)) {
- $this->throwError();
+ $this->throwError('method: ' . ($subChild->children['method'] ?? 'no child method'));
 }
 }
@@ -115,7 +117,7 @@ class SqlInjectionCheckerVisitor extends PluginAwareAnalysisVisitor {
 // If it is an IParameter or a pure string no error is thrown
 if((string)$expandedNode !== '\OCP\DB\QueryBuilder\IParameter' && !is_string($secondParameterNode)) {
- $this->throwError();
+ $this->throwError('neither a parameter nor a string');
 }
 }
 }
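Review bot: The new issue text concatenates `$hint` unconditionally, so a caller passing an empty hint would report `Potential SQL injection detected - ` with a dangling separator; the throwError() signature is not recoverable from this hunk (most of its old lines are missing from the view and the function starts outside it), so I cannot tell whether `$hint` is typed or defaulted. Type the parameter as `string $hint`, give it a one-line docblock stating that it is appended to the reported issue text to identify which rule fired, and build the message as `'Potential SQL injection detected' . ($hint !== '' ? ' - ' . $hint : '')` so the format stays clean for both cases.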
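Review bot: `createFunction` and `func` are added to the allow-list of builder methods whose result is accepted without further inspection, but nothing in the hunk records why that is acceptable; judging by its name, `createFunction` wraps a raw SQL expression string (confirm against IQueryBuilder), so any concatenation performed inside that argument becomes invisible to this checker from this commit on. That is a deliberate trade-off worth stating next to the entries, e.g. `// createFunction/func wrap raw SQL fragments: the checker does not look at what is concatenated into them`, and ideally a follow-up that recurses into their first argument the way the set/where branch does. The `$safeFunctions` assignment and the enclosing method both start outside the hunk.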
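Review bot: The hint built on the added line assumes `$subChild->children['method']` is a string, but this branch is also reached when the name is present and merely absent from `$safeFunctions`; if I recall php-ast correctly, a dynamic call such as `$obj->$name()` carries an `ast\Node` in that slot, and concatenating it would abort the analysis with a conversion error instead of reporting the finding. Guard the type before concatenating: `$method = $subChild->children['method'] ?? null;` followed by `$this->throwError('method: ' . (is_string($method) ? $method : 'no child method'));`. The enclosing method starts and ends outside the hunk.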
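Review bot: The hint on the added line is a constant, whereas the parallel hint in the set-action branch names the offending method, so this finding gives the reader nothing to locate; since `$expandedNode` is already cast to string in the condition on the line above, the same cast makes the report actionable: `$this->throwError('neither a parameter nor a string, got ' . (string)$expandedNode);`. The enclosing method starts outside the hunk.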