The following is written in the PHP custom configuration.
{
  "S3649": {
    "sanitizers": [
      {
        "methodId": "intval",
        "args": [
          1
        ]
      }
    ]
  }
}
However, the following code is still detected as a suspected SQL injection.
<?php
// Split the comma-separated "type" query parameter into an array of strings
$arType = explode(",", $_GET["type"]);
// Cast every element to int (intval(...) is PHP 8.1 first-class callable syntax)
$arType = array_map(intval(...), $arType);
// Build the IN (...) list from the sanitized values
$sql = "select a from b where id in (" . implode(",", $arType) . ")";
echo $sql;
mysql_query($sql);
I think that if array_map is used, it may not be recognized as a sanitizer, but is there any way to deal with this in the PHP custom configuration?
I searched the ucfg file, but couldn’t find intval, so I think this is probably a problem that cannot be addressed by custom configuration.
Hi Inui Takeshi, welcome to our community! 
Thanks for reaching out to us, and pointing out this problem.
You guessed it right, it cannot be addressed with custom configuration, as currently array_map is simply considered a passthrough for the second argument.
I’ve created an internal ticket to fix this, but I can’t give you a timeline.
Best regards,
Renaud
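As an added example (not code from the thread or from the analyzer's rule set), here are two ways to restructure the snippet above so that the integer sanitisation does not depend on array_map being understood. Variant A assumes the analyzer applies the configured intval sanitizer to a direct call on each element; variant B avoids splicing values into the SQL text at all, with the database connection details left as placeholders.

```php
<?php
// Added example, not from the thread. Handles the comma-separated "type"
// parameter without relying on array_map() being modelled as a sanitizer.

/**
 * Variant A: sanitise each element with a direct intval() call instead of
 * array_map(intval(...)). Assumption: the analyzer applies the configured
 * intval sanitizer (S3649 config above) to direct calls.
 */
function sanitizeIdList(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $ids[] = intval($part);   // non-numeric input becomes 0, trailing junk is dropped
    }
    return $ids;
}

/**
 * Variant B (preferred): build one positional placeholder per element and bind
 * the integers, so the query text never contains user input, whether or not a
 * sanitizer is recognised.
 */
function buildInQuery(array $ids): array
{
    if ($ids === []) {
        // "IN ()" is a syntax error in MySQL; return a query that matches nothing.
        return ['SELECT a FROM b WHERE 1 = 0', []];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return ["SELECT a FROM b WHERE id IN ($placeholders)", array_values($ids)];
}

// Constructed sample input standing in for $_GET["type"]
$raw = "1,2,abc,4' OR '1'='1";
$ids = sanitizeIdList($raw);            // [1, 2, 0, 4]
[$sql, $params] = buildInQuery($ids);   // "SELECT a FROM b WHERE id IN (?,?,?,?)", [1, 2, 0, 4]

echo $sql, PHP_EOL, implode(',', $params), PHP_EOL;

// Execution with PDO (connection values are placeholders, not real credentials):
// $pdo  = new PDO('mysql:host=DB_HOST;dbname=DB_NAME', 'DB_USER', 'DB_PASSWORD');
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
```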
Thank you for your response.
I would appreciate it if you could implement the fix. I look forward to your update.