How to make a function specified in array_map be recognized as a sanitizer in PHP custom configuration

The following is written in the PHP custom configuration.

```json
{
  "S3649": {
    "sanitizers": [
      {
        "methodId": "intval",
        "args": [
          1
        ]
      }
    ]
  }
}
```

However, the following code is still detected as a suspected SQL injection.

```php
<?php

// Comma-separated list of ids taken straight from the query string (tainted).
$arType = explode(",", $_GET["type"]);

// Every element goes through intval(), but via array_map() rather than a direct call.
$arType = array_map(intval(...), $arType);

// The integers are concatenated back into the IN (...) clause.
$sql = "select a from b where id in (" . implode(",", $arType) . ")";

echo $sql;

mysql_query($sql);
```

I think that if array_map is used, it may not be recognized as a sanitizer, but is there any way to deal with this in the PHP custom configuration?

I searched the ucfg file, but couldn’t find intval, so I think this is probably a problem that cannot be addressed by custom configuration.
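As an added example (not code from the original post or from SonarSource), the same input handling written so that every element is passed to `intval()` directly in a loop instead of through `array_map()`, combined with a prepared statement so the id values are bound as parameters rather than concatenated into the SQL text. The function names `parseIdList` and `selectByIds`, the sample input, and the in-memory SQLite table are constructed for this example; it assumes the `pdo_sqlite` extension is available, and whether the analyzer treats the explicit loop form as sanitized is an assumption, not something the thread confirms.

```php
<?php
// Added example, not from the original post. Assumes PHP 7.4+ with pdo_sqlite.

declare(strict_types=1);

/**
 * Split a comma-separated id list and coerce each element to int.
 * Each element is handed to intval() directly (not via array_map()), and
 * anything that is not a plain non-negative integer is dropped.
 *
 * @return int[]
 */
function parseIdList(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $piece) {
        $piece = trim($piece);
        if ($piece === '' || !ctype_digit($piece)) {
            continue;
        }
        $ids[] = intval($piece);
    }
    return $ids;
}

/**
 * Run SELECT a FROM b WHERE id IN (...) with one placeholder per id.
 * The placeholder list is generated from the count of ids; the values are
 * bound separately as integers, so they never become part of the SQL string.
 *
 * @param int[] $ids
 * @return string[]
 */
function selectByIds(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT a FROM b WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample input standing in for $_GET["type"].
$raw = "3, 17,abc,42";
$ids = parseIdList($raw);   // [3, 17, 42]

// Constructed in-memory database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE b (id INTEGER PRIMARY KEY, a TEXT)');
$pdo->exec("INSERT INTO b VALUES (3,'three'),(17,'seventeen'),(42,'forty-two'),(99,'ninety-nine')");

print_r(selectByIds($pdo, $ids));
```

The prepared-statement form does not depend on any sanitizer being recognized: the query text contains only `?` placeholders, so the taint analysis has no string concatenation of user input to flag.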

Hi Inui Takeshi, welcome to our community! :slight_smile:

Thanks for reaching out to us, and pointing out this problem.

You guessed it right, it cannot be addressed with custom configuration, as currently array_map is simply considered a passthrough for the second argument.

I’ve created an internal ticket to fix this, but I can’t give you a timeline.

Best regards,

Renaud

Thank you for your response.

I would appreciate it if you could implement the fix. I look forward to your update.