Missed catch of SQL injection in PHP code with SonarQube Developer Edition

SonarQube 9.1.0

The Developer Edition doesn’t catch the case:
the project uses Zend Framework 2 and has two PHP files:

First file:

<?php
class A {
    protected function getP($b) {
        // some insecure SQL call with $b in the block " ... ' ) AND ' . $b "
        $q = " ... ' ) AND " . $b;
        // call of "query" with $q
        $r = query($q);
    }
}

Second file:

$p = new A();
$pp = $p->getP(/* some value to be inserted into SQL */);

No catch in either the first or the second file. Logs don’t show any WARN or ERR on these files.

How can I debug the case?
Is there a full list of sinks? Maybe the code uses something that SQ doesn’t understand.

Hello Alex,

Many thanks for your question. Please excuse the late response.

Unfortunately I can’t see from this example where the source of user input is, which should lead to SQL injection in the insecure SQL method. Can you provide a better reproducer where it is recognizable at which point input is processed?

Best,
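The reply asks for a reproducer in which the taint source is visible. The following is an added example, written for this thread and not taken from either poster or from SonarSource; it keeps the two-file shape of the question but makes the source ($_GET) and the sink (an unparameterized query) explicit, and puts the bound-parameter version beside it so the difference a taint analyzer should see is clear. It assumes plain PDO with an in-memory SQLite database instead of the Zend Framework 2 adapter, and the table, column and parameter names are constructed for illustration.

```php
<?php
// Added example, not from the original thread.
// Assumptions: PDO with SQLite (instead of the Zend Framework 2 adapter);
// table "items" and the request parameters "filter" / "name" are constructed.

// ---- First file: the class containing the SQL sink ----
class A
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    // Insecure: $b is concatenated straight into the SQL text, so anything
    // that reaches $b from the request is interpreted as SQL. This is the
    // pattern from the question, with the sink made explicit.
    public function getPInsecure(string $b): array
    {
        $q = "SELECT id, name FROM items WHERE (status = 'active') AND " . $b;
        return $this->pdo->query($q)->fetchAll(PDO::FETCH_ASSOC);
    }

    // Hardened: the caller passes a value, never an SQL fragment, and the
    // value is bound as a parameter, so it can only ever be compared as data.
    public function getPSafe(string $name): array
    {
        $stmt = $this->pdo->prepare(
            "SELECT id, name FROM items WHERE status = 'active' AND name = :name"
        );
        $stmt->execute([':name' => $name]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// ---- Second file: the taint source and the call into the sink ----
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample data so the script runs offline.
$pdo->exec("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, status TEXT)");
$pdo->exec("INSERT INTO items (name, status) VALUES ('widget', 'active'), ('gadget', 'retired')");

$p = new A($pdo);

// Source: an HTTP request parameter. The default keeps the script runnable
// from the CLI; in a web context $_GET['filter'] is attacker-controlled and
// flows unchanged into the concatenated query above, which is what a taint
// analyzer needs to see in order to report S3649 (SQL injection).
$pp = $p->getPInsecure($_GET['filter'] ?? "name = 'widget'");

// Same request data, but only ever bound as a value: no SQL injection sink.
$ok = $p->getPSafe($_GET['name'] ?? 'widget');

var_dump($pp === $ok); // both return the single active "widget" row
```

For a scanner reproducer the important part is the second file: if the value handed to getP is a literal, a configuration constant, or something the analyzer cannot trace back to a request, there is no source-to-sink path to report, regardless of how the query string is built. Run from the CLI the two calls return the same row; the difference is only visible in how untrusted input would be treated.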