From ab9bf78ecfdcc21464d3b38b642a6430e4d5a390 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20FRANCE?=
Date: Sat, 1 Sep 2018 17:42:16 +0200
Subject: [PATCH] replace test_sql_and_script_inject
---
 htdocs/core/class/html.form.class.php | 8 +--
 htdocs/main.inc.php | 4 +-
 test/phpunit/CoreTest.php | 79 +++++++++++++--------------
 3 files changed, 45 insertions(+), 46 deletions(-)
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 0419e2cfc68..38bf8289ed5 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -51,12 +51,12 @@ class Form
 * @var DoliDB Database handler.
 */
 public $db;
-
+
 /**
 * @var string Error code (or message)
 */
 public $error='';
-
+
 var $num;
 // Cache arrays
@@ -1099,8 +1099,8 @@ class Form
 else if (!is_array($selected)) $selected = array($selected);
 // Clean $filter that may contains sql conditions so sql code
- if (function_exists('test_sql_and_script_inject')) {
- if (test_sql_and_script_inject($filter, 3)>0) {
+ if (function_exists('testSqlAndScriptInject')) {
+ if (testSqlAndScriptInject($filter, 3)>0) {
 $filter ='';
 }
 }
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 26dcb94a0ba..8af8147d552 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -75,7 +75,7 @@ if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* deprecated in PHP
 * @param string $type 1=GET, 0=POST, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test)
 * @return int >0 if there is an injection, 0 if none
 */
-function test_sql_and_script_inject($val, $type)
+function testSqlAndScriptInject($val, $type)
 {
 $inj = 0;
 // For SQL Injection (only GET are used to be included into bad escaped SQL requests)
@@ -158,7 +158,7 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
 } else {
- return (test_sql_and_script_inject($var, $type) <= 0);
+ return (testSqlAndScriptInject($var, $type) <= 0);
 } }
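Review bot: The `function_exists('testSqlAndScriptInject')` guard on the new lines of the html.form.class.php hunk fails open: the function is declared in htdocs/main.inc.php, not in this class file, so in any context where main.inc.php is not loaded the whole check is skipped and `$filter` is kept untouched, even though the comment just above says the purpose is to strip SQL out of it. For a filter whose job is to reject attacker-supplied SQL fragments, the fallback should be the restrictive one, e.g. add `else { $filter = ''; }` after the guard, or call the function unconditionally so a missing definition fails loudly instead of silently bypassing the check. What happens to `$filter` afterwards is outside the hunk, so I cannot confirm it reaches a query unescaped; the enclosing method starts and ends outside this hunk.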
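Review bot: In the htdocs/main.inc.php hunk the global function is renamed with no alias left behind, so any remaining `test_sql_and_script_inject(...)` call becomes an undefined-function fatal; the commit updates the two in-tree callers, but code outside this tree (custom modules, if any call it) would break on upgrade rather than degrade. A one-line deprecated shim next to the new definition keeps them working until they migrate: `/** @deprecated Use testSqlAndScriptInject() */ function test_sql_and_script_inject($val, $type) { return testSqlAndScriptInject($val, $type); }`. The body of the renamed function continues outside the hunk.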
diff --git a/test/phpunit/CoreTest.php b/test/phpunit/CoreTest.php
index c29adf0861f..14493d3dbae 100644
--- a/test/phpunit/CoreTest.php
+++ b/test/phpunit/CoreTest.php
@@ -257,8 +257,7 @@ class CoreTest extends PHPUnit_Framework_TestCase
 * @param string $type 1=GET, 0=POST, 2=PHP_SELF
 * @return int >0 if there is an injection
 */
- // phpcs:ignore PEAR.NamingConventions.ValidFunctionName.NotCamelCaps
- function test_sql_and_script_inject($val, $type)
+ function testSqlAndScriptInject($val, $type)
 {
 $inj = 0;
 // For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests)
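Review bot: The renamed method `testSqlAndScriptInject($val, $type)` declared inside `class CoreTest extends PHPUnit_Framework_TestCase` is a second copy of the production filter from htdocs/main.inc.php, and as a public method whose name starts with `test` it will presumably be collected by PHPUnit as a test case (with two required parameters and no data provider, that run can only error out). The assertions further down in this file call `testSqlAndScriptInject(...)` as a bare function, not `$this->`, so they exercise the global function and this copy is never what is under test; a duplicated security filter that nothing calls can silently drift from the real one. I would drop the duplicate, or if it must stay, rename it so PHPUnit ignores it and add `// Local copy of the filter in htdocs/main.inc.php; not called by the assertions below` above it. The method body continues outside the hunk.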
@@ -307,55 +306,55 @@ class CoreTest extends PHPUnit_Framework_TestCase
 $expectedresult=0;
 $_SERVER["PHP_SELF"]='/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices';
- $result=test_sql_and_script_inject($_SERVER["PHP_SELF"], 2);
- $this->assertEquals($expectedresult, $result, 'Error on test_sql_and_script_inject 1a');
+ $result=testSqlAndScriptInject($_SERVER["PHP_SELF"], 2);
+ $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject 1a');
 // Should detect XSS
 $expectedresult=1;
 $_SERVER["PHP_SELF"]='/DIR WITH SPACE/htdocs/admin/index.php?mainmenu=home&leftmenu=setup&username=weservices;badaction';
- $result=test_sql_and_script_inject($_SERVER["PHP_SELF"], 2);
- $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject 1b');
+ $result=testSqlAndScriptInject($_SERVER["PHP_SELF"], 2);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject 1b');
 $test="";
- $result=test_sql_and_script_inject($test, 0);
- $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject aaa');
+ $result=testSqlAndScriptInject($test, 0);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa');
 $test="";
- $result=test_sql_and_script_inject($test, 2);
- $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject aaa2');
+ $result=testSqlAndScriptInject($test, 2);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa2');
 $test='';
- $result=test_sql_and_script_inject($test, 0);
- $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject aaa3');
+ $result=testSqlAndScriptInject($test, 0);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa3');
 $test='';
- $result=test_sql_and_script_inject($test, 0);
- $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject aaa4');
+ $result=testSqlAndScriptInject($test, 0);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa4');
 $test='';
- $result=test_sql_and_script_inject($test, 0);
- $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject aaa5');
+ $result=testSqlAndScriptInject($test, 0);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa5');
 $test='';
- $result=test_sql_and_script_inject($test, 0);
- $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject aaa6');
+ $result=testSqlAndScriptInject($test, 0);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa6');
 $test='';
- $result=test_sql_and_script_inject($test, 0);
- $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject aaa7');
+ $result=testSqlAndScriptInject($test, 0);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa7');
 $test='';
- $result=test_sql_and_script_inject($test, 0);
- $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject bbb');
+ $result=testSqlAndScriptInject($test, 0);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject bbb');
 $test='';
- $result=test_sql_and_script_inject($test, 0);
- $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject ccc');
+ $result=testSqlAndScriptInject($test, 0);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject ccc');
 $test='';
- $result=test_sql_and_script_inject($test, 1);
- $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject ddd');
+ $result=testSqlAndScriptInject($test, 1);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject ddd');
 $test='">';
- $result=test_sql_and_script_inject($test, 0);
- $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject eee');
+ $result=testSqlAndScriptInject($test, 0);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject eee');
 $test=' ';
- $result=test_sql_and_script_inject($test, 0);
- $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject eee');
+ $result=testSqlAndScriptInject($test, 0);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject eee');
 $test=""; // Is locked by some brwoser like chrome because the default directive no-referrer-when-downgrade is sent when requesting the SRC and then refused because of browser protection on img src load without referrer.
 $test=""; // Same
 $test='';
- $result=test_sql_and_script_inject($test, 0);
- $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject fff1');
+ $result=testSqlAndScriptInject($test, 0);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject fff1');
 $test='';
- $result=test_sql_and_script_inject($test, 0);
- $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject fff2');
+ $result=testSqlAndScriptInject($test, 0);
+ $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject fff2');
 // This case seems to be filtered by browsers now.
 $test='';
- //$result=test_sql_and_script_inject($test, 0);
- //$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject ggg');
+ //$result=testSqlAndScriptInject($test, 0);
+ //$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject ggg');
 $test='