@ 2023-02-07T11:54:18Z <?php
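class sqli_protected_db {
    private $db;

    public function __construct() {
        // The connection is deliberately left out of this demo; query()
        // only prints the statement it would have executed.
        // $this->db = new mysqli('localhost', 'username', 'password', 'database');
    }

    /**
     * Check that $sql was written as a literal, substitute the identifier
     * aliases, then print the resulting statement.
     *
     * Values travel separately in $parameters (bound by the commented-out
     * execute_query() call). Identifiers, which cannot be bound, travel in
     * $aliases: every `{name}` placeholder in $sql is replaced by the matching
     * value, backtick-quoted with embedded backticks doubled. Quoting only
     * keeps the value inside the identifier; it does not restrict which
     * column is named, so a caller that needs an allow-list must check the
     * value itself.
     *
     * Prints '[WRONG] ' first when $sql is not a literal, i.e. it was built
     * from runtime data. is_literal() is not part of a standard PHP build;
     * this script assumes a build that provides it.
     *
     * @param string $sql        statement with `?` markers and `{alias}` placeholders
     * @param array  $parameters values for the `?` markers (unused in this demo)
     * @param array  $aliases    placeholder name => identifier text
     */
    public function query(string $sql, array $parameters = [], array $aliases = []) {
        if (!is_literal($sql)) {
            echo '[WRONG] ';
        }
        // Build the full placeholder map first and apply it with strtr(),
        // which substitutes in a single pass: an identifier whose text happens
        // to contain `{other}` is not rescanned and replaced a second time,
        // as a sequential str_replace() loop would do.
        $replacements = [];
        foreach ($aliases as $name => $value) {
            $identifier = str_replace('`', '``', (string) $value);
            $replacements['{' . $name . '}'] = '`' . $identifier . '`';
        }
        if ($replacements !== []) {
            $sql = strtr($sql, $replacements);
        }
        echo $sql . "\n\n";
        // print_r(iterator_to_array($this->db->execute_query($sql, $parameters)));
    }
}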
// Demo 1: values go through `?` placeholders, identifiers through `{alias}`.
// chr() builds each fallback at runtime, so these variables are never
// literal strings even when the request carries no such parameter.
$db = new sqli_protected_db();
$id = ($_GET['id'] ?? chr(53)); // non-LiteralString '5'
$order = ($_GET['order'] ?? chr(110)); // non-LiteralString 'n'
$db->query('SELECT name FROM user WHERE id = ?', [$id]); // Correct: the value is passed as a bound parameter
$db->query('SELECT name FROM user WHERE id = ' . $id); // WRONG: concatenating $id makes the SQL non-literal
$db->query('SELECT name FROM user ORDER BY {o}', [], ['o' => $order]); // Correct: the identifier is supplied via an alias
$db->query('SELECT name FROM user ORDER BY ' . $order); // WRONG: the identifier is concatenated into the SQL
echo "-----\n\n";
class query_builder {
    /**
     * Print one WHERE fragment, flagging any part that was not written as
     * a literal by the developer.
     *
     * $column and $operator become part of the SQL text and so must be
     * literal; $value is only ever represented by a `?` marker. Prints
     * '[WRONG] ' first when $column, or a non-null $operator, is not a literal.
     *
     * @param string      $column   column expression, emitted verbatim
     * @param string|null $operator comparison operator, emitted verbatim when given
     * @param mixed       $value    bound value, shown only as `?`
     */
    public function where(String $column, ?String $operator = null, $value = null) {
        $columnIsLiteral = is_literal($column);
        $operatorIsLiteral = is_literal($operator) || $operator === null;
        if (!$columnIsLiteral || !$operatorIsLiteral) {
            echo '[WRONG] ';
        }

        $fragment = $column;
        if ($operator !== null) {
            $fragment .= ' ' . $operator;
        }
        if ($value !== null) {
            $fragment .= ' ?';
        }
        echo $fragment . "\n\n";
    }
}
// Demo 2: a query-builder style API. Only the column and operator end up in
// the SQL text; the value is always represented by a `?` marker.
$qb = new query_builder();
$name = ($_GET['name'] ?? chr(110)); // non-LiteralString 'n'
$field = ($_GET['field'] ?? chr(102)); // non-LiteralString 'f'
$value = ($_GET['value'] ?? chr(118)); // non-LiteralString 'v'
$qb->where('CONCAT(name_first, " ", name_last)', 'LIKE', $name); // Correct: column and operator are literals, $name is a bound value
$qb->where('CONCAT(name_first, " ", name_last) LIKE "' . $name . '"'); // WRONG: $name is concatenated into the column expression
$qb->where('some_value IS NULL'); // Correct: a literal with no operator or value
$qb->where($field, '=', $value); // WRONG: the column name comes from request input
echo "-----\n\n";
// https://github.com/doctrine/orm/blob/2.12.x/lib/Doctrine/ORM/Query/Expr/Func.php
class Func {
    protected $name;
    protected $arguments;

    /**
     * A SQL function-call expression, modelled on Doctrine's Expr\Func.
     *
     * @param mixed $name      function name, emitted verbatim
     * @param array $arguments argument expressions, emitted verbatim
     */
    public function __construct($name, $arguments) {
        $this->name = $name;
        $this->arguments = $arguments;
    }

    /** Render as `NAME(arg1, arg2, ...)`, joining the arguments with ', '. */
    public function __toString() {
        $argumentList = implode(', ', $this->arguments);
        return $this->name . '(' . $argumentList . ')';
    }
}
/**
 * Render $func to SQL and print it, prefixed with '[WRONG] ' when the
 * rendered text is not a literal string (its name or one of its arguments
 * came from runtime data).
 *
 * @param Func $func expression to render
 */
function check_func(Func $func) {
    $rendered = (string) $func;
    $prefix = is_literal($rendered) ? '' : '[WRONG] ';
    echo $prefix . $rendered . "\n\n";
}
// Demo 3: a composed expression object. Its rendered SQL is literal only
// when the function name and every argument were literals.
$func = ($_GET['func'] ?? chr(102)); // non-LiteralString 'f'
$value = ($_GET['value'] ?? chr(118)); // non-LiteralString 'v'
check_func(new Func('MIN', ['field1', 'field2'])); // Correct: name and arguments are all literals
check_func(new Func($func, ['field1', 'field2'])); // WRONG: the function name comes from request input
check_func(new Func('MIN', ['field1', $value])); // WRONG: an argument comes from request input
?>