Fortify Scan - Possible Variable Overwrite: Global Scope - codeigniter

We had Forify scan for our website code and fortify reported few issues. We are using CodeIgniter 3.1.9 framework. One of the issue they mentioned as
Possible Variable Overwrite' for function 'extract()' in file mysqli_utility.php.
As this is core file of CI framework, I'm not using this function directly and also I do not know where this function getting used by CI.
Will you please help to resolve the issue reported by Fortify? What could be the solution?

extract() imports variables from an array into the current symbol table. The phrase "current symbol table" basically means into the current scope of the code. For the usage in question, extract() is called inside a class method. So the current scope for the extracted vars will be in that method and that method only for that instance of the class.
CodeIgniter's core code does not define or use global variables. Unless code developed for the application uses globals (which it should not as "globals" are more of a "procedural programming" thing) the possibility of overwriting is exceedingly low.
I'm curious as to why the scan didn't pick up all the other times extract is used by CodeIgniter.

Related

Global Variables in Laravel for Views, Controllers, Models etc

I know this question has been asked before, but I am struggling to find an answer that fits my needs, or is for the most up to date version of Laravel.
Basically, I have a load of variables that will be created using data from the Route and the database. For example, I need to use the Route to set a variable called "current_page" which extracts details from the "pages" table using the unique url column. ($current_page = Page::where('url', <url-taken-from-route>)->first();)
$current_page will need to contain several relationships. There are also other global variables such as $current_site (this is a kind of multi-site environment with one home page and nested microsites) etc.
I feel the configuration files are not the right place to create these variables as a) the value of the variables can be nested and complicated and b) they are not constants but data retrieved from a database.
View Composers obviously only work with views, and a Helper class just feels too generic considering we are dealing with pages, sites, and possibly other global variables.
I gather global variables are frowned upon, but these truly are global. The values will always be the same (albeit dynamic) on every occasion, and will be required by most views and controllers.
I have also thought about putting methods in my already existing Page and Site controllers so I can call Page::current(), but am not sure putting static methods in a mostly non-static controller is the right thing to do. Also, this would make a database call every time I called Page::current() rather than having the current page stored in memory somewhere.
For now, I have created a BaseController which all other controllers extend from. I have put these variables in the constructor and manually passed them to the view in each method. (I know that is messy and doesn't work for models).
So what is the best solution here? Where to declare a global variable that can be used anywhere, but doesn't feel hacky?
Thanks

Avoid function duplication of dump function by psysh

I am developer of imi-conrun and have a problem: We use the psySh package we would like not to drop and defines the global scope function "dump" and have to initialize the Contao core which defines the global scope function "dump" as well without checking if the function is registered and then crashes.
Is there any possibility to only remove the dump function from psySh without making a fork?
I think there is no real solution for this.
In the end it turn's out I do not need PsySH - so I removed it - problem solved.
Might make the suggestion to Contao to not blindly defined the dump function without a function_exists() call
On the other hand I could ensure that Contao is loaded first, then PsySH and thus would not define the dump() function again which would mean to run the composer autoload before the Contao init.
TL;DR: global name space functions are bad.

Basic on Codeigniter controller

I am new in codeigniter framework.I have some question.When we write some controller class then we call constructor.I am loading some library and some helper.I want to know what is the perfect way for loading this helper and library under construct class or under other functions.If i load everything in construct class then what is the disadvantages for it?if i use more controller class for one project then it is good or bad.Like i want to use some controller class for ajax functionalities,some for form submission,some for other sector.My english is not so good.Please help me.
For common libraries and helpers used by all functions of your controller try to load it in constructor or autoload. Except that for specific libraries e.g. payment gateway load inside the function.
How you use or how many controllers you are using depends upon your needs. But I would suggest you to build separate controllers for separate functions. Like admin for admin functions, users for user related functions, and so on. It build a user friendly URL too.
Well! everything depends on your requirements.
If you need any library , model or helper globally you can autoload it autoload.php.
It means the loading will be done on each request.
if you need any library , model or helper throughout your controller methods you can load them in constructor.
It means loading will be done on each method of controller.
if you need any library , model or helper for specific method you can load them in method.
It means loading will be done in method only.
For example let suppose you nees session and database library throughout your application so you can autoload it.
For a specific controller you need priviliges library so load it in constructor.
For email you need to send load email library in function.
These are only examples. You can explore SO to find more.
Loading takes time and performance. Not noticeable time by human standards, but time regardless. In order to cut of some slack to your server in the future, you do it a favor by only loading whatever is it you require for each page/controller method.
Used (almost) always
You can use application/config/autoload.php for things you almost always use. I usually include the helper url here.
Used (almost) always inside specific controller
Load it inside controller __construct. Don't forget to include parent::__construct();.
Used inside specific page
Load it inside method/function.
Used inside specific function
Load it at beginning or inside if-statement in function. You can load it numerous of times, it will only execute first time.

CodeIgniter: Decision making for creating of library & helper in CodeIgniter

After developing in CodeIgniter for awhile, I find it difficult to make decisions when to create a custom library and when to create a custom helper.
I do understand that both allow having business logic in it and are reusable across the framework (calling from different controller etc.)
But I strongly believe that the fact that CI core developers are separating libraries from helpers, there has to be a reason behind it and I guess, this is the reason waiting for me to discover and get enlightened.
CI developers out there, pls advise.
i think it's better to include an example.
I could have a
class notification_lib {
function set_message() { /*...*/}
function get_message() {/*...*/}
function update_message() {/*...*/}
}
Alternatively, i could also include all the functions into a helper.
In a notification_helper.php file, i will include set_message(), get_message(), update_message()..
Where either way, it still can be reused. So this got me thinking about the decision making point about when exactly do we create a library and a helper particularly in CI.
In a normal (framework-less) php app, the choice is clear as there is no helper, you will just need to create a library in order to reuse codes. But here, in CI, I would like to understand the core developers seperation of libraries and helpers
Well the choice comes down to set of functions or class. The choice is almost the same as a instance class verses a static class.
If you have just a simply group of functions then you only need to make a group of functions. If these group of functions share a lot of data, then you need to make a class that has an instance to store this data in between the method (class function) calls.
Do you have many public or private properties to store relating to your notification messages?
If you use a class, you could set multiple messages through the system then get_messages() could return a private array of messages. That would make it perfect for being a library.
There is a question I ask myself when deciding this that I think will help you as well. The question is: Am I providing a feature to my framework or am I consolidating?
If you have a feature that you are adding to your framework, then you'll want to create a library for that. Form validation, for example, is a feature that you are adding to a framework. Even though you can do form validation without this library, you're creating a standard system for validation which is a feature.
However, there is also a form helper which helps you create the HTML of forms. The big difference from the form validation library is that the form helper isn't creating a new feature, its just a set of related functions that help you write the HTML of forms properly.
Hopefully this differentiation will help you as it has me.
First of all, you should be sure that you understand the difference between CI library and helper class. Helper class is anything that helps any pre-made thing such as array, string, uri, etc; they are there and PHP already provides functions for them but you still create a helper to add more functionality to them.
On the other hand, library can be anything like something you are creating for the first time, any solution which might not be necessarily already out there.
Once you understand this difference fully, taking decision must not be that difficult.
Helper contains a group of functions to help you do a particular task.
Available helpers in CI
Libraries usually contain non-CI specific functionality. Like an image library. Something which is portable between applications.
Available libraries in CI
Source link
If someone ask me what the way you follow when time comes to create Helpers or Libraries.
I think these differences:
Class : In a nutshell, a Class is a blueprint for an object. And an object encapsulates conceptually related State and Responsibility of something in your Application and usually offers an programming interface with which to interact with these. This fosters code reuse and improves maintainability.
Functions : A function is a piece of code which takes one more input in the form of parameter and does some processing and returns a value. You already have seen many functions like fopen() and fread() etc. They are built-in functions but PHP gives you option to create your own functions as well.
So go for Class i.e. libraries if any one point matches
global variable need to use in two or more functions or even one, I hate using Global keyword
default initialization as per each time call or load
some tasks are private to entity not publicly open, think of functions never have public modifiers why?
function to function dependencies i.e. tasks are separated but two or more tasks needs it. Think of validate_email check only for email sending script for to,cc,bcc,etc. all of these needs validate_email.
And Lastly not least all related tasks i.e. functions should be placed in single object or file, it's easier for reference and remembrance.
For Helpers : any point which not matches with libraries
Personally I use libraries for big things, say an FTP-library I built that is a lot faster than CodeIgniters shipped library. This is a class with a lot of methods that share data with each other.
I use helpers for smaller tasks that are not related to a lot of other functionality. Small functions like decorating strings might be an example. Or copying a directory recursively to another location.

No need to extend class/library in codeigniter

I would like to check if my assumption about codeigniter is right ?
We would normally extend a class when we are trying to include more functionality to the core, such as MY_Controller extends Controller, MY_Model extends Model etc...
But for example, if we are in the checkout library retrieving some checkout info(eg, product_id), we can just $this->load->library('product_lib',array('product_id'=>$product_id)) and we can easily $this->product_lib->product_name etc... from the checkout library right?
The $this->load thing is kind of equivalent to "hard code" checkout library to extend product_lib(class checkout_lib extends product_lib) to be able to use whatever methods/variables there is in the product_lib.
Please enlighten me.
In CodeIgniter $this->load is like having a resource manager (e.g. resourceManager->load("path/to/file")) and it takes care of loading the library, and passing any arguments you specify and such, easily allowing you to quickly get to using it.
So if you have a variable named product_name in your product_lib then yes calling $this->product_lib->product_name will be accessing that variable.
Really it just places the library into an array with the library name as the key and the instance of the library as the value so calling $this->product_lib is really calling something similar to $loadedLibraries['product_lib'] and returning the instance.
I hope that answers what you are asking, I'm quite tired and could have miss understood you question.
I think you misunderstood the OO paradigm and the way CI work.
$this->load is same with instantiate an object of the library/model, or load the helper file. CI have some sort of management to see if the helper/library/model already uploaded or not.
In other hand, the extends is used when defining a class, to tell PHP that the class will be inherit the parent class properties and method. A class is a blue print of object it will produce.
Maybe you can start by understanding the OO concept first. You can read this as a start, and see the reference used there.

Resources