Merge pull request #11078 from kamil-tekiela/mysqli_real_escape_string

vimeo · Sep 7, 2024 · 4324122 · 4324122
2 parents 3ff52fb + 3e1165d
commit 4324122
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 6 deletions.
diff --git a/stubs/CoreGenericFunctions.phpstub b/stubs/CoreGenericFunctions.phpstub
@@ -1674,15 +1674,15 @@ function stream_select(null|array &$read, null|array &$write, null|array &$excep
  * @psalm-taint-escape sql
  * @psalm-flow ($string) -> return
  */
-function mysqli_escape_string($string) {}
+function mysqli_escape_string(mysqli $mysqli, $string) {}
 
 /**
  * @psalm-pure
  *
  * @psalm-taint-escape sql
  * @psalm-flow ($string) -> return
  */
-function mysqli_real_escape_string($string) {}
+function mysqli_real_escape_string(mysqli $mysqli, $string) {}
 
 /**
  * @psalm-pure

diff --git a/tests/TaintTest.php b/tests/TaintTest.php
@@ -744,9 +744,9 @@ function bar(array $arr): void {
                     $mysqli = new mysqli();
 
                     $a = $mysqli->escape_string($_GET["a"]);
-                    $b = mysqli_escape_string($_GET["b"]);
+                    $b = mysqli_escape_string($mysqli, $_GET["b"]);
                     $c = $mysqli->real_escape_string($_GET["c"]);
-                    $d = mysqli_real_escape_string($_GET["d"]);
+                    $d = mysqli_real_escape_string($mysqli, $_GET["d"]);
 
                     $mysqli->query("$a$b$c$d");',
             ],
@@ -2434,12 +2434,14 @@ public static function getPrevious(string $s): string {
             ],
             'assertMysqliOnlyEscapesSqlTaints3' => [
                 'code' => '<?php
-                    echo mysqli_escape_string($_GET["a"]);',
+                    $mysqli = new mysqli();
+                    echo mysqli_escape_string($mysqli, $_GET["a"]);',
                 'error_message' => 'TaintedHtml',
             ],
             'assertMysqliOnlyEscapesSqlTaints4' => [
                 'code' => '<?php
-                    echo mysqli_real_escape_string($_GET["a"]);',
+                    $mysqli = new mysqli();
+                    echo mysqli_real_escape_string($mysqli, $_GET["a"]);',
                 'error_message' => 'TaintedHtml',
             ],
             'assertDb2OnlyEscapesSqlTaints' => [