From 7c53c9da407599a4225abd0810baf7f440146fd7 Mon Sep 17 00:00:00 2001
From: cgocast
Date: Fri, 21 Jun 2024 09:30:18 +0200
Subject: [PATCH] Add mysqli.execute-query as sink for TaintedSql

---
 stubs/extensions/mysqli.phpstub | 10 ++++++++++
 tests/TaintTest.php | 16 ++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/stubs/extensions/mysqli.phpstub b/stubs/extensions/mysqli.phpstub
index 39566bc9592..370db68690b 100644
--- a/stubs/extensions/mysqli.phpstub
+++ b/stubs/extensions/mysqli.phpstub
@@ -126,6 +126,11 @@ class mysqli
 * @var int<-1, max>|numeric-string
 */
 public int|string $affected_rows;
+
+ /**
+ * @psalm-taint-sink sql $query
+ */
+ public function execute_query(string $query, ?array $params = null): mysqli_result|bool {}
 }
 
 /**
@@ -190,6 +195,11 @@ class mysqli_stmt
 public string $sqlstate;
 }
 
+/**
+ * @psalm-taint-sink sql $query
+ */
+function mysqli_execute_query(mysqli $mysql, string $query, ?array $params = null): mysqli_result|bool {}
+
 /**
 * @psalm-taint-sink callable $class
 *
diff --git a/tests/TaintTest.php b/tests/TaintTest.php
index 6439b366c1d..27ea0a7a134 100644
--- a/tests/TaintTest.php
+++ b/tests/TaintTest.php
@@ -2511,6 +2511,22 @@ public static function getPrevious(string $s): string { $function->invoke();', 'error_message' => 'TaintedCallable', ], + 'taintedExecuteQueryFunction' => [ + 'code' => ' 'TaintedSql', + ], + 'taintedExecuteQueryMethod' => [ + 'code' => 'execute_query($query);', + 'error_message' => 'TaintedSql', + ], ]; }
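Review bot: The new `execute_query` stub marks only `$query` as the sql sink and leaves `$params` unannotated, but the docblock does not record that this is deliberate, so a later maintainer may "complete" it by adding `$params` as a sink and turn the bound-parameter path into a false positive. Suggest extending the docblock with a why-line, e.g. `* $params is intentionally not a sink: values are bound to the prepared statement rather than interpolated into $query.` The same applies to the `mysqli_execute_query` function stub added in the next hunk, which carries the identical one-line docblock. The enclosing `class mysqli` starts outside this hunk.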
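Review bot: Both added cases only prove that taint reaching `$query` is reported as TaintedSql; there is no companion case in the valid-code provider showing that request data passed solely through `$params` with a constant query string stays clean, which is the behaviour the stubs rely on to avoid false positives on the safe path. The `'code'` strings of `taintedExecuteQueryFunction` and `taintedExecuteQueryMethod` appear truncated in the extracted text, so I cannot confirm exactly what each exercises; if they differ only in function-versus-method form, one negative case per form (a fixed placeholder query and a tainted value inside the `$params` array) would round this out. The enclosing data-provider method starts before this hunk.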