added PdoStatementExecuteErrorMethodRule (#58)

Co-authored-by: Markus Staab <m.staab@complex-it.de>

Author: staabm

config/dba.neon

@@ -3,6 +3,10 @@ includes:
 	- extensions.neon
 
 services:
+	-
+		class: staabm\PHPStanDba\Rules\PdoStatementExecuteErrorMethodRule
+		tags: [phpstan.rules.rule]
+
 	-
 		class: staabm\PHPStanDba\Rules\SyntaxErrorInQueryMethodRule
 		tags: [phpstan.rules.rule]

src/QueryReflection/QueryReflection.php

@@ -89,6 +89,9 @@ public function resolvePreparedQueryString(Expr $queryExpr, Type $parameterTypes
         }
 
         $parameters = $this->resolveParameters($parameterTypes);
+        if (null === $parameters) {
+            return null;
+        }
 
         return $this->replaceParameters($queryString, $parameters);
     }
@@ -154,7 +157,7 @@ private function getQueryType(string $query): ?string
     /**
      * @return array<string|int, scalar|null>
      */
-    private function resolveParameters(Type $parameterTypes): array
+    public function resolveParameters(Type $parameterTypes): ?array
     {
         $parameters = [];
 
@@ -179,9 +182,11 @@ private function resolveParameters(Type $parameterTypes): array
                     }
                 }
             }
+
+            return $parameters;
         }
 
-        return $parameters;
+        return null;
     }
 
     /**

src/Rules/PdoStatementExecuteErrorMethodRule.php

@@ -0,0 +1,168 @@
+<?php
+
+declare(strict_types=1);
+
+namespace staabm\PHPStanDba\Rules;
+
+use PDOStatement;
+use PhpParser\Node;
+use PhpParser\Node\Expr\MethodCall;
+use PHPStan\Analyser\Scope;
+use PHPStan\Reflection\MethodReflection;
+use PHPStan\Rules\Rule;
+use PHPStan\Rules\RuleError;
+use PHPStan\Rules\RuleErrorBuilder;
+use PHPStan\ShouldNotHappenException;
+use staabm\PHPStanDba\PdoReflection\PdoStatementReflection;
+use staabm\PHPStanDba\QueryReflection\QueryReflection;
+
+/**
+ * @implements Rule<MethodCall>
+ *
+ * @see PdoStatementExecuteErrorMethodRuleTest
+ */
+final class PdoStatementExecuteErrorMethodRule implements Rule
+{
+    public function getNodeType(): string
+    {
+        return MethodCall::class;
+    }
+
+    public function processNode(Node $methodCall, Scope $scope): array
+    {
+        if (!$methodCall->name instanceof Node\Identifier) {
+            return [];
+        }
+
+        $methodReflection = $scope->getMethodReflection($scope->getType($methodCall->var), $methodCall->name->toString());
+        if (null === $methodReflection) {
+            return [];
+        }
+
+        if (PdoStatement::class !== $methodReflection->getDeclaringClass()->getName()) {
+            return [];
+        }
+
+        if ('execute' !== $methodReflection->getName()) {
+            return [];
+        }
+
+        return $this->checkErrors($methodReflection, $methodCall, $scope);
+    }
+
+    /**
+     * @return RuleError[]
+     */
+    private function checkErrors(MethodReflection $methodReflection, MethodCall $methodCall, Scope $scope): array
+    {
+        $stmtReflection = new PdoStatementReflection();
+        $queryExpr = $stmtReflection->findPrepareQueryStringExpression($methodReflection, $methodCall);
+
+        if (null === $queryExpr) {
+            return [];
+        }
+
+        $queryReflection = new QueryReflection();
+        $queryString = $queryReflection->resolveQueryString($queryExpr, $scope);
+        if (null === $queryString) {
+            return [];
+        }
+
+        $args = $methodCall->getArgs();
+        $placeholderCount = $this->countPlaceholders($queryString);
+
+        if (0 === \count($args)) {
+            if (0 === $placeholderCount) {
+                return [];
+            }
+
+            return [
+                RuleErrorBuilder::message(sprintf('Query expects %s placeholders, but no values are given to execute().', $placeholderCount))->line($methodCall->getLine())->build(),
+            ];
+        }
+
+        return $this->checkParameterValues($methodCall, $scope, $queryString, $placeholderCount);
+    }
+
+    /**
+     * @return RuleError[]
+     */
+    private function checkParameterValues(MethodCall $methodCall, Scope $scope, string $queryString, int $placeholderCount): array
+    {
+        $queryReflection = new QueryReflection();
+        $args = $methodCall->getArgs();
+
+        $parameterTypes = $scope->getType($args[0]->value);
+        $parameters = $queryReflection->resolveParameters($parameterTypes);
+        if (null === $parameters) {
+            return [];
+        }
+        $parameterCount = \count($parameters);
+
+        if ($parameterCount !== $placeholderCount) {
+            if (1 === $parameterCount) {
+                return [
+                    RuleErrorBuilder::message(sprintf('Query expects %s placeholders, but %s value is given to execute().', $placeholderCount, $parameterCount))->line($methodCall->getLine())->build(),
+                ];
+            }
+
+            return [
+                RuleErrorBuilder::message(sprintf('Query expects %s placeholders, but %s values are given to execute().', $placeholderCount, $parameterCount))->line($methodCall->getLine())->build(),
+            ];
+        }
+
+        $errors = [];
+        $namedPlaceholders = $this->extractNamedPlaceholders($queryString);
+        foreach ($namedPlaceholders as $namedPlaceholder) {
+            if (!\array_key_exists($namedPlaceholder, $parameters)) {
+                $errors[] = RuleErrorBuilder::message(sprintf('Query expects placeholder %s, but it is missing from values given to execute().', $namedPlaceholder))->line($methodCall->getLine())->build();
+            }
+        }
+
+        foreach ($parameters as $placeholderKey => $value) {
+            if (!\in_array($placeholderKey, $namedPlaceholders)) {
+                $errors[] = RuleErrorBuilder::message(sprintf('Value %s is given to execute(), but the query does not containt this placeholder.', $placeholderKey))->line($methodCall->getLine())->build();
+            }
+        }
+
+        return $errors;
+    }
+
+    /**
+     * @return 0|positive-int
+     */
+    private function countPlaceholders(string $queryString): int
+    {
+        $numPlaceholders = substr_count($queryString, '?');
+
+        if (0 !== $numPlaceholders) {
+            return $numPlaceholders;
+        }
+
+        $numPlaceholders = preg_match_all('{:[a-z]+}', $queryString);
+        if (false === $numPlaceholders || $numPlaceholders < 0) {
+            throw new ShouldNotHappenException();
+        }
+
+        return $numPlaceholders;
+    }
+
+    /**
+     * @return list<string>
+     */
+    private function extractNamedPlaceholders(string $queryString): array
+    {
+        // pdo does not support mixing of named and '?' placeholders
+        $numPlaceholders = substr_count($queryString, '?');
+
+        if (0 !== $numPlaceholders) {
+            return [];
+        }
+
+        if (preg_match_all('{:[a-z]+}', $queryString, $matches) > 0) {
+            return $matches[0];
+        }
+
+        return [];
+    }
+}

src/Rules/SyntaxErrorInQueryFunctionRule.php

@@ -11,9 +11,12 @@
 use PHPStan\Rules\Rule;
 use PHPStan\Rules\RuleErrorBuilder;
 use staabm\PHPStanDba\QueryReflection\QueryReflection;
+use staabm\PHPStanDba\Tests\SyntaxErrorInQueryFunctionRuleTest;
 
 /**
  * @implements Rule<FuncCall>
+ *
+ * @see SyntaxErrorInQueryFunctionRuleTest
  */
 final class SyntaxErrorInQueryFunctionRule implements Rule
 {

src/Rules/SyntaxErrorInQueryMethodRule.php

@@ -13,6 +13,8 @@
 
 /**
  * @implements Rule<MethodCall>
+ *
+ * @see SyntaxErrorInQueryMethodRuleTest
  */
 final class SyntaxErrorInQueryMethodRule implements Rule
 {

tests/PdoStatementExecuteErrorMethodRuleTest.php

@@ -0,0 +1,68 @@
+<?php
+
+namespace staabm\PHPStanDba\Tests;
+
+use PHPStan\Rules\Rule;
+use staabm\PHPStanDba\Rules\PdoStatementExecuteErrorMethodRule;
+use Symplify\PHPStanExtensions\Testing\AbstractServiceAwareRuleTestCase;
+
+/**
+ * @extends AbstractServiceAwareRuleTestCase<PdoStatementExecuteErrorMethodRule>
+ */
+class PdoStatementExecuteErrorMethodRuleTest extends AbstractServiceAwareRuleTestCase
+{
+    protected function getRule(): Rule
+    {
+        return $this->getRuleFromConfig(PdoStatementExecuteErrorMethodRule::class, __DIR__.'/../config/dba.neon');
+    }
+
+    public function testSyntaxErrorInQueryRule(): void
+    {
+        require_once __DIR__.'/data/pdo-stmt-execute-error.php';
+
+        $this->analyse([__DIR__.'/data/pdo-stmt-execute-error.php'], [
+            [
+                'Query expects placeholder :adaid, but it is missing from values given to execute().',
+                12,
+            ],
+            [
+                'Value :wrongParamName is given to execute(), but the query does not containt this placeholder.',
+                12,
+            ],
+            [
+                'Query expects placeholder :adaid, but it is missing from values given to execute().',
+                15,
+            ],
+            [
+                'Value :wrongParamName is given to execute(), but the query does not containt this placeholder.',
+                15,
+            ],
+            /*
+            [
+                'Query expects placeholder :adaid, but it is missing from values given to execute().',
+                18,
+            ],
+            [
+                'Value :wrongParamValue is given to execute(), but the query does not containt this placeholder.',
+                18,
+            ],
+            */
+            [
+                'Query expects 1 placeholders, but no values are given to execute().',
+                21,
+            ],
+            [
+                'Query expects 2 placeholders, but 1 value is given to execute().',
+                24,
+            ],
+            [
+                'Query expects 2 placeholders, but 1 value is given to execute().',
+                27,
+            ],
+            [
+                'Query expects 2 placeholders, but 1 value is given to execute().',
+                30,
+            ],
+        ]);
+    }
+}

tests/data/pdo-stmt-execute-error.php

@@ -0,0 +1,32 @@
+<?php
+
+namespace PdoStatementExecuteErrorMethodRuleTest;
+
+use PDO;
+
+class Foo
+{
+    public function errors(PDO $pdo)
+    {
+        $stmt = $pdo->prepare('SELECT email, adaid FROM ada WHERE adaid = :adaid');
+        $stmt->execute(['wrongParamName' => 1]);
+
+        $stmt = $pdo->prepare('SELECT email, adaid FROM ada WHERE adaid = :adaid');
+        $stmt->execute([':wrongParamName' => 1]);
+
+        // $stmt = $pdo->prepare('SELECT email, adaid FROM ada WHERE adaid = :adaid');
+        // $stmt->execute([':adaid' => 'hello world']); // wrong param type
+
+        $stmt = $pdo->prepare('SELECT email, adaid FROM ada WHERE adaid = :adaid');
+        $stmt->execute(); // missing parameter
+
+        $stmt = $pdo->prepare('SELECT email, adaid FROM ada WHERE adaid = ? and email = ?');
+        $stmt->execute([1]); // wrong number of parameters
+
+        $stmt = $pdo->prepare('SELECT email, adaid FROM ada WHERE adaid = :adaid and email = :email');
+        $stmt->execute(['adaid' => 1]); // wrong number of parameters
+
+        $stmt = $pdo->prepare('SELECT email, adaid FROM ada WHERE adaid = :adaid and email = :email');
+        $stmt->execute([':email' => 'email@example.org']); // wrong number of parameters
+    }
+}

tests/data/pdo-stmt-execute.php

@@ -56,10 +56,5 @@ public function errors(PDO $pdo)
         assertType('PDOStatement', $stmt);
         $stmt->execute(); // missing parameter
         assertType('PDOStatement', $stmt);
-
-        $stmt = $pdo->prepare('SELECT email, adaid FROM ada WHERE adaid = :adaid');
-        assertType('PDOStatement', $stmt);
-        $stmt->execute([]); // missing parameter
-        assertType('PDOStatement', $stmt);
     }
 }