Conversation
- Fix checkInput for 'date' type to validate parts are integers using ctype_digit() and checkdate()
- Fix getInput for 'date' type to cast parts to (int) before mktime()
- Update composer.json dependencies for PHP 8.3 compatibility (PHPUnit 10/11, Carbon 2/3)
- Update phpunit.xml to modern PHPUnit format
- Update all existing tests to use PHPUnit\Framework\TestCase
- Add comprehensive tests for date validation, SQL injection patterns, all input types
- Add tests for Collection, ErrorCollection, SimpleCrypt, URLBuilder, TokenGenerator

Co-authored-by: daedeloth <1168599+daedeloth@users.noreply.github.com>
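The date fix described in the commit above, as an added example that is not the project's Tools class (all function names are hypothetical): the segment-counting check beside its ctype_digit()/checkdate() replacement, plus a getInput-style helper that casts the parts to int before mktime() and returns null for anything that does not validate.

```php
<?php
declare(strict_types=1);

// Added example, not the project's Tools::checkInput / Tools::getInput.
// Function names are hypothetical; the validation rules follow the PR description.

/** Before the fix: only counts dash-separated segments, so 'a-b-c' is accepted. */
function checkDateBefore(string $value): bool
{
    return count(explode('-', $value)) === 3;
}

/** After the fix: every part must be ASCII digits and the triple must be a real calendar date. */
function checkDateAfter(string $value): bool
{
    $parts = explode('-', $value);
    if (count($parts) !== 3) {
        return false;
    }
    foreach ($parts as $part) {
        // ctype_digit() rejects '', 'a', '-1', '1.5' and anything with whitespace
        if (!ctype_digit($part)) {
            return false;
        }
    }
    [$y, $m, $d] = array_map('intval', $parts);
    // checkdate() rejects 2023-02-30, month 13, year 0, and similar
    return checkdate($m, $d, $y);
}

/**
 * getInput-style helper: returns a Unix timestamp for a validated 'Y-m-d'
 * string, or null when the value is invalid. The (int) cast before mktime()
 * is the defence-in-depth step: even if a caller skips validation, mktime()
 * never sees a raw string.
 */
function getDateInput(string $value): ?int
{
    if (!checkDateAfter($value)) {
        return null;
    }
    [$y, $m, $d] = array_map('intval', explode('-', $value));
    $ts = mktime(0, 0, 0, $m, $d, $y);
    return $ts === false ? null : $ts;
}

// Constructed inputs: a leap day, a non-existent date, the 'a-b-c' case from the
// bug report, a non-zero-padded date, an injection-shaped string, and empty input.
$cases = ['2024-02-29', '2023-02-29', 'a-b-c', '2024-1-5', '2024-01-05;DROP', ''];
foreach ($cases as $c) {
    printf(
        "%-20s before=%-5s after=%-5s ts=%s\n",
        var_export($c, true),
        var_export(checkDateBefore($c), true),
        var_export(checkDateAfter($c), true),
        var_export(getDateInput($c), true)
    );
}
```

Running the script shows the two checks diverging exactly on the rows the PR is about: the old check accepts 'a-b-c' and '2023-02-29' because both have three segments, while the new one rejects them, and the timestamp helper returns null rather than false for every rejected row.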
@copilot add tests covering the Neuron\DB namespace. Heavy focus on mysql injection. We need to have 99% coverage there.
- Add Database::setInstance() to allow test injection without MySQL
- Add TestDatabase stub with pure-PHP MySQL-compatible escaping
- Add DbQueryInjectionTest with 76 tests covering:
  - SQL injection via PARAM_STR (OR, DROP TABLE, UNION, SLEEP, stacked, comment, blind)
  - PARAM_NUMBER throws InvalidParameter on any non-numeric injection attempt
  - PARAM_DATE throws on non-numeric strings, accepts timestamps and DateTime
  - PARAM_POINT throws on non-Point values
  - PARAM_UNKNOWN auto-type detection via bindValues
  - NULL handling (canBeNull true/false, IS NULL in WHERE, static builder)
  - All query builders: SELECT, INSERT, REPLACE, UPDATE, DELETE
  - All WHERE comparators: LIKE, NOT, >, <, >=, <=, !=, IN
  - Named and positional params with injection payloads
  - Special chars: \r, \x1a (SUB), multi-vector attacks
- Add autoload-dev PSR-4 mapping for Neuron\Tests namespace

Co-authored-by: daedeloth <1168599+daedeloth@users.noreply.github.com>
Done in d7176ce. Added 76 tests covering the

New files:

Injection coverage (PARAM_STR): classic OR
Type-level protection:
All builders and WHERE comparators covered: SELECT/INSERT/REPLACE/UPDATE/DELETE, LIKE/NOT/

Warning: Firewall rules blocked me from connecting to one or more addresses. I tried to connect to the following addresses, but was blocked by firewall rules:

If you need me to access, download, or install something from one of these locations, you can either:
Tools::checkInput('a-b-c', 'date') returns true because validation only checks for 3 dash-separated parts without verifying they're integers or a valid date. When these values reach mktime() in getInput, PHP emits type errors and returns false instead of null.

Bug fixes

- checkInput for date: Validate parts with ctype_digit() + checkdate() instead of just counting segments
- getInput for date: Cast exploded parts to (int) before mktime() (defence-in-depth)

Test infrastructure & coverage

- composer.json to PHPUnit 10/11 and Carbon 2/3 (PHP 8.1+)
- PHPUnit_Framework_TestCase → PHPUnit\Framework\TestCase
- DbQueryTest with #[Group('database')] for CI exclusion (requires MySQL)
- autoload-dev PSR-4 mapping for Neuron\Tests\ so test-only classes are autoloaded
- getInput

Neuron\DB namespace — SQL injection tests (76 tests)

Added Database::setInstance() / $testInstance static override (12 lines) so the full Query builder can be tested without a real MySQL connection. A TestDatabase stub implements escape() with the same rules as mysqli::real_escape_string.

DbQueryInjectionTest covers:

- '1'='1, DROP TABLE, UNION SELECT, time-based SLEEP, stacked queries, comment-based --, blind boolean injection, null byte, backslash, newline, carriage return, SUB character (\x1a), multi-vector attacks
- InvalidParameter for every non-numeric injection attempt (no quotes → no escape path)
- DateTime objects
- Point values; constructor rejects non-numeric coordinates
- DateTime/Point via bindValues
- >, <, >=, <=, !=, IN, IS NULL
- canBeNull true/false, static-builder null, IS NULL in WHERE

CI & docs

- .github/workflows/tests.yml — matrix across PHP 8.1/8.2/8.3
- .ai/ project summary, conventions, and claude.md

Original prompt
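The two mechanisms the PR description relies on, as an added example that is not the Neuron\DB Query, TestDatabase or InvalidParameter code (every name below is hypothetical): a pure-PHP escape function with the same byte rules as mysqli::real_escape_string, and a typed literal renderer in which PARAM_STR values always travel quoted and escaped while PARAM_NUMBER values are emitted bare and therefore rejected unless they are genuinely numeric. The script runs the injection shapes listed above through both paths and prints the resulting predicate or the rejection.

```php
<?php
declare(strict_types=1);

// Added example, not the project's Neuron\DB code. All names here are hypothetical.

const PARAM_STR = 'str';
const PARAM_NUMBER = 'number';

/** Stands in for the project's InvalidParameter exception. */
final class InvalidParameterException extends InvalidArgumentException {}

/**
 * Pure-PHP stand-in for mysqli::real_escape_string, valid for single-byte
 * connection charsets only. strtr() with an array walks the input once and
 * replaces each byte exactly once, so a backslash produced by one rule is never
 * re-escaped by another, which sequential str_replace() calls would do.
 */
function escapeLikeMysqli(string $value): string
{
    return strtr($value, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        '\\'   => '\\\\',
        "'"    => "\'",
        '"'    => '\"',
        "\x1a" => '\Z',
    ]);
}

/** Renders one bound value as a SQL literal according to its declared parameter type. */
function toSqlLiteral(mixed $value, string $type, bool $canBeNull = false): string
{
    if ($value === null) {
        if (!$canBeNull) {
            throw new InvalidParameterException('NULL is not allowed for this parameter');
        }
        return 'NULL';
    }

    return match ($type) {
        // Strings always travel quoted, so every payload stays inside the literal.
        PARAM_STR => "'" . escapeLikeMysqli((string) $value) . "'",
        // Numbers are emitted bare: there is no quote to escape, so anything that is
        // not a real number is rejected outright instead of being interpolated.
        PARAM_NUMBER => is_numeric($value)
            ? (string) ($value + 0)   // normalises numeric strings such as "1e3" to 1000
            : throw new InvalidParameterException('PARAM_NUMBER received a non-numeric value'),
        default => throw new InvalidParameterException("unknown parameter type {$type}"),
    };
}

/** Builds a single `column = value` predicate; the column name is assumed to come from code, not input. */
function whereEquals(string $column, mixed $value, string $type): string
{
    return "`{$column}` = " . toSqlLiteral($value, $type);
}

// Constructed inputs: the first three are the string-typed injection shapes the PR
// tests (quote break-out, stacked query with comment, NUL/backslash/SUB bytes); the
// last three show the numeric type check accepting a number and rejecting the rest.
$cases = [
    ["' OR '1'='1", PARAM_STR],
    ["1; DROP TABLE users --", PARAM_STR],
    ["x\x00y\\z\x1aend", PARAM_STR],
    ["42", PARAM_NUMBER],
    ["1 OR 1=1", PARAM_NUMBER],
    ["42' --", PARAM_NUMBER],
];

foreach ($cases as [$value, $type]) {
    try {
        echo whereEquals('id', $value, $type), "\n";
    } catch (InvalidParameterException $e) {
        echo "rejected ({$type}): {$e->getMessage()}\n";
    }
}
```

Two caveats for anyone reusing the stub beyond tests: the byte-level escaping matches mysqli::real_escape_string only while the connection charset is single-byte, because the real function is charset-aware and multibyte charsets such as GBK need that awareness; and nothing here protects identifiers, so table and column names must never be taken from user input.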