Merge pull request #11021 from cgocast/5.x

Add mysqli.execute-query as sink for TaintedSql

stubs/extensions/mysqli.phpstub

@@ -126,6 +126,11 @@ class mysqli
      * @var int<-1, max>|numeric-string
      */
     public int|string $affected_rows;
+
+    /**
+    * @psalm-taint-sink sql $query
+    */
+    public function execute_query(string $query, ?array $params = null): mysqli_result|bool {}
 }
 
 /**
@@ -190,6 +195,11 @@ class mysqli_stmt
     public string $sqlstate;
 }
 
+/**
+ * @psalm-taint-sink sql $query
+ */
+function mysqli_execute_query(mysqli $mysql, string $query, ?array $params = null): mysqli_result|bool {}
+
 /**
  * @psalm-taint-sink callable $class
  *

tests/TaintTest.php

@@ -2511,6 +2511,22 @@ public static function getPrevious(string $s): string {
                     $function->invoke();',
                 'error_message' => 'TaintedCallable',
             ],
+            'taintedExecuteQueryFunction' => [
+                'code' => '<?php
+                    $userId = $_GET["user_id"];
+                    $query = "delete from users where user_id = " . $userId;
+                    $link = mysqli_connect("localhost", "my_user", "my_password", "world");
+                    $result = mysqli_execute_query($link, $query);',
+                'error_message' => 'TaintedSql',
+            ],
+            'taintedExecuteQueryMethod' => [
+                'code' => '<?php
+                    $userId = $_GET["user_id"];
+                    $query = "delete from users where user_id = " . $userId;
+                    $mysqli = new mysqli("localhost", "my_user", "my_password", "world");
+                    $result = $mysqli->execute_query($query);',
+                'error_message' => 'TaintedSql',
+            ],
         ];
     }