<?php
/**
 * Copyright since 2007 PrestaShop SA and Contributors
 * PrestaShop is an International Registered Trademark & Property of PrestaShop SA
 *
 * NOTICE OF LICENSE
 *
 * This source file is subject to the Open Software License (OSL 3.0)
 * that is bundled with this package in the file LICENSE.md.
 * It is also available through the world-wide-web at this URL:
 * https://opensource.org/licenses/OSL-3.0
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to license@prestashop.com so we can send you a copy immediately.
 *
 * DISCLAIMER
 *
 * Do not edit or add to this file if you wish to upgrade PrestaShop to newer
 * versions in the future. If you wish to customize PrestaShop for your
 * needs please refer to https://devdocs.prestashop.com/ for more information.
 *
 * @author    PrestaShop SA and Contributors <contact@prestashop.com>
 * @copyright Since 2007 PrestaShop SA and Contributors
 * @license   https://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
 */

/**
 * Class RequestSqlCore.
 */
class RequestSqlCore extends ObjectModel
{
    public $name;
    public $sql;

    /**
     * @see ObjectModel::$definition
     */
    public static $definition = [
        'table' => 'request_sql',
        'primary' => 'id_request_sql',
        'fields' => [
            'name' => ['type' => self::TYPE_STRING, 'validate' => 'isString', 'required' => true, 'size' => 200],
            'sql' => ['type' => self::TYPE_SQL, 'validate' => 'isString', 'required' => true, 'size' => 4194303],
        ],
    ];

    /** @var array : List of params to tested */
    public $tested = [
        'required' => ['SELECT', 'FROM'],
        'option' => ['WHERE', 'ORDER', 'LIMIT', 'HAVING', 'GROUP', 'UNION'],
        'operator' => [
            'AND', '&&', 'BETWEEN', 'AND', 'BINARY', '&', '~', '|', '^', 'CASE', 'WHEN', 'END', 'DIV', '/', '<=>', '=', '>=',
            '>', 'IS', 'NOT', 'NULL', '<<', '<=', '<', 'LIKE', '-', '%', '!=', '<>', 'REGEXP', '!', '||', 'OR', '+', '>>', 'RLIKE', 'SOUNDS', '*',
            '-', 'XOR', 'IN',
        ],
        'function' => [
            'AVG', 'SUM', 'COUNT', 'MIN', 'MAX', 'STDDEV', 'STDDEV_SAMP', 'STDDEV_POP', 'VARIANCE', 'VAR_SAMP', 'VAR_POP',
            'GROUP_CONCAT', 'BIT_AND', 'BIT_OR', 'BIT_XOR',
        ],
        'unauthorized' => [
            'DELETE', 'ALTER', 'INSERT', 'REPLACE', 'CREATE', 'TRUNCATE', 'OPTIMIZE', 'GRANT', 'REVOKE', 'SHOW', 'HANDLER',
            'LOAD', 'LOAD_FILE', 'ROLLBACK', 'SAVEPOINT', 'UNLOCK', 'INSTALL', 'UNINSTALL', 'ANALZYE', 'BACKUP', 'CHECK', 'CHECKSUM', 'REPAIR', 'RESTORE', 'CACHE',
            'DESCRIBE', 'EXPLAIN', 'USE', 'HELP', 'SET', 'DUPLICATE', 'VALUES',  'INTO', 'RENAME', 'CALL', 'PROCEDURE',  'FUNCTION', 'DATABASE', 'SERVER',
            'LOGFILE', 'DEFINER', 'RETURNS', 'EVENT', 'TABLESPACE', 'VIEW', 'TRIGGER', 'DATA', 'DO', 'PASSWORD', 'USER', 'PLUGIN', 'FLUSH', 'KILL',
            'RESET', 'START', 'STOP', 'PURGE', 'EXECUTE', 'PREPARE', 'DEALLOCATE', 'LOCK', 'USING', 'DROP', 'FOR', 'UPDATE', 'BEGIN', 'BY', 'ALL', 'SHARE',
            'MODE', 'TO', 'KEY', 'DISTINCTROW', 'DISTINCT',  'HIGH_PRIORITY', 'LOW_PRIORITY', 'DELAYED', 'IGNORE', 'FORCE', 'STRAIGHT_JOIN',
            'SQL_SMALL_RESULT', 'SQL_BIG_RESULT', 'QUICK', 'SQL_BUFFER_RESULT', 'SQL_CACHE', 'SQL_NO_CACHE', 'SQL_CALC_FOUND_ROWS', 'WITH',
            'OUTFILE', 'DUMPFILE',
        ],
    ];

    public $attributes = [
        'passwd' => '*******************',
        'secure_key' => '*******************',
    ];

    /** @var array : list of errors */
    public $error_sql = [];

    /**
     * Get list of request SQL.
     *
     * @return array|bool
     */
    public static function getRequestSql()
    {
        if (!$result = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS('SELECT * FROM `' . _DB_PREFIX_ . 'request_sql` ORDER BY `id_request_sql`')) {
            return false;
        }

        $requestSql = [];
        foreach ($result as $row) {
            $requestSql[] = $row['sql'];
        }

        return $requestSql;
    }

    /**
     * Get list of request SQL by id request.
     *
     * @param int $id
     *
     * @return array
     */
    public static function getRequestSqlById($id)
    {
        return Db::getInstance()->executeS('SELECT `sql` FROM `' . _DB_PREFIX_ . 'request_sql` WHERE `id_request_sql` = ' . (int) $id);
    }

    /**
     * Call the parserSQL() method in Tools class
     * Cut the request in table for check it.
     *
     * @param string $sql
     *
     * @return array|bool
     */
    public function parsingSql($sql)
    {
        return Tools::parserSQL($sql);
    }

    /**
     * Check if the parsing of the SQL request is good or not.
     *
     * @param array $tab
     * @param bool $in
     * @param string $sql
     *
     * @return bool
     */
    public function validateParser($tab, $in, $sql)
    {
        if (!$tab) {
            return false;
        } elseif (isset($tab['UNION'])) {
            $union = $tab['UNION'];
            foreach ($union as $tab) {
                if (!$this->validateSql($tab, $in, $sql)) {
                    return false;
                }
            }

            return true;
        } else {
            return $this->validateSql($tab, $in, $sql);
        }
    }

    /**
     * Cut the request for check each cutting.
     *
     * @param array<string, array> $tab
     * @param bool $in
     * @param string $sql
     *
     * @return bool
     */
    public function validateSql($tab, $in, $sql)
    {
        if (!$this->testedRequired($tab)) {
            return false;
        } elseif (!$this->testedUnauthorized($tab)) {
            return false;
        } elseif (!$this->checkedFrom($tab['FROM'])) {
            return false;
        } elseif (!$this->checkedSelect($tab['SELECT'], $tab['FROM'], $in)) {
            return false;
        } elseif (isset($tab['WHERE'])) {
            if (!$this->checkedWhere($tab['WHERE'], $tab['FROM'], $sql)) {
                return false;
            }
        } elseif (isset($tab['HAVING'])) {
            if (!$this->checkedHaving($tab['HAVING'], $tab['FROM'])) {
                return false;
            }
        } elseif (isset($tab['ORDER'])) {
            if (!$this->checkedOrder($tab['ORDER'], $tab['FROM'])) {
                return false;
            }
        } elseif (isset($tab['GROUP'])) {
            if (!$this->checkedGroupBy($tab['GROUP'], $tab['FROM'])) {
                return false;
            }
        } elseif (isset($tab['LIMIT'])) {
            if (!$this->checkedLimit($tab['LIMIT'])) {
                return false;
            }
        }

        if (empty($this->_errors) && !Db::getInstance()->executeS($sql)) {
            return false;
        }

        return true;
    }

    /**
     * Get list of all tables.
     *
     * @return array
     */
    public function getTables()
    {
        $results = Db::getInstance()->executeS('SHOW TABLES');
        $tables = [];
        foreach ($results as $result) {
            $key = array_keys($result);
            $tables[] = $result[$key[0]];
        }

        return $tables;
    }

    /**
     * Get list of all attributes by an table.
     *
     * @param string $table
     *
     * @return array
     */
    public function getAttributesByTable($table)
    {
        return Db::getInstance()->executeS('DESCRIBE ' . pSQL($table));
    }

    /**
     * Cut an join sentence.
     *
     * @param array $attrs
     * @param array $from
     *
     * @return array
     */
    public function cutJoin($attrs, $from)
    {
        $tab = [];

        foreach ($attrs as $attr) {
            if (in_array($attr['expr_type'], ['operator', 'const'])) {
                continue;
            }

            if (!empty($attr['sub_tree'])) {
                foreach ($attr['sub_tree'] as $treeItem) {
                    if ($treeItem['expr_type'] !== 'colref') {
                        continue;
                    }
                    if ($attribut = $this->cutAttribute($treeItem['base_expr'], $from)) {
                        $tab[] = $attribut;
                    }
                }
            } else {
                if ($attribut = $this->cutAttribute($attr['base_expr'], $from)) {
                    $tab[] = $attribut;
                }
            }
        }

        return $tab;
    }

    /**
     * Cut an attribute with or without the alias.
     *
     * @param string $attr
     * @param array $from
     *
     * @return array|bool
     */
    public function cutAttribute($attr, $from)
    {
        $matches = [];
        if (preg_match('/((`(\()?([a-z0-9_])+`(\))?)|((\()?([a-z0-9_])+(\))?))\.((`(\()?([a-z0-9_])+`(\))?)|((\()?([a-z0-9_])+(\))?))$/i', $attr, $matches, PREG_OFFSET_CAPTURE)) {
            $tab = explode('.', str_replace(['`', '(', ')'], '', $matches[0][0]));
            if ($table = $this->returnNameTable($tab[0], $from)) {
                return [
                    'table' => $table,
                    'alias' => $tab[0],
                    'attribut' => $tab[1],
                    'string' => $attr,
                ];
            }
        } elseif (preg_match('/((`(\()?([a-z0-9_])+`(\))?)|((\()?([a-z0-9_])+(\))?))$/i', $attr, $matches, PREG_OFFSET_CAPTURE)) {
            $attribut = str_replace(['`', '(', ')'], '', $matches[0][0]);
            if ($table = $this->returnNameTable(false, $from, $attr)) {
                return [
                    'table' => $table,
                    'attribut' => $attribut,
                    'string' => $attr,
                ];
            }
        }

        return false;
    }

    /**
     * Get name of table by alias.
     *
     * @param string|false $alias
     * @param array $tables
     *
     * @return array|bool
     */
    public function returnNameTable($alias, $tables, $attr = null)
    {
        if ($alias) {
            foreach ($tables as $table) {
                if (!isset($table['alias']) || !isset($table['table'])) {
                    continue;
                }
                /** @var string|array{'parts': array<int, bool>} $tableAlias */
                $tableAlias = $table['alias']['no_quotes'];
                if ($tableAlias == $alias || $tableAlias['parts'][0] == $alias) {
                    return [$table['table']];
                }
            }
        } elseif (count($tables) > 1) {
            if ($attr !== null) {
                $tab = [];
                foreach ($tables as $table) {
                    if ($this->attributExistInTable($attr, $table['table'])) {
                        $tab = $table['table'];
                    }
                }
                if (count($tab) == 1) {
                    return $tab;
                }
            }

            $this->error_sql['returnNameTable'] = false;

            return false;
        }

        $tab = [];
        foreach ($tables as $table) {
            $tab[] = $table['table'];
        }

        return $tab;
    }

    /**
     * Check if an attributes exists in a table.
     *
     * @param string $attr
     * @param array $table
     *
     * @return bool
     */
    public function attributExistInTable($attr, $table)
    {
        if (!$attr) {
            return true;
        }
        if (is_array($table) && (count($table) == 1)) {
            $table = $table[0];
        }
        $attributs = $this->getAttributesByTable($table);
        foreach ($attributs as $attribut) {
            if ($attribut['Field'] == trim($attr, ' `')) {
                return true;
            }
        }

        return false;
    }

    /**
     * Check if all required sentence existing.
     *
     * @param array $tab
     *
     * @return bool
     */
    public function testedRequired($tab)
    {
        foreach ($this->tested['required'] as $key) {
            if (!array_key_exists($key, $tab)) {
                $this->error_sql['testedRequired'] = $key;

                return false;
            }
        }

        return true;
    }

    /**
     * Check if an unauthorized existing in an array.
     *
     * @param array $tab
     *
     * @return bool
     */
    public function testedUnauthorized($tab)
    {
        foreach ($this->tested['unauthorized'] as $key) {
            if (array_key_exists($key, $tab)) {
                $this->error_sql['testedUnauthorized'] = $key;

                return false;
            }
        }

        return true;
    }

    /**
     * Check a "FROM" sentence.
     *
     * @param array<int, array<string, mixed>> $from
     *
     * @return bool
     */
    public function checkedFrom($from)
    {
        $nb = count($from);
        for ($i = 0; $i < $nb; ++$i) {
            $table = $from[$i];

            if (isset($table['table']) && !in_array(str_replace('`', '', $table['table']), $this->getTables())) {
                $this->error_sql['checkedFrom']['table'] = $table['table'];

                return false;
            }
            if ($table['ref_type'] == 'ON' && (trim($table['join_type']) == 'LEFT' || trim($table['join_type']) == 'JOIN')) {
                $attrs = $this->cutJoin($table['ref_clause'], $from);
                foreach ($attrs as $attr) {
                    if (!$this->attributExistInTable($attr['attribut'], $attr['table'])) {
                        $this->error_sql['checkedFrom']['attribut'] = [$attr['attribut'], implode(', ', $attr['table'])];

                        return false;
                    }
                }
            }
        }

        return true;
    }

    /**
     * Check a "SELECT" sentence.
     *
     * @param array<int, array<string, mixed>> $select
     * @param array $from
     * @param bool $in
     *
     * @return bool
     */
    public function checkedSelect($select, $from, $in = false)
    {
        $nb = count($select);
        for ($i = 0; $i < $nb; ++$i) {
            $attribut = $select[$i];
            if ($attribut['base_expr'] != '*' && !preg_match('/\.\*$/', $attribut['base_expr'])) {
                if ($attribut['expr_type'] == 'colref') {
                    if ($attr = $this->cutAttribute(trim($attribut['base_expr']), $from)) {
                        if (!$this->attributExistInTable($attr['attribut'], $attr['table'])) {
                            $this->error_sql['checkedSelect']['attribut'] = [$attr['attribut'], implode(', ', $attr['table'])];

                            return false;
                        }
                    } else {
                        if (isset($this->error_sql['returnNameTable'])) {
                            $this->error_sql['checkedSelect'] = $this->error_sql['returnNameTable'];

                            return false;
                        } else {
                            $this->error_sql['checkedSelect'] = false;

                            return false;
                        }
                    }
                }

                while (is_array($attribut['sub_tree'])) {
                    if ($attribut['expr_type'] === 'function' && in_array(strtoupper($attribut['base_expr']), $this->tested['unauthorized'])) {
                        $this->error_sql['checkedSelect']['function'] = $attribut['base_expr'];

                        return false;
                    }
                    $attribut = $attribut['sub_tree'][0];
                }
            } elseif ($in) {
                $this->error_sql['checkedSelect']['*'] = false;

                return false;
            }
        }

        return true;
    }

    /**
     * Check a "WHERE" sentence.
     *
     * @param array<int, array<string, mixed>> $where
     * @param array $from
     * @param string $sql
     *
     * @return bool
     */
    public function checkedWhere($where, $from, $sql)
    {
        $nb = count($where);
        for ($i = 0; $i < $nb; ++$i) {
            $attribut = $where[$i];
            if ($attribut['expr_type'] == 'colref') {
                if ($attr = $this->cutAttribute(trim($attribut['base_expr']), $from)) {
                    if (!$this->attributExistInTable($attr['attribut'], $attr['table'])) {
                        $this->error_sql['checkedWhere']['attribut'] = [$attr['attribut'], implode(', ', $attr['table'])];

                        return false;
                    }
                } else {
                    $this->error_sql['checkedWhere'] = $this->error_sql['returnNameTable'] ?? false;

                    return false;
                }
            } elseif ($attribut['expr_type'] == 'reserved') {
                if ($attribut['base_expr'] !== 'EXISTS' || !isset($where[$i + 1]) || $where[$i + 1]['expr_type'] !== 'subquery') {
                    $this->error_sql['checkedWhere'] = $this->error_sql['returnNameTable'] ?? false;

                    return false;
                }
            } elseif ($attribut['expr_type'] == 'operator') {
                if (!in_array(strtoupper($attribut['base_expr']), $this->tested['operator'])) {
                    $this->error_sql['checkedWhere']['operator'] = [$attribut['base_expr']];

                    return false;
                }
            } elseif ($attribut['expr_type'] == 'subquery') {
                $tab = $attribut['sub_tree'];

                return $this->validateParser($tab, true, $sql);
            }
        }

        return true;
    }

    /**
     * Check a "HAVING" sentence.
     *
     * @param array<int, array<string, mixed>> $having
     * @param array $from
     *
     * @return bool
     */
    public function checkedHaving($having, $from)
    {
        $nb = count($having);
        for ($i = 0; $i < $nb; ++$i) {
            $attribut = $having[$i];
            if ($attribut['expr_type'] == 'colref') {
                if ($attr = $this->cutAttribute(trim($attribut['base_expr']), $from)) {
                    if (!$this->attributExistInTable($attr['attribut'], $attr['table'])) {
                        $this->error_sql['checkedHaving']['attribut'] = [$attr['attribut'], implode(', ', $attr['table'])];

                        return false;
                    }
                } else {
                    if (isset($this->error_sql['returnNameTable'])) {
                        $this->error_sql['checkedHaving'] = $this->error_sql['returnNameTable'];

                        return false;
                    } else {
                        $this->error_sql['checkedHaving'] = false;

                        return false;
                    }
                }
            }

            if ($attribut['expr_type'] == 'operator') {
                if (!in_array(strtoupper($attribut['base_expr']), $this->tested['operator'])) {
                    $this->error_sql['checkedHaving']['operator'] = [$attribut['base_expr']];

                    return false;
                }
            }
        }

        return true;
    }

    /**
     * Check a "ORDER" sentence.
     *
     * @param array $order
     * @param array $from
     *
     * @return bool
     */
    public function checkedOrder($order, $from)
    {
        $order = $order[0];
        if (array_key_exists('expression', $order) && $order['type'] == 'expression') {
            if ($attr = $this->cutAttribute(trim($order['base_expr']), $from)) {
                if (!$this->attributExistInTable($attr['attribut'], $attr['table'])) {
                    $this->error_sql['checkedOrder']['attribut'] = [$attr['attribut'], implode(', ', $attr['table'])];

                    return false;
                }
            } else {
                if (isset($this->error_sql['returnNameTable'])) {
                    $this->error_sql['checkedOrder'] = $this->error_sql['returnNameTable'];

                    return false;
                } else {
                    $this->error_sql['checkedOrder'] = false;

                    return false;
                }
            }
        }

        return true;
    }

    /**
     * Check a "GROUP BY" sentence.
     *
     * @param array $group
     * @param array $from
     *
     * @return bool
     */
    public function checkedGroupBy($group, $from)
    {
        $group = $group[0];
        if ($group['expr_type'] == 'colref') {
            if ($attr = $this->cutAttribute(trim($group['base_expr']), $from)) {
                if (!$this->attributExistInTable($attr['attribut'], $attr['table'])) {
                    $this->error_sql['checkedGroupBy']['attribut'] = [$attr['attribut'], implode(', ', $attr['table'])];

                    return false;
                }
            } else {
                if (isset($this->error_sql['returnNameTable'])) {
                    $this->error_sql['checkedGroupBy'] = $this->error_sql['returnNameTable'];

                    return false;
                } else {
                    $this->error_sql['checkedGroupBy'] = false;

                    return false;
                }
            }
        }

        return true;
    }

    /**
     * Check a "LIMIT" sentence.
     *
     * @param array $limit
     *
     * @return bool
     */
    public function checkedLimit($limit)
    {
        if (!preg_match('#^[0-9]+$#', trim($limit['offset'])) || !preg_match('#^[0-9]+$#', trim($limit['rowcount']))) {
            $this->error_sql['checkedLimit'] = false;

            return false;
        }

        return true;
    }
}