
I have a file tree containing a thousand PHP files. I want to decrease the effort required to upgrade it to PHP 7.2; it is now PHP 5.2 - PHP 5.5. So I want to start by automatically replacing some syntax.

The first bit of changed syntax that I want to automatically replace is arrays which access a column by name. In PHP 7.2, there need to be quotation marks around the column-name. I came up with a grep command to find a lot of matches:

grep -rIC 2 "\$[A-Za-z]\{1,\}\[[A-Za-z]\{1,\}\]"

Results:

wws/tools/ttman001M0102.php-}
wws/tools/ttman001M0102.php:if($operator[osno]!=""){
wws/tools/ttman001M0102.php:    $where.=" and ".getWhereAnweisung("t10.osno",'',$operator[osno],$suche[osno]);
wws/tools/ttman001M0102.php-}
wws/tools/mwtxt_100L0100.php-while($r=$a->getNextRow()){
wws/tools/mwtxt_100L0100.php:   $r[txta]=htmlentities(substr($r[txta],0,40),ENT_QUOTES,ini_get("default_charset"));
wws/tools/mwtxt_100L0100.php-  $cust_array[$i]= $r;
wws/tools/updates.php-  {
wws/tools/updates.php:          //if(confirm('<?php  echo $label[a]?>'))
wws/tools/updates.php-  {
wws/tools/updates.php:          //if(confirm('<?php  echo $label[a]?>'))
wws/tools/mwtxt_103M0100.php-}
wws/tools/mwtxt_103M0100.php:if($suche[doku]!="")
wws/tools/mwtxt_103M0100.php:   $where.=" (dsca like '%".addslashes($suche[doku])."%' or doku like '".addslashes($suche[doku])."%') and ";
wws/tools/mwtxt_103M0100.php-if($sort_field)
wws/tools/mwtxt_103M0100.php-while($r=$Abf->getNextRow()){
wws/tools/mwtxt_103M0100.php:   $r[dsca]=htmlentities($r[dsca],ENT_QUOTES,ini_get("default_charset"));
wws/tools/mwtxt_103M0100.php-  $cust_array[$i]= $r;
wws/tools/mwtol_000M0000.php-  while($r=db_fetch_row(Array($result,"DB_GETMODE_ASSOC"))){
wws/tools/mwtol_000M0000.php:    $mhein_040 = new query_select("select * from mhein_040 where orno='$r[liid]' and mndn = '".$_SESSION['SES_CLIENT']."'");
wws/tools/mwtol_000M0000.php-    $kont=new CRM_Vorgang();
wws/tools/mwtol_000M0000.php-    $kont->message=array('meid'=>'mwdoc_002fristmhein_040invn','dspr_usid'=>array('mhein_040usid'=>$mhein_040->row[usid]),
wws/tools/mwtol_000M0000.php:    'text'=>'<a href="javascript:window.open(\'../distribution/mhein_040M0000.php?glob_order_no='.$r[liid].'&aktion=invn&invn='.$r[bnum].'\');void(0);">'.
wws/tools/mwtol_000M0000.php:        get_labelInLanguage('eka',$_SESSION['global_lang']).' '.$r[liid].
wws/tools/mwtol_000M0000.php:        get_labelInLanguage('re',$_SESSION['global_lang']).' '.$r[bnum].'</a>');
wws/tools/mwtol_000M0000.php-    $kont->crm_send_saved_message();
wws/tools/mwtol_000M0000.php-      $sql="select grou from mpart_003
wws/tools/mwtol_000M0000.php:            where item='$feld[item]' and tabl='msser_201' and grou in ('1','2','3') and mndn = '".$_SESSION['SES_CLIENT']."'";
wws/tools/mwtol_000M0000.php-      $gr=new query_select($sql);

which already outputs a suitable display of the code in question. I want to feed these results into a bash script which will ask me to replace by pressing y or n for each occurrence. Is this a good approach, or is there maybe a better one to speed up the process?

siryx
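Added example (mine, not code from the question, the comments or the answer): instead of piping the grep output into sed, let PHP's own tokenizer find the bare keys. This matters for the results shown above. In mwtol_000M0000.php the matches '$r[liid]' and '$feld[item]' sit inside double-quoted strings, where the unquoted key is the correct interpolation syntax and inserting quotes produces a parse error, while {$r[liid]} (complex syntax) is parsed as code and does need them; a regex cannot tell these cases apart, nor a comment from code, but token_get_all can. The function names, the --ask flag and the sample input are this example's own, and the "ALL_CAPS means constant" rule is a heuristic. The script needs only PHP 5.4, so it runs on the interpreter the code base uses today.

```php
<?php
// Added example: rewrite $var[key] to $var['key'] with token_get_all so that
// comments, double-quoted strings and heredocs are handled correctly.
// quote_bare_keys / is_bare_key / --ask are names chosen for this example.

// Keys that look like real constants (ALL_CAPS) or are true/false/null are left
// alone (heuristic); every other bare word is offered to $confirm.
function is_bare_key($name)
{
    if (in_array(strtolower($name), array('true', 'false', 'null'), true)) {
        return false;
    }
    return preg_match('/^[A-Z0-9_]+$/', $name) !== 1;
}

// Returns $src with bare-word keys quoted in code context only.
// $confirm($key, $line) may veto a single rewrite; null means rewrite all.
function quote_bare_keys($src, $confirm = null)
{
    $tokens = token_get_all($src);
    $n      = count($tokens);
    $stack  = array('code');   // context stack: 'code' or 'str'; top = current
    $out    = '';

    for ($i = 0; $i < $n; $i++) {
        $tok  = $tokens[$i];
        $id   = is_array($tok) ? $tok[0] : null;
        $text = is_array($tok) ? $tok[1] : $tok;
        $top  = end($stack);

        // Context tracking. A bare '"' or '`' token is only emitted as the
        // delimiter of an interpolated string (plain strings arrive whole as
        // T_CONSTANT_ENCAPSED_STRING); "{$" and "${" re-enter code inside a string.
        if ($id === null && ($text === '"' || $text === '`')) {
            if ($top === 'str') { array_pop($stack); } else { $stack[] = 'str'; }
        } elseif ($id === T_START_HEREDOC) {
            $stack[] = 'str';
        } elseif ($id === T_END_HEREDOC) {
            array_pop($stack);
        } elseif ($id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES
                  || ($id === null && $text === '{')) {
            $stack[] = 'code';
        } elseif ($id === null && $text === '}') {
            array_pop($stack);
        }

        // Pattern: <indexable> '[' T_STRING ']' in code context. The indexable
        // check keeps short-array literals such as [FOO] from being touched.
        if ($id === T_STRING && $top === 'code' && $i >= 2 && $i + 1 < $n
            && $tokens[$i - 1] === '[' && $tokens[$i + 1] === ']'
            && is_bare_key($text)) {
            $prev      = $tokens[$i - 2];
            $prevId    = is_array($prev) ? $prev[0] : null;
            $indexable = in_array($prevId, array(T_VARIABLE, T_STRING), true)
                      || $prev === ']' || $prev === ')';
            if ($indexable && ($confirm === null || $confirm($text, $tok[2]))) {
                $text = "'" . $text . "'";
            }
        }
        $out .= $text;
    }
    return $out;
}

// Constructed sample modelled on the lines in the question (not real files).
$sample = <<<'SRC'
<?php
if($operator[osno]!=""){ $where .= $suche[osno]; }
$sql = "select * from mhein_040 where orno='$r[liid]' and n='{$r[bnum]}'";
$mode = $opts[DB_GETMODE_ASSOC]; $ok = $flags[true];
// $label[a] inside a comment is not code
SRC;

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    // Usage: php quote_keys.php [--ask] file.php ...   (rewrites files in place)
    $ask   = $argv[1] === '--ask';
    $files = array_slice($argv, $ask ? 2 : 1);
    foreach ($files as $path) {
        $src = file_get_contents($path);
        $new = quote_bare_keys($src, $ask ? function ($key, $line) use ($path) {
            fwrite(STDERR, "$path:$line: quote [$key]? [y/N] ");
            return strtolower(trim(fgets(STDIN))) === 'y';
        } : null);
        if ($new !== $src) { file_put_contents($path, $new); }
    }
} else {
    echo quote_bare_keys($sample);   // no arguments: show the sample rewritten
}
```

On the sample, the two osno keys and the bnum key inside {$r[bnum]} get quoted; '$r[liid]' in the double-quoted string, the ALL_CAPS constant, true and the comment are left as they are. Run it with --ask over `find wws -name '*.php'` for the y/n workflow the question describes, and diff the tree before committing, because the constant heuristic is only a heuristic.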
    _"In PHP 7.2, there need to be quotation marks around the column-name."_ Note, this has always been a requirement. In 7.2 it simply changed from a `NOTICE` to a `WARNING`. – Alex Howansky Feb 06 '19 at 15:37
  • You've also got some [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) issues. Instead of building queries with string concatenation, use [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) with [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). See [**this page**](https://phptherightway.com/#databases) and [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for some good examples. – Alex Howansky Feb 06 '19 at 15:38
  • I know that the code is very messy, I didn't write this myself, I only want to upgrade it so that I am not vulnerable because of my old PHP version – siryx Feb 06 '19 at 15:42
  • 1
    _"I only want to upgrade it so that I am not vulnerable"_ Being vulnerable to SQL injection is far more dangerous than being vulnerable to an old PHP version. – Alex Howansky Feb 06 '19 at 15:44
  • "If you are upgrading from mysql to mysqli, beware lazy upgrade guides that suggest you can simply find and replace mysql_* with mysqli_*." Would this work to just replace it all with mysqli? I don't have the possibility right now to replace the database connector – siryx Feb 06 '19 at 15:45
  • Regarding identifying issues, I'd recommend using a static analyzer like [PHPStan](https://github.com/phpstan/phpstan) -- at `--level 1` it will pick up these array index issues. – Alex Howansky Feb 06 '19 at 15:45
  • 1
    No, simply replacing with mysqli is not sufficient. You must use prepared statements with bound parameters. – Alex Howansky Feb 06 '19 at 15:46
  • 1
    Also note that the mysql driver goes away in 7.2, so if that's what you're currently using, then you'll *have to* replace the database connector. – Alex Howansky Feb 06 '19 at 15:47
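The prepared-statement point from the comments, as an added example (mine, not from the question, the comments or the answer), written against the two queries visible in the grep output from mwtol_000M0000.php. The DSN, credentials and function names are assumptions; only the table and column names come from the page.

```php
<?php
// Added example: the two query shapes from the grep output, rebuilt with bound
// parameters. Connection details and function names are this example's own.

// Before (from the page): values from $r, $feld and $_SESSION are pasted into SQL.
//   "select * from mhein_040 where orno='$r[liid]' and mndn = '".$_SESSION['SES_CLIENT']."'"
//   "select grou from mpart_003 where item='$feld[item]' and tabl='msser_201'
//      and grou in ('1','2','3') and mndn = '".$_SESSION['SES_CLIENT']."'"

// After, with PDO. With emulation off the SQL text and the values travel
// separately, so a quote or comment marker inside $r['liid'] cannot change
// the statement. The literal list ('1','2','3') is not user input and stays inline.
function pdo_connect($dsn, $user, $pass)
{
    return new PDO($dsn, $user, $pass, array(
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ));
}

function find_mhein_040(PDO $db, $liid, $client)
{
    $stmt = $db->prepare('select * from mhein_040 where orno = :orno and mndn = :mndn');
    $stmt->execute(array(':orno' => $liid, ':mndn' => $client));
    return $stmt->fetch();   // one row, or false when there is none
}

function mpart_groups(PDO $db, $item, $client)
{
    $stmt = $db->prepare(
        "select grou from mpart_003
          where item = ? and tabl = 'msser_201' and grou in ('1','2','3') and mndn = ?");
    $stmt->execute(array($item, $client));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The same with mysqli, for a code base leaving the removed mysql_* extension:
// renaming mysql_query() to mysqli_query() keeps the injection; only a
// prepared statement with bound parameters removes it.
function find_mhein_040_mysqli(mysqli $db, $liid, $client)
{
    $stmt = $db->prepare('select * from mhein_040 where orno = ? and mndn = ?');
    $stmt->bind_param('ss', $liid, $client);     // 's' = string, one per placeholder
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
}

// Usage (assumed credentials):
// $db  = pdo_connect('mysql:host=localhost;dbname=wws;charset=utf8mb4', 'wws', 'secret');
// $row = find_mhein_040($db, $r['liid'], $_SESSION['SES_CLIENT']);
// $grp = mpart_groups($db, $feld['item'], $_SESSION['SES_CLIENT']);
```

The session value is bound too: it is trusted data today, but binding everything means nobody has to re-audit which inputs are "safe" when the code around the query changes.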

1 Answer


There are tools such as PHP-CS-Fixer and EasyCodingStandard that understand PHP syntax and can safely update a large number of potential styles and fixes.

For example, with ECS, to update from array() to short arrays ('[]'):

services:
    PhpCsFixer\Fixer\ArrayNotation\ArraySyntaxFixer:
        syntax: short
Alister Bulman
  • I actually had a look at PHP-CS-Fixer, but sadly the code has to be 5.6 =( – siryx Feb 06 '19 at 16:15
  • Coming back to this randomly: this was the best thing to do. Download the last supported version for my specific PHP version and run it to upgrade all code to a compatible version. – siryx Jul 12 '23 at 13:36