
klebann/moodle-psalm-plugin
===========================

A Psalm plugin to detect unsafe usage of $DB methods with SQL

v2.2 (released 5y ago) · MIT · PHP ^7.1 · last pushed 5y ago · 1 watcher

[Source](https://github.com/klebann/moodle-psalm-plugin) · [Packagist](https://packagist.org/packages/klebann/moodle-psalm-plugin)

moodle-psalm-plugin
===================

Moodle Psalm-Plugin (MPP) is a [Psalm](https://github.com/vimeo/psalm) plugin that finds `$DB->` method calls whose SQL is vulnerable to SQL injection and displays the content of the SQL query it reconstructs.

The plugin only finds and shows you code that you should review; it does not change anything.

Installation:
-------------


```
$ composer require --dev klebann/moodle-psalm-plugin
$ vendor/bin/psalm-plugin enable klebann/moodle-psalm-plugin
```

Usage:
------

Copy [psalm-plugin.xml](psalm-plugin.xml) and [issueHandlers.xml](issueHandlers.xml) to the Psalm root directory and modify them for your specific usage.

Run Psalm from /path/to/moodle/local/psalm and scan /path/to/moodle/mod/checklist plugin:

```
$ ./vendor/bin/psalm --config=psalm-plugin.xml --no-diff --show-info=true ../../mod/checklist
```

Run Psalm from /path/to/moodle/local/psalm and scan /path/to/moodle/mod/checklist/lib.php file:

```
$ ./vendor/bin/psalm --config=psalm-plugin.xml --no-diff --show-info=true ../../mod/checklist/lib.php
```

Run Psalm for [Testing](tests) in psalm/vendor/klebann/moodle-psalm-plugin:

```
$ ../../bin/psalm --config=psalm.xml --no-diff --show-info=true
```

Explanation:
------------

Created to automate security-focused code review of Moodle plugins:

"In order to prevent SQL injection, always use data placeholders in your queries (? or :named) to pass data from users into the queries." ~ [Data Manipulation API - Placeholders](https://docs.moodle.org/dev/Data_manipulation_API#Placeholders)

Example:
--------


PHP:

```
if ($checklist->teacheredit == CHECKLIST_MARKING_STUDENT) {
    $date = ', MAX(c.usertimestamp) AS datesubmitted';
    $where = 'c.usertimestamp > 0';
} else {
    $date = ', MAX(c.teachertimestamp) AS dategraded';
    $where = 'c.teachermark = '.CHECKLIST_TEACHERMARK_YES;
}

$total = count($items);

list($usql, $uparams) = $DB->get_in_or_equal($users);
list($isql, $iparams) = $DB->get_in_or_equal(array_keys($items));

$namefields = get_all_user_name_fields(true, 'u');

$sql = 'SELECT u.id AS userid, (SUM(CASE WHEN '.$where.' THEN 1 ELSE 0 END) * ? / ? ) AS rawgrade'.$date;
$sql .= ' , '.$namefields;
$sql .= ' FROM {user} u LEFT JOIN {checklist_check} c ON u.id = c.userid';
$sql .= " WHERE u.id $usql";
$sql .= " AND c.item $isql";
$sql .= ' GROUP BY u.id, '.$namefields;

$params = array_merge($uparams, $iparams);
$params = array_merge(array($checklist->maxgrade, $total), $params);

$grades = $DB->get_records_sql($sql, $params);
```

Output (this example will be skipped in the next release because it is safe):

```
INFO: PossibleSqlInjection - ../../mod/checklist/lib.php:342:24 - Calling unsafe sql method $DB->get_records_sql
Description:
    Safe variable $namefields: created by get_all_user_name_fields()
    Safe variable $usql: created by get_in_or_equal()
    Safe variable $isql: created by get_in_or_equal()
SQL:
    SELECT u.id AS userid, (SUM(CASE WHEN $namefields([c.usertimestamp > 0][c.teachermark = CHECKLIST_TEACHERMARK_YES]) THEN 1 ELSE 0 END) * ? / ? ) AS rawgrade $date([, MAX(c.usertimestamp) AS datesubmitted][, MAX(c.teachertimestamp) AS dategraded]) , $namefields FROM {user} u LEFT JOIN {checklist_check} c ON u.id = c.userid WHERE u.id $usql AND c.item $isql GROUP BY u.id, $namefields
Documentation -
        $grades = $DB->get_records_sql($sql, $params);
```
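As an added illustration of the placeholder rule above and of the kind of call the plugin reports (example code written for this page, not from the plugin or from Moodle; `FakeDb` is a stand-in for `$DB`, and the table, column and function names are assumed), the first function builds SQL the way the plugin flags and the second the way the Moodle documentation asks for:

```php
<?php
// Added example (not code from moodle-psalm-plugin or Moodle). FakeDb is a
// stand-in for Moodle's $DB so the file runs outside Moodle: it records the
// SQL and parameters it receives instead of querying a database.
class FakeDb {
    public $calls = [];
    public function get_records_sql(string $sql, array $params = []): array {
        $this->calls[] = [$sql, $params];
        return [];
    }
    // Mimics $DB->get_in_or_equal(): returns [sql fragment, parameter list].
    public function get_in_or_equal(array $items): array {
        $marks = implode(',', array_fill(0, count($items), '?'));
        return ["IN ($marks)", array_values($items)];
    }
}

// UNSAFE: request values are concatenated into the SQL text, so whatever the
// client sends becomes part of the statement. This is the shape the plugin
// reports as PossibleSqlInjection.
function checks_unsafe(FakeDb $DB, string $courseid, array $userids): void {
    $sql = "SELECT * FROM {checklist_check} c WHERE c.course = $courseid";
    $sql .= ' AND c.userid IN (' . implode(',', $userids) . ')';
    $DB->get_records_sql($sql);
}

// SAFE: data goes through ? placeholders, list membership through
// get_in_or_equal(), and the one fragment that cannot be a placeholder (a
// column name) comes from a fixed allow-list, never from the request.
function checks_safe(FakeDb $DB, int $courseid, array $userids, string $sort): void {
    $allowed = ['usertimestamp', 'teachertimestamp'];
    if (!in_array($sort, $allowed, true)) {
        $sort = 'usertimestamp';
    }
    list($usql, $uparams) = $DB->get_in_or_equal($userids);
    $sql = "SELECT * FROM {checklist_check} c WHERE c.course = ? AND c.userid $usql ORDER BY c.$sort";
    $DB->get_records_sql($sql, array_merge([$courseid], $uparams));
}

// Constructed inputs standing in for values read from the request.
$DB = new FakeDb();
checks_unsafe($DB, '1 OR <anything the client sends>', ['2', '3']);
checks_safe($DB, 1, [2, 3], 'teachertimestamp');
foreach ($DB->calls as list($sql, $params)) {
    echo $sql, "\n  params: ", json_encode($params), "\n";
}
```

Run with `php example.php`: the unsafe query prints the request text inline, the safe query prints only `?` marks plus the allow-listed column. Expect the plugin to still list the safe call for review because `$sort` is an interpolated variable it cannot classify; confirming such allow-lists by hand is the manual review step the README describes.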


### Community

Maintainer: [klebann](/maintainers/klebann) (top contributor, 15 commits)

### Code Quality

Static analysis: Psalm. Type coverage: yes.
