Merge remote-tracking branch 'upstream/develop' into 4.5

 Conflicts:
	user_guide_src/source/database/configuration.rst

phpstan.neon.dist

@@ -17,6 +17,7 @@ parameters:
 		- admin/starter/tests
 		- app
 		- system
+		- tests
 		- utils/PHPStan
 	excludePaths:
 		- app/Views/errors/cli/*
@@ -27,6 +28,7 @@ parameters:
 		- system/Test/Filters/CITestStreamFilter.php
 		- system/ThirdParty/*
 		- system/Validation/Views/single.php
+		- tests/system/View/Views/*
 	scanDirectories:
 		- system/Helpers
 	checkGenericClassInNonGenericObjectType: false

system/Validation/Validation.php

@@ -799,7 +799,9 @@ protected function fillPlaceholders(array $rules, array $data): array
                         // Check if the validation rule for the placeholder exists
                         if ($placeholderRules === null) {
                             throw new LogicException(
-                                'No validation rules for the placeholder: ' . $field
+                                'No validation rules for the placeholder: "' . $field
+                                . '". You must set the validation rules for the field.'
+                                . ' See <https://codeigniter4.github.io/userguide/libraries/validation.html#validation-placeholders>.'
                             );
                         }
 

tests/system/Validation/StrictRules/DatabaseRelatedRulesTest.php

@@ -19,6 +19,7 @@
 use Config\Database;
 use Config\Services;
 use InvalidArgumentException;
+use LogicException;
 use Tests\Support\Validation\TestRules;
 
 /**
@@ -152,6 +153,34 @@ public function testIsUniqueWithIgnoreValuePlaceholder(): void
         $this->assertTrue($this->validation->run($data));
     }
 
+    public function testIsUniqueWithPlaceholderAndNoValidationRulesForIt(): void
+    {
+        $this->expectException(LogicException::class);
+        $this->expectExceptionMessage('No validation rules for the placeholder: "id". You must set the validation rules for the field.');
+
+        $this->hasInDatabase('user', [
+            'name'    => 'Derek',
+            'email'   => '[email protected]',
+            'country' => 'GB',
+        ]);
+
+        $row = Database::connect()
+            ->table('user')
+            ->limit(1)
+            ->get()
+            ->getRow();
+
+        $data = [
+            'id'    => $row->id,
+            'email' => '[email protected]',
+        ];
+
+        $this->validation->setRules([
+            'email' => 'is_unique[user.email,id,{id}]',
+        ]);
+        $this->validation->run($data);
+    }
+
     public function testIsUniqueByManualRun(): void
     {
         Database::connect()

user_guide_src/source/database/configuration.rst

@@ -136,9 +136,9 @@ and decode it in the constructor in the Config class:
 
 .. _database-config-explanation-of-values:
 
-**********************
-Explanation of Values:
-**********************
+*********************
+Explanation of Values
+*********************
 
 ================ ===========================================================================================================
  Name Config     Description
@@ -159,31 +159,25 @@ Explanation of Values:
 **pConnect**     true/false (boolean) - Whether to use a persistent connection.
 **DBDebug**      true/false (boolean) - Whether to throw exceptions or not when database errors occur.
 **charset**      The character set used in communicating with the database.
-**DBCollat**     The character collation used in communicating with the database (``MySQLi`` only).
+**DBCollat**     (``MySQLi`` only) The character collation used in communicating with the database.
 **swapPre**      A default table prefix that should be swapped with ``DBPrefix``. This is useful for distributed
                  applications where you might run manually written queries, and need the prefix to still be
                  customizable by the end user.
-**schema**       The database schema, default value varies by driver. (Used by ``Postgre`` and ``SQLSRV``.)
-**encrypt**      Whether or not to use an encrypted connection.
-                 ``SQLSRV`` driver accepts true/false
-                 ``MySQLi`` driver accepts an array with the following options:
-                 * ``ssl_key``    - Path to the private key file
-                 * ``ssl_cert``   - Path to the public key certificate file
-                 * ``ssl_ca``     - Path to the certificate authority file
-                 * ``ssl_capath`` - Path to a directory containing trusted CA certificates in PEM format
-                 * ``ssl_cipher`` - List of *allowed* ciphers to be used for the encryption, separated by colons (``:``)
-                 * ``ssl_verify`` - true/false; Whether to verify the server certificate or not (``MySQLi`` only)
-**compress**     Whether or not to use client compression (``MySQLi`` only).
-**strictOn**     true/false (boolean) - Whether to force "Strict Mode" connections, good for ensuring strict SQL
-                 while developing an application (``MySQLi`` only).
+**schema**       (``Postgre`` and ``SQLSRV`` only) The database schema, default value varies by driver.
+**encrypt**      (``MySQLi`` and ``SQLSRV`` only) Whether or not to use an encrypted connection.
+                 See :ref:`MySQLi encrypt <mysqli-encrypt>` for ``MySQLi`` settings.
+                 ``SQLSRV`` driver accepts true/false.
+**compress**     (``MySQLi`` only) Whether or not to use client compression.
+**strictOn**     (``MySQLi`` only) true/false (boolean) - Whether to force "Strict Mode" connections, good for ensuring
+                 strict SQL while developing an application.
 **port**         The database port number - Empty string ``''`` for default port (or dynamic port with ``SQLSRV``).
-**foreignKeys**  true/false (boolean) - Whether or not to enable Foreign Key constraint (``SQLite3`` only).
+**foreignKeys**  (``SQLite3`` only) true/false (boolean) - Whether or not to enable Foreign Key constraint.
 
                  .. important:: SQLite3 Foreign Key constraint is disabled by default.
                      See `SQLite documentation <https://www.sqlite.org/pragma.html#pragma_foreign_keys>`_.
                      To enforce Foreign Key constraint, set this config item to true.
-**busyTimeout**  milliseconds (int) - Sleeps for a specified amount of time when a table is locked (``SQLite3`` only).
-**numberNative** true/false (boolean) - Whether or not to enable MYSQLI_OPT_INT_AND_FLOAT_NATIVE (``MySQLi`` only).
+**busyTimeout**  (``SQLite3`` only) milliseconds (int) - Sleeps for a specified amount of time when a table is locked.
+**numberNative** (``MySQLi`` only) true/false (boolean) - Whether or not to enable MYSQLI_OPT_INT_AND_FLOAT_NATIVE.
 **dateFormat**   The default date/time formats as PHP's `DateTime format`_.
                  * ``date``        - date format
                  * ``datetime``    - date and time format
@@ -216,4 +210,18 @@ the ``'hostname'`` setting. CodeIgniter's MySQLi driver will notice this and con
 connection properly.
 
 .. literalinclude:: configuration/011.php
-    :lines: 11-18
+    :lines: 11-18
+
+.. _mysqli-encrypt:
+
+encrypt
+-------
+
+MySQLi driver accepts an array with the following options:
+
+* ``ssl_key``    - Path to the private key file
+* ``ssl_cert``   - Path to the public key certificate file
+* ``ssl_ca``     - Path to the certificate authority file
+* ``ssl_capath`` - Path to a directory containing trusted CA certificates in PEM format
+* ``ssl_cipher`` - List of *allowed* ciphers to be used for the encryption, separated by colons (``:``)
+* ``ssl_verify`` - true/false; Whether to verify the server certificate or not

user_guide_src/source/libraries/validation.rst

@@ -543,15 +543,18 @@ Validation Placeholders
 =======================
 
 The Validation class provides a simple method to replace parts of your rules based on data that's being passed into it. This
-sounds fairly obscure but can be especially handy with the ``is_unique`` validation rule. Placeholders are simply
+sounds fairly obscure but can be especially handy with the ``is_unique`` validation rule.
+
+Placeholders are simply
 the name of the field (or array key) that was passed in as ``$data`` surrounded by curly brackets. It will be
 replaced by the **value** of the matched incoming field. An example should clarify this:
 
 .. literalinclude:: validation/020.php
    :lines: 2-
 
-.. note:: Since v4.3.5, you must set the validation rules for the placeholder
-    field (the ``id`` field in the sample code above) for security.
+.. warning:: Since v4.3.5, you must set the validation rules for the placeholder
+    field (the ``id`` field in the sample code above) for security reasons. Because
+    attackers can send any data to your application.
 
 In this set of rules, it states that the email address should be unique in the database, except for the row
 that has an id matching the placeholder's value. Assuming that the form POST data had the following:

user_guide_src/source/tutorial/news_section.rst

@@ -98,7 +98,7 @@ some additional tools to make working with data simpler. Add the
 following code to your model.
 
 .. literalinclude:: news_section/002.php
-    :lines: 11-18
+    :lines: 11-23
 
 With this code, you can perform two different queries. You can get all
 news records, or get a news item by its slug. You might have

user_guide_src/source/tutorial/news_section/002.php

@@ -8,6 +8,11 @@ class NewsModel extends Model
 {
     protected $table = 'news';
 
+    /**
+     * @param false|string $slug
+     *
+     * @return array|null
+     */
     public function getNews($slug = false)
     {
         if ($slug === false) {

user_guide_src/source/tutorial/news_section/003.php

@@ -10,10 +10,10 @@ public function index()
     {
         $model = model(NewsModel::class);
 
-        $data['news'] = $model->getNews();
+        $data['news_list'] = $model->getNews();
     }
 
-    public function show($slug = null)
+    public function show(?string $slug = null)
     {
         $model = model(NewsModel::class);
 

user_guide_src/source/tutorial/news_section/004.php

@@ -11,8 +11,8 @@ public function index()
         $model = model(NewsModel::class);
 
         $data = [
-            'news'  => $model->getNews(),
-            'title' => 'News archive',
+            'news_list' => $model->getNews(),
+            'title'     => 'News archive',
         ];
 
         return view('templates/header', $data)

user_guide_src/source/tutorial/news_section/005.php

@@ -1,8 +1,8 @@
 <h2><?= esc($title) ?></h2>
 
-<?php if (! empty($news) && is_array($news)): ?>
+<?php if ($news_list !== []): ?>
 
-    <?php foreach ($news as $news_item): ?>
+    <?php foreach ($news_list as $news_item): ?>
 
         <h3><?= esc($news_item['title']) ?></h3>
 

user_guide_src/source/tutorial/news_section/006.php

@@ -9,13 +9,13 @@ class News extends BaseController
 {
     // ...
 
-    public function show($slug = null)
+    public function show(?string $slug = null)
     {
         $model = model(NewsModel::class);
 
         $data['news'] = $model->getNews($slug);
 
-        if (empty($data['news'])) {
+        if ($data['news'] === null) {
             throw new PageNotFoundException('Cannot find the news item: ' . $slug);
         }
 

user_guide_src/source/tutorial/static_pages.rst

@@ -159,7 +159,7 @@ If the requested page doesn't exist, a "404 Page not found" error is shown.
 The first line in this method checks whether the page actually exists.
 PHP's native ``is_file()`` function is used to check whether the file
 is where it's expected to be. The ``PageNotFoundException`` is a CodeIgniter
-exception that causes the default error page to show.
+exception that causes the 404 Page Not Found error page to show.
 
 In the header template, the ``$title`` variable was used to customize the
 page title. The value of title is defined in this method, but instead of

user_guide_src/source/tutorial/static_pages/001.php

@@ -9,7 +9,7 @@ public function index()
         return view('welcome_message');
     }
 
-    public function view($page = 'home')
+    public function view(string $page = 'home')
     {
         // ...
     }

user_guide_src/source/tutorial/static_pages/002.php

@@ -8,7 +8,7 @@ class Pages extends BaseController
 {
     // ...
 
-    public function view($page = 'home')
+    public function view(string $page = 'home')
     {
         if (! is_file(APPPATH . 'Views/pages/' . $page . '.php')) {
             // Whoops, we don't have a page for that!