Newsgroups: php.internals
Subject: Literal / Taint checking
From: craig@craigfrancis.co.uk (Craig Francis)
To: PHP internals
Date: Thu, 15 Aug 2019 19:02:49 +0100
Hi,

How likely would it be for PHP to do Literal tracking of variables?

This is something that's being discussed at JavaScript TC39 at the moment [1], and I think it would be even more useful in PHP.

We already know we should use parameterized/prepared SQL, but there is no way to prove the SQL string hasn't been tainted by external data in large projects, or even in an ORM.

This could also work for templating systems (blocking HTML injection) and commands.

Internally it would need to introduce a flag on every variable, and a single function to check if a given variable has only been created by Literal(s).

Unlike the taint extension, there should be no way to override this (e.g. no taint/untaint functions); and if it was part of the core language, it would continue to work after every update.

One day certain functions (e.g. mysqli_query) might use this information to generate an error/warning/notice; but for now, having it available for checking would be more than enough.

Craig

    public function exec($sql, $parameters = [])
    {
        // is_literal() is the proposed check: true only if $sql was built from literals
        if (!is_literal($sql)) {
            throw new Exception('SQL must be a literal.');
        }
        $statement = $this->pdo->prepare($sql);
        $statement->execute($parameters);
        return $statement->fetchAll();
    }

    ...

    $sql = 'SELECT * FROM table WHERE id = ?';
    $result = $db->exec($sql, [$id]);

[1] https://github.com/tc39/proposal-array-is-template-object
    https://github.com/mikewest/tc39-proposal-literals
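An added example (not from Craig's email, and not PHP core code) showing how the proposed check would behave, using a userland stand-in: the `Literal` and `Db` classes and the userland `is_literal()` function are assumptions, since PHP has no engine-level literal flag, and the demo needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Userland stand-in for the proposed per-variable flag: a Literal is created
// only from a string written in source (a convention, since userland PHP cannot
// see a string's origin) and combining Literals yields another Literal.
final class Literal
{
    private function __construct(private string $value) {}

    public static function from(string $sourceLiteral): self
    {
        return new self($sourceLiteral);
    }

    public function concat(Literal ...$parts): self
    {
        $out = $this->value;
        foreach ($parts as $part) { $out .= $part->value; }
        return new self($out);
    }

    public function __toString(): string { return $this->value; }
}

// Hypothetical is_literal() from the proposal; PHP core has no such function.
function is_literal(mixed $value): bool { return $value instanceof Literal; }

final class Db
{
    public function __construct(private PDO $pdo) {}

    public function exec(Literal|string $sql, array $parameters = []): array
    {
        if (!is_literal($sql)) {
            throw new InvalidArgumentException('SQL must be a literal.');
        }
        $statement = $this->pdo->prepare((string) $sql);
        $statement->execute($parameters);
        return $statement->fetchAll(PDO::FETCH_ASSOC);
    }
}

$db = new Db(new PDO('sqlite::memory:')); // requires the pdo_sqlite extension
$db->exec(Literal::from('CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT)'));
$db->exec(Literal::from('INSERT INTO t (name) VALUES (?)'), ['alice']);
$id = $_GET['id'] ?? '1';                 // external data; '1' is a constructed default
$base = Literal::from('SELECT * FROM t');
$rows = $db->exec($base->concat(Literal::from(' WHERE id = ?')), [$id]); // accepted
try {
    $db->exec("SELECT * FROM t WHERE id = $id");                          // rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The interpolated query is refused before it reaches `prepare()`, while the query assembled only from literals with the value bound as a parameter is accepted; an engine-level flag would give the same result without relying on the `Literal::from()` convention.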