Newsgroups: php.internals
Subject: Re: [PHP-DEV] Literal / Taint checking
From: kontakt@beberlei.de (Benjamin Eberlei)
To: Craig Francis
Cc: PHP internals
Date: Thu, 15 Aug 2019 20:05:45 +0200

On Thu, Aug 15, 2019 at 8:03 PM Craig Francis wrote:

> Hi,
>
> How likely would it be for PHP to do Literal tracking of variables?
>
> This is something that's being discussed in JavaScript TC39 at the moment [1],
> and I think it would be even more useful in PHP.
>
> We already know we should use parameterized/prepared SQL, but there is no
> way to prove the SQL string hasn't been tainted by external data in large
> projects, or even in an ORM.
>
> This could also work for templating systems (blocking HTML injection) and
> commands.
>
> Internally it would need to introduce a flag on every variable, and a
> single function to check if a given variable has only been created by
> Literal(s).
>
> Unlike the taint extension, there should be no way to override this (e.g.
> no taint/untaint functions); and if it was part of the core language, it
> will continue to work after every update.
>
> One day certain functions (e.g. mysqli_query) might use this information to
> generate an error/warning/notice; but for now, having it available for
> checking would be more than enough.
>
> Craig

It is an interesting topic indeed! I remember that laruence wrote an
extension for this a while ago, I have never tried it myself though. You can
find it here: https://github.com/laruence/taint

> > public function exec($sql, $parameters = []) {
> >     if (!is_literal($sql)) {
> >         throw new Exception('SQL must be a literal.');
> >     }
> >     $statement = $this->pdo->prepare($sql);
> >     $statement->execute($parameters);
> >     return $statement->fetchAll();
> > }
> >
> > ...
> >
> > $sql = 'SELECT * FROM table WHERE id = ?';
> >
> > $result = $db->exec($sql, [$id]);
> >
> > [1] https://github.com/tc39/proposal-array-is-template-object
> >     https://github.com/mikewest/tc39-proposal-literals
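Craig's exec() checks the SQL string after it has been built; the TC39 proposal he links as [1] gets the same guarantee by construction with tagged templates. As an added example (not code from this thread or from PHP), this JavaScript version keeps the query text to literal source chunks and turns every interpolated value into a bound parameter; it assumes `Array.isTemplateObject` is not available and uses a weaker frozen-array check in its place, with a constructed fake driver standing in for PDO.

```javascript
// Added example (not from the thread): tagged-template SQL where the query
// text can only be literal source chunks. Assumes Array.isTemplateObject,
// the TC39 primitive linked as [1], is unavailable, so the literal/data
// split rests on the engine handing the tag the template's literal chunks.
const builtByTag = new WeakSet(); // queries produced by the tag below

// `sql` tag: literal chunks become the SQL text, each interpolated value
// becomes a `?` placeholder plus a bound parameter.
function sql(strings, ...values) {
  // Real template objects arrive frozen with a `.raw` array; hand-built
  // arrays normally lack both. Forgeable, which is the gap that
  // Array.isTemplateObject is meant to close.
  if (!Array.isArray(strings) || !Object.isFrozen(strings) ||
      !Array.isArray(strings.raw)) {
    throw new TypeError('sql must be used as a template tag');
  }
  const query = Object.freeze({ text: strings.join('?'), params: values });
  builtByTag.add(query);
  return query;
}

// Counterpart of the thread's exec($sql, $parameters): a plain string is
// refused; only a query built by the tag reaches the driver.
function exec(query, driver) {
  if (!builtByTag.has(query)) {
    throw new Error('SQL must be a literal.');
  }
  return driver(query.text, query.params);
}

// Two queries through a constructed fake driver that only records what it
// would have sent to the database.
function demo(userId, newName) {
  const calls = [];
  const fakeDriver = (text, params) => { calls.push({ text, params }); return []; };
  exec(sql`SELECT * FROM users WHERE id = ${userId}`, fakeDriver);
  exec(sql`UPDATE users SET name = ${newName} WHERE id = ${userId}`, fakeDriver);
  return calls;
}

// A string assembled at runtime from data never reaches the driver.
function rejectsPlainString(userId) {
  try {
    exec('SELECT * FROM users WHERE id = ' + userId, () => []);
    return false;
  } catch (e) {
    return e.message === 'SQL must be a literal.';
  }
}
```

The driver only ever sees `?` placeholders and a parameter array, which is the separation the is_literal() check in the thread is trying to prove for plain strings.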