Newsgroups: php.internals
Date: Thu, 15 Aug 2019 16:36:54 -0400
From: matthewmatthew@gmail.com (Matthew Brown)
To: Craig Francis
Cc: PHP internals
Subject: Re: [PHP-DEV] Literal / Taint checking

> If anything, this proposal would help user-land solutions (it gives them
> more information while the code is running).

Well, it might help runtime-based user-land solutions, but not static analysis-based solutions.

In our bug disclosure program at Vimeo we've had no SQL injection issues reported, but a number of XSS issues (echoing attacker-controlled data), and those issues cannot so easily be prevented by this technique, as there's generally little reason to echo literal values.

I can also think of a number of user-constructed SQL queries (e.g. WHERE ... IN) that require non-literal values to work (if this were to come to pass there might be a set of special `unsafe` methods).
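The WHERE ... IN case raised above, as an added illustration that is not part of the original thread and not code from the RFC or from Vimeo: the placeholder list has to be generated at runtime from the number of values, so the finished SQL string is not a compile-time literal even though every user value is bound through a prepared statement. The unsafe variant beside it is the pattern a literal/taint check is actually meant to catch. It assumes PHP with the pdo_sqlite extension and a constructed `videos` table; the in-memory database and the request input are sample data made up for the example.

```php
<?php
// Added example, not from the thread. Assumes pdo_sqlite is available;
// the `videos` table and the request ids below are constructed sample data.
declare(strict_types=1);

/**
 * Build a SELECT with an IN (...) list of positional placeholders.
 * The placeholder string is computed from count($ids), so the returned SQL
 * is NOT a literal at compile time, yet it is injection-safe: user values
 * are bound as parameters, never concatenated into the query text.
 *
 * @param array<int|string> $ids
 * @return array{0:string,1:int[]} SQL text and the values to bind
 */
function buildInQuery(array $ids): array
{
    if ($ids === []) {
        // "IN ()" is invalid SQL; return a literal query that matches nothing.
        return ['SELECT id, title FROM videos WHERE 1 = 0', []];
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $sql = 'SELECT id, title FROM videos WHERE id IN (' . $placeholders . ')';
    // Coerce to integers so only numbers ever reach the driver.
    $params = array_map('intval', array_values($ids));
    return [$sql, $params];
}

/**
 * The unsafe variant: the values themselves are interpolated, so the
 * non-literal part of the string is attacker-controlled. This is the
 * shape of query a literal/taint check should reject.
 */
function buildInQueryUnsafe(array $ids): string
{
    return 'SELECT id, title FROM videos WHERE id IN (' . implode(', ', $ids) . ')';
}

/** @return array<int, array{id:int, title:string}> */
function fetchByIds(PDO $pdo, array $ids): array
{
    [$sql, $params] = buildInQuery($ids);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO videos VALUES (1, 'one'), (2, 'two'), (3, 'three')");

// Constructed request input: ids from a query string, one of them hostile.
$requestIds = ['1', '3', '0) OR 1=1 --'];

[$sql, $params] = buildInQuery($requestIds);
echo $sql, PHP_EOL;                      // ... WHERE id IN (?, ?, ?)
print_r(fetchByIds($pdo, $requestIds));  // rows 1 and 3 only; payload became 0

// Same input through the unsafe builder: the payload rewrites the query.
echo buildInQueryUnsafe($requestIds), PHP_EOL;
```

Run it with `php example.php`. The point for the proposal is that `buildInQuery()` and `buildInQueryUnsafe()` both produce non-literal strings, so a check that only asks "is this SQL a literal?" cannot tell them apart; the safe one would need the kind of `unsafe`-style escape hatch the message mentions, or the check would have to reason about which non-literal fragment (the placeholder list versus the values) went into the string.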