Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:109215 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 80138 invoked from network); 23 Mar 2020 00:50:31 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 23 Mar 2020 00:50:31 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 5B23C1804F3 for ; Sun, 22 Mar 2020 16:14:32 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sun, 22 Mar 2020 16:14:31 -0700 (PDT) Received: by mail-wr1-f49.google.com with SMTP id a25so14781545wrd.0 for ; Sun, 22 Mar 2020 16:14:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=craigfrancis.co.uk; s=default; h=from:mime-version:subject:message-id:date:cc:to; bh=BoO07iyiR7RuVj24t6QNgKc7ixPCWBfSkHHKHmjwvus=; b=FBBZfNUY3dN4mzFW6SBDoSvGdc/E09rXJjg6Kx0Dq1Vzv5EpAi6VbZthTscfslh9aV VUZ682+Gkn69Ktr25dl5VKe8gQbFditO3BbkfXG+sFzLOZJv8lQ/KKhL5/AgpnCimTd8 FzPLnwBA7i9VW0dm0bLK+oT0JzNeHwJlmKbpA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:message-id:date:cc:to; bh=BoO07iyiR7RuVj24t6QNgKc7ixPCWBfSkHHKHmjwvus=; b=f48Xj8kL+Dz5k55jYM6Qf3NueNhCoIr3d7aPxj1zfYGTHm8LnmKtnotFmhj/b/R3kB 2hpKPLVS3ILiJpUrIUbSiT16t7RrGxkT53BvYdIZ6nnvTnK8wUkZOqssIBOBsqXQgBWp yaEdmjbncKoHUsK9gQ6N+VB3svxS/Hrb8doSuNbecxBTVJUsBRszioNXzlT8Jz+9LmXD jxYxpOO6QmbUMwJbhtjbUvxunMRCdydWDNRJ/47ZV18DgrE9/S/kwRZGrPiqjcmq2ONK +LbrgNBuF2lM20kjGWSUiGmvc3OvxvhCcXkKgcQuLSRpq3N36ZpJQUZE2K15xpujJxlp Y5oA== X-Gm-Message-State: ANhLgQ35ccuvyz23uPdcn8/BMN+M1Ge83jLgQNGJQAuGJlgLp02cubp6 BKqJPtGi0S5MIq1eP4fCOIvUwMNldKcQfR65 X-Google-Smtp-Source: ADFU+vtitEs5tVP9GIEfxFv7+DXa6hVZugVIugzsAqPpWnd5Qlt2OOzDwvlitzb3YHGgY0W+ztgIeA== X-Received: by 2002:a5d:6386:: with SMTP id p6mr25362380wru.194.1584918869133; Sun, 22 Mar 2020 16:14:29 -0700 (PDT) Received: from [192.168.1.10] ([92.237.247.170]) by smtp.gmail.com with ESMTPSA id u5sm13281170wrp.81.2020.03.22.16.14.28 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 22 Mar 2020 16:14:28 -0700 (PDT) Content-Type: multipart/alternative; boundary="Apple-Mail=_40F044F6-CF78-447F-AA62-FECD9907DE00" Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\)) Message-ID: Date: Sun, 22 Mar 2020 23:14:27 +0000 Cc: PHP internals To: mike@newclarity.net X-Mailer: Apple Mail (2.3608.60.0.2.5) Subject: [RFC] is_literal() From: craig@craigfrancis.co.uk (Craig Francis) --Apple-Mail=_40F044F6-CF78-447F-AA62-FECD9907DE00 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 On Sun, 22 Mar 2020 at 19:11, Mike Schinkel wrote: > I think it would be better to specify the problem(s) you are trying to = solve Thanks for your thoughts Mike, I've updated the RFC, tweaking the definition of a literal, and moving = that to the end of the introduction, so the problems are now in the = second paragraph (sorry this wasn't clear, this is my first RFC). https://wiki.php.net/rfc/is_literal = > Looking at my code [...] I pass to $wpdb->get_results() is in = variables, not literals. I think this is where Jakob's suggestion might help, to call it = `is_from_literal()`. Because you're right, the SQL/HTML/Command is often created by one or = more literals that get stored in a variable, and this proposal works = with that approach. > [...] introduce functionality that addresses the exact problem of SQL = injection I'm fairly confident this proposal does that, and more. By allowing frameworks/developers to check the SQL/HTML/Command is made = up of hard coded literals (from within the PHP script), it proves it's = not vulnerable to any kind of injection, as the other = variables/parameters must be provided separately. The examples in the RFC cover the issues that usually get raised when = discussing this. But I do need to address the performance question (ideally with some = help from someone who understands the PHP Internals, as I'm not = experienced enough in that area). > [...] hash out potential solutions on the list rather than propose a = specific one in advance. I must confess, I have been discussing this for a number of years, and = I've looked at a few different approaches, Taint checking got the = closest, and this proposal takes that idea a bit further to resolve the = last few issues (covered in the RFC, so I won't repeat them here). I've also been keeping this proposal in mind over the last couple of = years, just to see how it would effect my development practices (and I = really think it has helped). As to your idea of a "safe" MySQL class, fortunately mysqli already = stops multiple queries, so a SELECT cannot have an = UPDATE/DELETE/TRUNCATE appended on to the end, but it can still do = things like UNION another SELECT query, so the original query returns = nothing, then the attackers query gets appended, potentially allowing = them to extract everything from the database. Craig On 22 Mar 2020, at 19:10, Mike Schinkel wrote: > BTW, I did not comment on your is_literal() proposal because I try not = to comment on things where others are addressing concerns and where I do = not feel very strongly about adding or avoiding the feature. I created = this thread as a new thread to expliclty separate discussions because = they are orthogonal and I did not want to imply that I supported = is_literal() as currently proposed. >=20 > But since you brought it up let me comment on is_literal(). I = recognize the problem I think you are trying to solve =E2=80=94 to be = able to guard against SQL injection attacks =E2=80=94 but I don't think = is_literal() is a viable solution for that problem. >=20 > 1. Looking at my code most of my dynamic values use to compose SQL = that I pass to $wpdb->get_results() is in variables, not literals. In = fact I rarely use literals. So I don't see that it would help me (or = many others?) much at all. >=20 > 2. Focusing on it being literal or not seems to me to be focusing on = wrong thing. Something could be non-literal but still be safe. And a = code hack could introduce a tainted literal (but with a code hack all = bets are off.) is_taint() makes more sense to me, but even then I am not = sure it directly addresses the use-case. >=20 > 3. I feel like we might be better to introduce functionality that = addresses the exact problem of SQL injection and not one that dances = around its edges. Maybe we need a MySQL class as an alternative to the = mysqli functions that has a "safe" property and when that "safe" = property is true you can't run DDL, TRUNCATE, or DELETE? Not sure how = to protect against injection for UPDATE but maybe someone else has an = idea? >=20 > 4. Lastly, I think it would be better to specify the problem(s) you = are trying to solve and then hash out potential solutions on the list = rather than propose a specific one in advance, maybe even creating an = ad-hoc working group to come up with a solution that is likely to be = accepted? >=20 > Anyway, #jmtcw on is_literal(). >=20 > -Mike --Apple-Mail=_40F044F6-CF78-447F-AA62-FECD9907DE00--