Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:109218 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 95139 invoked from network); 23 Mar 2020 01:41:02 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 23 Mar 2020 01:41:02 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 608511804C6 for ; Sun, 22 Mar 2020 17:05:02 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-qk1-f182.google.com (mail-qk1-f182.google.com [209.85.222.182]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sun, 22 Mar 2020 17:05:01 -0700 (PDT) Received: by mail-qk1-f182.google.com with SMTP id l25so8704726qki.7 for ; Sun, 22 Mar 2020 17:05:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=newclarity-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=NRrvDcZZQO4YAx7OXUpl1fC4tgXxsjGqT0ycS9Nx4f4=; b=X+whoLbPflK7K2vzabWzZQvYs0gD8jeRcG9M7R+jO1H4lTZ1I6UjW0gx0gBVgQ7crt yNTdcmjlza2AW+B0+L9dl72/bvDOApDznvL7GksPisTcods4GbvvOaDEnbiIf7ehsKf+ YlM3vLqqpLwQgMB9DxS8uDaxfKMWib7r507OY3FOR1SILmrKAWHq8L7blDvnO7JUM1Dk mXM+YUmiMkLB02flYp37NZhSCZFqkO/0WDY0w8mr7LMGDmGx0obNt54ZGP9NSsEbvf8K GS+xL4X72nlYGnPN2uyz41UxfftIC1Uwq3Y0X9AfYBpnFFZhlAUOyIbEziEmemc8AYJe 8ngg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=NRrvDcZZQO4YAx7OXUpl1fC4tgXxsjGqT0ycS9Nx4f4=; b=NPReSAmKS3hqPbk/3d66woB/2R+Q2UwireAhJrZGLcwG4chiDse/+YVAp8+1j31Pg6 8eVeEgQKJaZXxCPtkHbB2YSM4HGCsjRXdBBQ1N8uwPjxMBOyOhwG/4RdlzZylbMYgwWD 0ieyv4Of2Pk9UaRFdwcX5MZTZKMskKlTRTtfJXN/MCewz7mzcmy26+aNNaqAEy5dK+D0 Dinqw8miB29FKiHM6zcaMWiYCYrnxYEuwa3KdJd6xSSZESSPEU5JxiDrbvL5T46ztR/+ wHFA2llOwDYNk53eFqQppqVD9sxGkweQ7PESMGg5Ruk8kXoAz2yN58zXxFgqYefZD4iN 7+LQ== X-Gm-Message-State: ANhLgQ2QNTxsidPF9La/AWZpghkLkhhz75s2mnbt3PrVG5L7urJ2pef/ 9YEclHyJfOuJsBUwsgje4Qjdxm+PL0gNhg== X-Google-Smtp-Source: ADFU+vu7l6YI0DFB40qB6Repu0KBkrJ+te8NUaMn0sr4L7bidqwxVBGrSfpdImaUO3CXGhnMQUFUiw== X-Received: by 2002:a37:4648:: with SMTP id t69mr17505097qka.299.1584921900286; Sun, 22 Mar 2020 17:05:00 -0700 (PDT) Received: from ?IPv6:2601:c0:c680:5cc0:b161:bce7:21ab:aa25? ([2601:c0:c680:5cc0:b161:bce7:21ab:aa25]) by smtp.gmail.com with ESMTPSA id b145sm10057319qkg.52.2020.03.22.17.04.59 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 22 Mar 2020 17:04:59 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\)) In-Reply-To: Date: Sun, 22 Mar 2020 20:04:58 -0400 Cc: PHP internals Content-Transfer-Encoding: quoted-printable Message-ID: <9AD96E46-8379-45C0-8912-2CA062702999@newclarity.net> References: To: Craig Francis X-Mailer: Apple Mail (2.3445.104.11) Subject: Re: [RFC] is_literal() From: mike@newclarity.net (Mike Schinkel) > On Mar 22, 2020, at 7:14 PM, Craig Francis = wrote: >=20 > On Sun, 22 Mar 2020 at 19:11, Mike Schinkel = wrote: >> [...] hash out potential solutions on the list rather than propose a = specific one in advance. >=20 > As to your idea of a "safe" MySQL class, fortunately mysqli already = stops multiple queries, so a SELECT cannot have an = UPDATE/DELETE/TRUNCATE appended on to the end, but it can still do = things like UNION another SELECT query, so the original query returns = nothing, then the attackers query gets appended, potentially allowing = them to extract everything from the database. To follow up, a "safe" MySQL class *could* disallow UNION then, no? In addition, it could possible have flags for every type of query and = require you set on only the aspects you need. Unions, Updates, Deletes, = Truncates, Joins, Where, etc. much like firewalls start will all ports = closed. Just spitballing, anyway. -Mike=20=