Newsgroups: php.internals
Date: Mon, 24 May 2021 15:52:01 +0200
From: guilliam.xavier@gmail.com (Guilliam Xavier)
To: Craig Francis
Cc: PHP internals
Subject: Re: [PHP-DEV] Re: Injection vulnerabilities

On Fri, May 21, 2021 at 11:21 PM Craig Francis wrote:

> [...]
>
> We need something that libraries will (in the future) be able to use to
> protect themselves against these mistakes... by all programmers, especially
> those who aren't using static analysis.

Hi,

Not sure what kind of answer you expect... Are you suggesting to provide one or both of:

1. a way to forbid "dynamic" strings (or at least detect them)?
2. "safe" HTML, SQL and OS-command builder/generator/executor APIs (that would internally restrict/validate their "static" parts and quote/escape the dynamic parameters)?

Regards,

-- 
Guilliam Xavier
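A sketch of the kind of "safe" SQL builder API that option 2 above describes, added here as an example (it is not code from the thread, from PHP itself, or from any library the thread mentions): static fragments are checked against an allow-list, identifiers are validated and quoted, and dynamic values never enter the SQL text, only the bound-parameter list. The `SafeQuery` class, its method names and its allow-list pattern are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread: static SQL is restricted and validated,
// dynamic values are kept out of the SQL text and passed as bound parameters.
final class SafeQuery
{
    private string $sql = '';
    private array $params = [];

    // Static fragment: only characters a developer types in a literal SQL
    // skeleton. Quotes, semicolons and comment markers are rejected.
    public function raw(string $fragment): self
    {
        if (!preg_match('/^[A-Za-z0-9_ ,.*=<>()!]+$/', $fragment)) {
            throw new InvalidArgumentException("Unsafe static fragment: $fragment");
        }
        $this->sql .= $fragment;
        return $this;
    }

    // Table or column name: validated as a plain identifier, then quoted.
    public function ident(string $name): self
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("Invalid identifier: $name");
        }
        $this->sql .= '`' . $name . '`';
        return $this;
    }

    // Dynamic value: becomes a placeholder plus a bound parameter.
    public function value(mixed $v): self
    {
        $this->sql .= '?';
        $this->params[] = $v;
        return $this;
    }

    // Returns [sql, params] for PDO::prepare($sql)->execute($params).
    public function build(): array
    {
        return [$this->sql, $this->params];
    }
}

// Usage: request input only ever passes through value(), so whatever it
// contains stays a bound string and cannot alter the query structure.
[$sql, $params] = (new SafeQuery())
    ->raw('SELECT * FROM ')->ident('users')
    ->raw(' WHERE ')->ident('email')->raw(' = ')->value($_GET['email'] ?? '')
    ->build();
// $sql is "SELECT * FROM `users` WHERE `email` = ?"
```

A builder like this addresses option 2 only; option 1 (detecting that a string was built at runtime rather than written as a literal) needs support from the engine, which is what the thread is discussing.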