Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115029
Return-Path: <mike@newclarity.net>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 82420 invoked from network); 22 Jun 2021 15:17:38 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 22 Jun 2021 15:17:38 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 5D9C61804C3
	for <internals@lists.php.net>; Tue, 22 Jun 2021 08:35:54 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,
	RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE autolearn=no
	autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <mike@newclarity.net>
Received: from mail-qt1-f182.google.com (mail-qt1-f182.google.com [209.85.160.182])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue, 22 Jun 2021 08:35:53 -0700 (PDT)
Received: by mail-qt1-f182.google.com with SMTP id w26so11033705qto.13
        for <internals@lists.php.net>; Tue, 22 Jun 2021 08:35:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=newclarity-net.20150623.gappssmtp.com; s=20150623;
        h=from:message-id:mime-version:subject:date:in-reply-to:cc:to
         :references;
        bh=V1LuFWOvYCCkcKiYMxibewO4NM8VENHvf5OMNqNNUHo=;
        b=afSNNlv+G9EVDJvueXYv6QILxXA7cXsBEaHxZC6QTYfu/4zEUP/cjUUWLAOL70FQBR
         9iDz/WGp2iA/hRruvZdfUo8d5uPk8TYFph45FCRj2WG+MpPUY62fLX0UkcnVnm9NIhx9
         AXnc4mgAivCdLc1KKOKTnZkkwOWvb7NxBNztr0SHdUbZZl56Q9yF0Nj5Z04iPmrgbejE
         oRYwS0htXw9nF5VGiu94PfdA3hOrsfXqC8x3THVKCWfecRjAFzbSzFN2liCqze2PvCxZ
         tMFQ/VUZk8z/j3weUvDigxR/fqcd7GZ0h9fPrYZnsuTzIZWbIk3jy2bI4/QlzXcs/pnt
         1+xw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:message-id:mime-version:subject:date
         :in-reply-to:cc:to:references;
        bh=V1LuFWOvYCCkcKiYMxibewO4NM8VENHvf5OMNqNNUHo=;
        b=lElpzPJAH/jkqVRk0nIgxVJRFAsd7clZgMXwMwainn8bdZ2Yuvw0ecnDV65hz0YBQa
         PT7hvkgew1FoGCrUbMs8vY2z0mzQAEH2pWBe8xAlhjuDakIvmK3VDXjxmdX1q48P0xfc
         bHsEBhheGf76Nj0HBG0J9z6cl97D5/tD/kN/GUbcSFx5/LCPBoRux6ZIC5Amn/VB5cWV
         otriTw+RiHZW/mc6UkEKdDnNjDs6Uht445YD/rml1tQ185xLnm8P+C3AvYnFUJtp+/Jf
         pq+oyHVdBeYiwNIY1792uJXeOsCsfoT2njOel4I0oBE4FeFZdAZ0f9I4iSYCEEX0Jfpc
         tXzg==
X-Gm-Message-State: AOAM5303sAHxvc54Ymo7Nwo1uYicPP1BQ+oOch//s/4a2yBf1T3dOufi
	PL9Uucp+uf9LvbzAbYFOdUifeLKCb5FfZy7H
X-Google-Smtp-Source: ABdhPJwCynXLFcHEbJpzwnSQsWVIn1CIzdPRWNm9Wfwbi5Wo2GYdM5jQz455HGPEQHN4OQT3ZEvM6w==
X-Received: by 2002:ac8:5383:: with SMTP id x3mr3969094qtp.278.1624376149842;
        Tue, 22 Jun 2021 08:35:49 -0700 (PDT)
Received: from [192.168.1.10] (c-24-98-254-8.hsd1.ga.comcast.net. [24.98.254.8])
        by smtp.gmail.com with ESMTPSA id 11sm6200620qkv.53.2021.06.22.08.35.48
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 22 Jun 2021 08:35:49 -0700 (PDT)
Message-ID: <F8DAF477-25CE-4AD9-B9CB-F292C23DA276@newclarity.net>
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_22E5CE17-167B-4A8B-B842-7CA57651C8F5"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
Date: Tue, 22 Jun 2021 11:35:48 -0400
In-Reply-To: <83D62559-0B87-4723-93B8-801905508E1F@koalephant.com>
Cc: PHP internals <internals@lists.php.net>
To: Stephen Reay <php-lists@koalephant.com>
References: <4FFA0160-1A05-4DA0-9C9A-79F778443A35@newclarity.net>
 <CAGBsUre=Asp+arHBWK0VdT-YdM=_3rR+WOhQQeghFVwsR+nGUg@mail.gmail.com>
 <F861461F-D070-4808-8B2E-A9BBF753CE6C@newclarity.net>
 <83D62559-0B87-4723-93B8-801905508E1F@koalephant.com>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Subject: Re: [PHP-DEV] Sql Object Model Parser & Sanitizer (was [RFC]
 is_literal)
From: mike@newclarity.net (Mike Schinkel)

--Apple-Mail=_22E5CE17-167B-4A8B-B842-7CA57651C8F5
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

> On Jun 22, 2021, at 10:35 AM, Stephen Reay <php-lists@koalephant.com> =
wrote:
>=20
>> On 22 Jun 2021, at 20:39, Mike Schinkel <mike@newclarity.net> wrote:
>>=20
>>> On Jun 22, 2021, at 9:00 AM, Kamil Tekiela <tekiela246@gmail.com> =
wrote:
>>>=20
>>> Hi Mike,
>>>=20
>>> Please don't do this. We already have PDO with prepared statements. =
The data must be bound. This is the secure way of writing SQL queries.=20=

>>=20
>> The problem is that over 40% of the web currently runs on PHP code =
that using mysqli.  That CMS does not support PDO nor prepared =
statements, and is unlikely to switch to it anytime some in the =
foreseeable future. =20
>>=20
>> A SQL object model parser and sanitizer could more easily be used =
incrementally by that CMS since PDO does not share connections with =
mysqli (AFAIK, anyway.)
>>=20
>=20
> (Resending from on-list address)
>=20
> Apparently you didn't know mysqli supports parameterised queries?
> Wordpress could have adopted parameterised queries when they =
grudgingly switched to mysqli, years after both it and PDO were =
introduced.

Well, yes and no. =20

I admit I had forgotten it because frankly the WordPress wp-db object =
wrapper used by 99.7%[1] of WordPress developers does not support it and =
given I had long ago realized I could not use them in WP I guess my =
memory blocked out the existence of prepared statements in mysqli.

But it is not relevant in WordPress. Here is where (almost?) all SQL =
queries go to run in WordPress:

=
https://github.com/WordPress/WordPress/blob/master/wp-includes/wp-db.php#L=
2050=20

Note there are no bind_param() or execute() calls anywhere in that file. =
 Their is a prepare(), but WordPress rolled their own:

=
https://github.com/WordPress/WordPress/blob/master/wp-includes/wp-db.php#L=
1302=20

So saying that parameterized query is a solution leaves out 40% of the =
web.  Because some other guys are the intransigent ones here.=20

But also because of much legacy code exists in the form of plugins and =
themes that do not support parameterized queries.

HOWEVER, whether mysqli supports parameterised queries or not is all a =
moot point because parameterised queries do not allow for parameterizing =
field names or table names.  And the point of this thread was to discuss =
how to mark SQL that has been composed at run-time to be "safe."  =
Without being able to parameterize field names and table names =
parameterised queries are not a sufficiently complete solution. =20

At least not from an is_literal()/is_trusted() perspective.

> There=E2=80=99s zero reason to believe they would adopt this unless =
forced to.

Exactly! WordPress is not going to change, so that leaves it up to PHP =
developers using WordPress to protect themselves.=20

Since I am *assuming* that everyone on this list wants to minimize the =
number of security issues in PHP applications across the web by whatever =
reasonable means necessary, I also assume that pointing at WordPress and =
saying "It's their fault not ours" does not help achieve those security =
goals?  So I am also assuming that finding a pragmatic solution that =
would allow PHP to be able to empower the developer in a way that =
WordPress won't might be worth considering.
=20
But tell me if I am assuming wrongly here.

-Mike

[1] Yes, I made that up out of whole cloth. But honestly in 10+ years =
working with WP I have almost never seen anyone use anything but the =
$wpdb provided by WP =E2=80=94 except for one single plugin =E2=80=94 =
and $wpdb does not support parameterized queries.=

--Apple-Mail=_22E5CE17-167B-4A8B-B842-7CA57651C8F5--