From: Stephen Reay <php-lists@koalephant.com>
To: Craig Francis
Cc: Benjamin Morel, Derick Rethans, PHP Internals, Yasuo Ohgaki
Date: Wed, 23 Jun 2021 01:38:57 +0700
Subject: Re: [PHP-DEV] [RFC] is_trusted - was is_literal
Message-ID: <358756DC-87F9-4FD9-AE62-CB27BA296F33@koalephant.com>

> On 22 Jun 2021, at 21:38, Craig Francis wrote:
>
> If you can point me to an example where including integers in this has
> introduced a security vulnerability then please do, and I mean it, that's
> what this process is for, I genuinely want people to come forward with them
> so we can refine this.

It took me about a minute to think of this:

"select * from customer_purchases where {$column} = :value"

The developer inadvertently passes the same "trusted value" in as the `$column` substitute and the value parameter. It must be safe because we ran it through `is_trusted`!

The query now executes as:

"select * from customer_purchases where 12345 = 12345"

You cannot magically make all dynamically generated queries safe - they tried that about a quarter of a century ago. Hint: it did not end well - and explicitly allowing some user input is just mind boggling given the stated goals.
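The failure mode described in the message above, as an added example that is not part of the thread or the RFC: the interpolating query builder beside an allowlisted version. Column names cannot be bound as parameters, so a "trusted" value proves nothing about the identifier position; the allowlist and the column names in it are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Constructed example, not code from the RFC or from the thread.

/** Unsafe: interpolates $column directly, as in the quoted query. */
function build_query_unsafe(string $column): string
{
    return "select * from customer_purchases where {$column} = :value";
}

/**
 * Safe: an identifier cannot be passed as a bound parameter, so the only
 * defence in the column position is an allowlist of names fixed at
 * development time. The row value is still bound separately as :value.
 */
const ALLOWED_COLUMNS = ['customer_id', 'product_id', 'purchased_at'];

function build_query_allowlisted(string $column): string
{
    if (!in_array($column, ALLOWED_COLUMNS, true)) {
        throw new InvalidArgumentException("column not allowed: {$column}");
    }
    return "select * from customer_purchases where {$column} = :value";
}

// The mistake from the message: the same value lands in both places.
$value = '12345';
$sql = build_query_unsafe($value);
echo $sql, "\n";
// Once :value is bound to 12345 the condition reads "12345 = 12345",
// a tautology that matches every row in the table.

// The allowlisted builder rejects the value in the identifier position
// regardless of how "trusted" it is.
try {
    build_query_allowlisted($value);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo build_query_allowlisted('customer_id'), "\n";
```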