Newsgroups: php.internals
From: scott@paragonie.com (Scott Arciszewski)
To: Bruce Weirdan
Cc: Craig Francis, Larry Garfield, php internals
Date: Wed, 23 Jun 2021 20:41:46 -0400
Subject: Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

On Wed, Jun 23, 2021 at 8:09 PM Bruce Weirdan wrote:
>
> > - String + int concatenation isn't an injection risk.
>
> I think this demonstrates it very well could be:
> https://externals.io/message/114988#115038
>
> --
> Best regards,
> Bruce Weirdan mailto:weirdan@gmail.com

Respectfully, the example you linked is **not** an example of an Injection vulnerability. The failure condition of this query is "return all rows from the table already being queried", not "return arbitrary data the attacker selects from any table that the application can read".
Being able to arbitrarily select a column is a bad design (and you should feel bad, as per the meme, if you let this happen in production), but it differs from Injection vulnerabilities in one fundamental way: The attacker cannot change the structure of the SQL query being executed.

Here's an example of an injection vulnerability:

`$pdo->prepare("SELECT b, c, d, e FROM table WHERE a = '$foo'");`

If you set $foo to `' UNION SELECT NULL, NULL, NULL, pwhash FROM accounts WHERE username = 'Admin`, you'll leak contents from *another table* in the SQL result. This is the danger posed by string-to-string concatenation, and what we mean by SQL Injection.

This doesn't have to stop all dumb things that PHP developers can do. It's enough to only stop the catastrophically dumb things (especially if we don't call the function `is_trusted()`).

You can still invent scenarios where int-to-string concatenation results in buggy behavior, but it isn't the game-over security vulnerability that string-to-string concatenation is. And that's the entire point.
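As an added example (not from the thread), the three cases the message contrasts are modelled in Python with an in-memory sqlite database instead of PHP PDO: string-to-string concatenation, int-to-string concatenation, and the hardened form with a bound parameter. The table names, rows and the `FAKE-HASH-PLACEHOLDER` value are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema mirroring the message's example:
    a table with columns a..e, plus an `accounts` table the query
    was never meant to touch."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE t (a TEXT, b TEXT, c TEXT, d TEXT, e TEXT);
        INSERT INTO t VALUES ('x', 'b1', 'c1', 'd1', 'e1');
        INSERT INTO t VALUES ('y', 'b2', 'c2', 'd2', 'e2');
        CREATE TABLE accounts (username TEXT, pwhash TEXT);
        INSERT INTO accounts VALUES ('Admin', 'FAKE-HASH-PLACEHOLDER');
    """)
    return db


def query_string_concat(db: sqlite3.Connection, foo: str) -> list:
    """String-to-string concatenation: the value is spliced into the SQL
    text, so quotes and keywords in it become part of the query structure."""
    sql = f"SELECT b, c, d, e FROM t WHERE a = '{foo}'"
    return db.execute(sql).fetchall()


def query_int_concat(db: sqlite3.Connection, n: int) -> list:
    """Int-to-string concatenation (the PHP `(int)` cast case): the value
    is forced to digits, so it can change which rows come back but never
    the shape of the statement or which tables it reads."""
    sql = f"SELECT b, c, d, e FROM t LIMIT {int(n)}"
    return db.execute(sql).fetchall()


def query_param(db: sqlite3.Connection, foo: str) -> list:
    """Hardened form: a bound parameter is sent as data, so the query
    structure is fixed no matter what the string contains."""
    return db.execute("SELECT b, c, d, e FROM t WHERE a = ?", (foo,)).fetchall()


# The payload quoted in the message, used here only to show that the
# parameterised version treats it as an ordinary (non-matching) value.
PAYLOAD = "' UNION SELECT NULL, NULL, NULL, pwhash FROM accounts WHERE username = 'Admin"
```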