Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115092
Return-Path: <scott@paragonie.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 11192 invoked from network); 24 Jun 2021 01:12:35 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 24 Jun 2021 01:12:35 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id C368F1804DA
	for <internals@lists.php.net>; Wed, 23 Jun 2021 18:31:13 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,
	SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <scott@paragonie.com>
Received: from mail-lj1-f176.google.com (mail-lj1-f176.google.com [209.85.208.176])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 23 Jun 2021 18:31:13 -0700 (PDT)
Received: by mail-lj1-f176.google.com with SMTP id r16so5477884ljk.9
        for <internals@lists.php.net>; Wed, 23 Jun 2021 18:31:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paragonie-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=K/6+eb3KiTiqm9BK9haTzdI9MLxoDGWQrONMDFBHhSE=;
        b=bQzAFiat6Vb61Cw3vcFHSnPdVh3+ifxXc3TDGjbSeS7IaoR53WZjh4w7/6Eo6XUq46
         i7fhlz301Fq90Ay4Py1sLtnvHLviOfIt81qyhY6WXWSY4nOpI325HFiHB55PCq1f5ZFA
         fVaexk+MFRTB0f+gYBssaAe8TOvz0r+LwrPiVFQ2bRTkYPdrZ+07/1XdfqXHr4xaWw9l
         m2hqERy5aMVf6N8IB01WhkTfRr/U8Wlu3DEX37JZWirtTR+SkKsdOXWgChNvdu0dNDph
         mmGpWSZ2di/kn+GWF/p2kz+KwpYmxi3BMead2wKPrmFpYLV2+GvLA+9084feldENeBKk
         m93Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=K/6+eb3KiTiqm9BK9haTzdI9MLxoDGWQrONMDFBHhSE=;
        b=STFm7tNI+B2fSwA6WVaYaaJkN7whNze5AB3Be8+q8uRdQULsWW0DQ5MG99kAJ2Sjc8
         F6zgE3uTRcGwqpLnfSlbyjrXXpFILHO0Z+v7WizwuVcdyvQYTZRACjvSPpeAH7MoMhEn
         nEZXRc/jgSwwIl21YFv9vz1zPfQ9ecQB7Nzw3H5yxag8NVRtflFyonF0FcmfvODwAEUo
         lhUsVR8X3Tf/8weT8wOJ7WscCk6PyLZGLr0S5wmcS4Z0vn1VH55TBCXzu4RNUP8MiVhU
         ZI892xjCgxxDuETFdoOsIJ6Yl9az3HH0AE5Ds9NmTT7hGJ6l9zoT0+P8mjaTE6p+5lJX
         IpJA==
X-Gm-Message-State: AOAM532EexKLsQxXgTluiM1Ae9+yDbNTqLw6evysrat1uErsv/yXfIMb
	uOcLGYr3vcWABPMrrL3gjCtG0ofz3Aym1/y9jW0mgA==
X-Google-Smtp-Source: ABdhPJxIYw2zyMUCHlIgSXpv0TSLRIO8gaKSAALF1CTX0wJQ/zrc0FPSLIeqpfAWQQHa7v1AGiY+YqOlO7QPqG8QMhw=
X-Received: by 2002:a2e:a229:: with SMTP id i9mr1846347ljm.203.1624498269559;
 Wed, 23 Jun 2021 18:31:09 -0700 (PDT)
MIME-Version: 1.0
References: <CAFv4g+Gv1qQ2Gtx2Qwo0Dx2Cb_gOXJ=rm7rVy+Jo89PmD-3jnA@mail.gmail.com>
 <CAEMvS4GRaqMBPn7ocBX-XU3jzrtpe+9uGfYpG10qc_iKZY80UA@mail.gmail.com>
 <03f7955c-69a8-4841-9245-449d7851e207@www.fastmail.com> <CAFv4g+EaT309KDWz63j3S7n8E58czEWTKUEw9hAvgt7s6R9eKQ@mail.gmail.com>
 <CAKws9z02yCZTb2_mw-5xUO5-QLc4jbOUcBRfJ8nFSNPP1rgO3g@mail.gmail.com>
 <CA+hqhpfUiOMLDZyXTqP+mm9jjG6v+K94Ug7K_zvuuZus_XhOaQ@mail.gmail.com>
 <CAKws9z34nTT0_CXoo4Yq7zO2CZX622has23xmfHbWjfaDrgLqA@mail.gmail.com> <CA+hqhpdR=W8nbWy8UBgLtKdvb_KCss5mpzturS67HhqRj4q6BQ@mail.gmail.com>
In-Reply-To: <CA+hqhpdR=W8nbWy8UBgLtKdvb_KCss5mpzturS67HhqRj4q6BQ@mail.gmail.com>
Date: Wed, 23 Jun 2021 21:30:58 -0400
Message-ID: <CAKws9z1=6fmCxJWYVfN+xKT+u=_ZTq0m7C0nZPT6LB5scbfpXQ@mail.gmail.com>
To: Bruce Weirdan <weirdan@gmail.com>
Cc: Craig Francis <craig@craigfrancis.co.uk>, Larry Garfield <larry@garfieldtech.com>, 
	php internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="0000000000004bb0ab05c578fab0"
Subject: Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted
From: scott@paragonie.com (Scott Arciszewski)

--0000000000004bb0ab05c578fab0
Content-Type: text/plain; charset="UTF-8"

On Wed, Jun 23, 2021, 9:23 PM Bruce Weirdan <weirdan@gmail.com> wrote:

> On Thu, Jun 24, 2021 at 3:41 AM Scott Arciszewski <scott@paragonie.com>
> wrote:
> > The failure condition of this query is
> > "return all rows from the table already being queried", not "return
> > arbitrary data the attacker selects from any table that the
> > application can read".
>
> Imagine that was a DELETE rather than SELECT and the failure condition
> becomes 'the table is emptied'.
> It may have less disastrous consequences (depending on how good your
> backup / restore procedures are) compared to arbitrary reads you
> demonstrated, but it is still, quite clearly, a glaring security hole
> caused by user input in SQL query - AKA SQL injection in layman's
> terms.
>
> > it differs from Injection vulnerabilities in one
> > fundamental way: The attacker cannot change the structure of the SQL
> > query being executed.
>
> I would say replacing a column name with value is changing the
> structure of SQL query, and, basically, in exactly the way you
> describe SQL injection: confusing the code (column name) with data.
>
> I wholeheartedly welcome this RFC as it was originally proposed:
> is_literal() doing exactly what it says on the tin, without any
> security claims. But it has gone far from there real quick and now
> people can't even name the thing.
>
>
> --
>   Best regards,
>       Bruce Weirdan                                     mailto:
> weirdan@gmail.com



We can agree that it is a bug. We don't agree on the definition of SQL
injection.

Changing a column name to a number (which prepared statements shouldn't
allow in the first place) is a bug. This changes the effect of the command,
but the *structure* of the query remains unchanged.

>
>

--0000000000004bb0ab05c578fab0--