Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:115096 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 34156 invoked from network); 24 Jun 2021 06:55:57 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 24 Jun 2021 06:55:57 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id CE2BA180508 for ; Thu, 24 Jun 2021 00:14:37 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-lj1-f182.google.com (mail-lj1-f182.google.com [209.85.208.182]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 24 Jun 2021 00:14:37 -0700 (PDT) Received: by mail-lj1-f182.google.com with SMTP id r16so6369902ljk.9 for ; Thu, 24 Jun 2021 00:14:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paragonie-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=hX95PKqkFiyas0VaeUIJDTvAkSWd+5JR7i9GfQ2OXIs=; b=dpZkjfkYmN3ztMVJkZ6HBB03He3lDjuwaZQ+CwfmnyJTHw1NAKigjfIh3dUA1bf2fp Vf2z27emzHeWlXVQcVekr/9uM1IqF9uxLFLrpaALfuAKVqoA0MKqizZx7AaYg62ckKDJ l1cHwIfjlE6E5UjOYnXVoajg1dQJ0GBqWpxnSPvSBD/BCgmKpCqRHhxscsFhIRsb0HKV Qj3J5Rj9gpokZkHHc9fX2ILrm/q4AQPtqsqpJGX8CNJyGxrPvymBcSy3E0nVVg1Pt360 +LVdqSzy3P9Wu/JddQuCmL/Kml8AbZSAtR7QMXo1FQiqNEVThDJ1t3ttrgbRcRtJgczL 5SCw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=hX95PKqkFiyas0VaeUIJDTvAkSWd+5JR7i9GfQ2OXIs=; b=lWCH5SIebOwYKdp4blV6OBo7qPGg5M7qEQ3V3o3cJAtQtHUvqXZHWt0UOsoqBsY7KX nwB5mY8gFD+fjPDtvVYESRQIR/Qt0TPhXdLbFdi1OU4fQoY5i8y+no6cJrHNqGB1ZY7X ZxoFzJ/31mMoMog0K7KtZ5DdxnC2D6kGJ/ygRdFZhWIvkzymtGPNOLfayh8Cu9l1lycl v+XCt3moZ1UYtXFbngJSGphjkwzVR2Js3dXdlTmXVcVhGdv+N408pV1kVAxn/me1pl3e XNvtIi3/1bqyivi2tGdXViMyoGP18I0qA+QhNlRiwL2btWWtWPwTQXHIOA97/BzREnqx BJ1w== X-Gm-Message-State: AOAM530rqO9ou46E7FgkYrQfX5uPRzLpksvVhy+/6FVzMmZOftCzLWJr dLrWd68upwtIPMnW9hrnhY27Bsk2AlKr1ZvXrUWfmA== X-Google-Smtp-Source: ABdhPJw8Gtzs6hEq4qlwV1yO7Y5Q2vqipRaPwRmSR/rueHXFLtudcA3aRCeoBaE8B99DzIVMysBogvBK1B6jC/2UzVg= X-Received: by 2002:a2e:924c:: with SMTP id v12mr356416ljg.7.1624518873304; Thu, 24 Jun 2021 00:14:33 -0700 (PDT) MIME-Version: 1.0 References: <03f7955c-69a8-4841-9245-449d7851e207@www.fastmail.com> <95D16F2E-E9DD-4964-A0E2-62E1FB0D976B@koalephant.com> In-Reply-To: <95D16F2E-E9DD-4964-A0E2-62E1FB0D976B@koalephant.com> Date: Thu, 24 Jun 2021 03:14:23 -0400 Message-ID: To: Stephen Reay Cc: Bruce Weirdan , Craig Francis , Larry Garfield , php internals Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted From: scott@paragonie.com (Scott Arciszewski) On Thu, Jun 24, 2021 at 2:10 AM Stephen Reay wro= te: > Hi Scott, > > I wrote that example where an integer could be dangerous. I don't disagree that it's an example where an integer could be dangerous. Danger is too broad to have a meaningful discussion about. You can, of course, always do dangerous things if you're determined or creative enough. > So firstly - just to clarify, because some replies seemed to be confused = on the topic, as was literally mentioned in the original comment, it is def= initely not correct behaviour - it=E2=80=99s a developer mistake that might= work some of the time, and thus go unnoticed in testing. If you can show m= e a developer who=E2=80=99s never inadvertently passed the wrong parameter = in some condition, I=E2=80=99ll show you an imaginary developer. Agreed. > Additionally - pointing out that this is a "developer error=E2=80=9D does= n=E2=80=99t help your case. Using non-parameterised queries should already = be a =E2=80=9Cdeveloper error=E2=80=9D for anyone who can walk and breathe = at the same time - and yet that usage is being actively encouraged if this = function supports integers. I=E2=80=99ve still seen zero responses about le= gitimate reasons this needs to support integers - giving people a shitty wa= y to build an IN() clause is not legitimate. Parameterisation exists, and w= orks. I don't have a strong opinion on this. > I don=E2=80=99t even understand why you mentioned prepared statements (I = guess you meant using parameterised queries?) - the column name inherently = can=E2=80=99t be parameterised - hence having to use a string substitution = in the query. They're effectively synonyms. > That part was weird and confusing, but not as odd as your claim that alte= ring the query, so that it causes the where clause to become moot, is not a= n SQL Injection? REALLY? That=E2=80=99s your claim? Yes, let me try to explain this more clearly. If you can inject code, it's a code injection vulnerability. SQL injection is a specific type of code injection vulnerability. If you can trick the SQL into doing something invalid *without* injecting code, and you call it "SQL injection", that's a category error. Supplying an integer in the place of a column name is a bug. The bug can even be dangerous. The bug can EVEN be a security problem for the system. But calling it SQL injection is categorically incorrect. Changing the behavior of a SQL command **without injecting additional code** is not SQL injection. If we're trying to stop all forms of misuse and insecurity that can result from string concatenation, cool. But be very clear about that. > I did a little research, and it turns out Wikipedia (https://en.wikipedia= .org/wiki/SQL_injection#Technical_implementations), Cloudflare (https://www= .cloudflare.com/en-au/learning/security/threats/sql-injection/), and OWASP = (https://owasp.org/www-community/attacks/SQL_Injection#example-2) all have = examples with a `1=3D1` type query manipulation. Do you want to write and t= ell them that they=E2=80=99re all wrong, or should I ask them to call you? If you **inject a `1=3D1` clause where one didn't exist before**, that's injection. Notice the introduction of an OR operator in the examples you cited. My classification of the original example as "Not Injection" has nothing to do with the fact that numbers are being compared with numbers. Rather, there was no code injection. > Also, while researching the specifics of what is considered an =E2=80=9CS= QL Injection=E2=80=9D I came across an article, that talks specifically abo= ut the dangers of allowing user input (i.e. the thing `is_trusted` is meant= to prevent) as a column or table identifier. It=E2=80=99s from this little= organisation, you may have heard of them: =E2=80=9CParagon Initiative=E2= =80=9D (https://paragonie.com/blog/2015/05/preventing-sql-injection-in-php-= applications-easy-and-definitive-guide). Snark is unnecessary. > I would absolutely make use of a function that tells me if the string giv= en is in fact from something controlled by the developer. But once that sam= e string can also include input from the request or the environment or what= ever by nature of integers, the function becomes useless for the stated pur= pose. Why not two functions then? - is_noble_string() -- more restrictive - is_noble() -- YOLO > Cheers > > Stephen >