Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115123
Return-Path: <scott@paragonie.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 5350 invoked from network); 24 Jun 2021 15:59:56 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 24 Jun 2021 15:59:56 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 4C9A01804D9
	for <internals@lists.php.net>; Thu, 24 Jun 2021 09:18:43 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <scott@paragonie.com>
Received: from mail-lj1-f172.google.com (mail-lj1-f172.google.com [209.85.208.172])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Thu, 24 Jun 2021 09:18:42 -0700 (PDT)
Received: by mail-lj1-f172.google.com with SMTP id q4so129982ljp.13
        for <internals@lists.php.net>; Thu, 24 Jun 2021 09:18:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paragonie-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=mIXASwAJr3Y/pc9En96Em1sIwxfhfZgaPXj/oaGhzfM=;
        b=za9ll9Q/JInkzOtnzqGwGtCHe4GfLDJ2pd5wjRFL4s20AYvF+NFcFaoxrL4YUoULsr
         ON01tvb9CUwwwe16Amq6w4+smA6AvhTo6Yln40VPpprvTs2lDzsxHkvU/4iUH970c7cR
         A8vwdcNCRylkQoFK4ypb/5asVmoFpJYmGFvSjEUKcf7GfZRAyP5grsFOm5LP3QiWJm2s
         iZgRjtXEfnuheNhsITfCr2cb024AVJ0UmceEesPQuFQ8afXm64zDObjcOk1zUQ7gbO3I
         GJwX3kL9hh5SRwSLkTsBDb8M7I/i3+fkNAR10EcWs1asYNN5DhF4GYOBC4lT4dEiSzbm
         zVcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=mIXASwAJr3Y/pc9En96Em1sIwxfhfZgaPXj/oaGhzfM=;
        b=ZeTBozv6vnC5QNNTdULca120vz+Bln/fqQKiBEkV4qxtHbcErQ2Akfazm6lB8XzdmY
         X0q4sjIkhGAgslIZRTtgvCL82TcbUT1BJONGXO+c4++CpvZ5iJ0NYHO7X1NBsQU6ptBq
         cHstmvaE19zrS+XDOFWiVlw0kARbZ4+rI25KsoM9R/jLHeqA717NFUAFjfqrECC2wmRg
         d1c+x+dZHJSKVKSgbfs0Fm5yXuRAt6tmrZatW+LykcPL96zMKYg9nT59rLjD25uII3uu
         YOJXQy5Buz7d6K8T3bRUdglDE/toGrOorldtG3ldxLQLVFKcHUFBXrQoQlmc8Yz4L5gY
         8uYQ==
X-Gm-Message-State: AOAM532hoT2IYfUjCaMP5spcTNyKp2nB808HVQQB+kgQ/e4cZDQjYfmh
	RWZgW87w4iQAz5Jjb1yiE4Hy2kYak6awOKM/6Wq9dA==
X-Google-Smtp-Source: ABdhPJz9i2bP7tUuB64T3RG/v49Si3MIUpboGZZN2JGJlrV/JvKC96y3b7+/w9bC9+b64bfL4b/m86g7hdc1MptnUPA=
X-Received: by 2002:a2e:5855:: with SMTP id x21mr1415078ljd.117.1624551516131;
 Thu, 24 Jun 2021 09:18:36 -0700 (PDT)
MIME-Version: 1.0
References: <CAFv4g+Gv1qQ2Gtx2Qwo0Dx2Cb_gOXJ=rm7rVy+Jo89PmD-3jnA@mail.gmail.com>
 <CAEMvS4GRaqMBPn7ocBX-XU3jzrtpe+9uGfYpG10qc_iKZY80UA@mail.gmail.com>
 <03f7955c-69a8-4841-9245-449d7851e207@www.fastmail.com> <CAFv4g+EaT309KDWz63j3S7n8E58czEWTKUEw9hAvgt7s6R9eKQ@mail.gmail.com>
 <CAKws9z02yCZTb2_mw-5xUO5-QLc4jbOUcBRfJ8nFSNPP1rgO3g@mail.gmail.com>
 <CA+hqhpfUiOMLDZyXTqP+mm9jjG6v+K94Ug7K_zvuuZus_XhOaQ@mail.gmail.com>
 <CAKws9z34nTT0_CXoo4Yq7zO2CZX622has23xmfHbWjfaDrgLqA@mail.gmail.com>
 <CA+hqhpdR=W8nbWy8UBgLtKdvb_KCss5mpzturS67HhqRj4q6BQ@mail.gmail.com>
 <CAKws9z1=6fmCxJWYVfN+xKT+u=_ZTq0m7C0nZPT6LB5scbfpXQ@mail.gmail.com>
 <95D16F2E-E9DD-4964-A0E2-62E1FB0D976B@koalephant.com> <CAKws9z0CbyjeKas=DNKi0ScdUxt8CnvNOLymXpWvQTaJtB0xkw@mail.gmail.com>
 <0427D84F-762D-48D3-B4D1-FD4E405274C4@koalephant.com>
In-Reply-To: <0427D84F-762D-48D3-B4D1-FD4E405274C4@koalephant.com>
Date: Thu, 24 Jun 2021 12:18:25 -0400
Message-ID: <CAKws9z0P1K8FQ3PqoZqh6zm995S60siTi25qWUMo7=ZJ=DAv0w@mail.gmail.com>
To: Stephen Reay <php-lists@koalephant.com>
Cc: Bruce Weirdan <weirdan@gmail.com>, Craig Francis <craig@craigfrancis.co.uk>, 
	Larry Garfield <larry@garfieldtech.com>, php internals <internals@lists.php.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted
From: scott@paragonie.com (Scott Arciszewski)

On Thu, Jun 24, 2021 at 5:22 AM Stephen Reay <php-lists@koalephant.com> wro=
te:
> > If you **inject a `1=3D1` clause where one didn't exist before**, that'=
s
> > injection. Notice the introduction of an OR operator in the examples
> > you cited.
>
> Please, explain to us all, how `where foo=3D=E2=80=98bar=E2=80=99 OR 1=3D=
1` is functionally different than `where 123=3D123` because the developer s=
crewed the pooch in some specific condition and passed the ID twice, rather=
 than the column name and the id, respectively.

SQL injection occurs when you send specially crafted user input and it
injects SQL code.

**If you aren't injecting SQL, it's not SQL injection.** I don't
understand why this isn't clicking for you.

The scenario you've concocted is a Confused Deputy. Logic bugs can be
severe. Logic bugs can be sev:crit security issues! But if you aren't
injecting SQL, calling it SQL Injection is wrong.

Arguing from consequences ("SQL Injection can drop a table! This logic
bug can drop a table! Therefore they're the same thing") rather than
the specific properties of the system design failure in question ("one
injects code, the other doesn't") isn't a useful way to classify
vulnerabilities.

To reiterate:

1. I never claimed that it wasn't a bug.
2. I never claimed it wasn't impactful.
3. I never claimed it wasn't security-affecting.

I've simply said that this isn't an example of SQL Injection, because
nothing is being *injected*.

> >
> > My classification of the original example as "Not Injection" has
> > nothing to do with the fact that numbers are being compared with
> > numbers. Rather, there was no code injection.
> >
> >> Also, while researching the specifics of what is considered an =E2=80=
=9CSQL Injection=E2=80=9D I came across an article, that talks specifically=
 about the dangers of allowing user input (i.e. the thing `is_trusted` is m=
eant to prevent) as a column or table identifier. It=E2=80=99s from this li=
ttle organisation, you may have heard of them: =E2=80=9CParagon Initiative=
=E2=80=9D (https://paragonie.com/blog/2015/05/preventing-sql-injection-in-p=
hp-applications-easy-and-definitive-guide).
> > Snark is unnecessary.
>
> You call it snark, I call it ironic hypocrisy.

In my original email, I said. "Outside the chr()/pack()/sprintf()/etc.
technique demonstrated above, there's no risk of injection inherent to
concatenating a trusted string with an untrusted integer." You brought
up a high-severity logic bug that could happen if someone concatenates
variables with wild abandon, but it's still not an example of
**injection**.

If you're going to call someone a hypocrite (which is a needless
personal attack), take care that you're actually correct when you do
so.