Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: pierre.php@gmail.com (Pierre Joye)
Date: Mon, 19 Jul 2021 11:04:50 +0700
To: Jordan LeDoux
Cc: Benjamin Morel, AllenJB, Craig Francis, Marco Pivetta, PHP internals

Good morning,

On Mon, Jul 19, 2021 at 9:11 AM Jordan LeDoux wrote:
>
> > Are there documented SQL injection opportunities when using emulated
> > prepares? I'm not aware of any.
>
> This was from my reading of the actual source, which of course may be
> flawed. It appeared that if emulated prepares were used the values were
> escaped and then passed as strings as part of the query, the same as if it
> had been concatenated and wrapped in real_escape_string. I hadn't gone too
> far in actually debugging it yet to find out how it behaved under different
> circumstances as I was still trying to figure out how "small" of a change
> this was from the perspective of internals.

I also don't think there is any left over possible SQL injection in any of
the core DB extensions (PDO or 'native').

It will indeed not prevent inserting invalid data, but if there were any
actual SQL injection left, I am very confident we would have known it by
now. :)

--
Pierre

@pierrejoye | http://www.libgd.org
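As an added illustration (not code from this thread nor from PHP's PDO source), the following Python models the two paths Jordan's quoted paragraph describes: an emulated prepare that quotes each value client-side and splices it into the SQL text, beside a native prepare where template and value travel separately. It assumes SQLite quoting rules (doubling the single quote) and a constructed `customer` table; the table, `TEMPLATE` and the function names are all hypothetical.

```python
import sqlite3

# Constructed sample data, not taken from the thread.
ROWS = [("O'Brien", 1), ("Smith", 2)]
TEMPLATE = "SELECT id FROM customer WHERE name = ?"


def quote_literal(value):
    """Client-side quoting in the spirit of PDO::quote, using SQLite's
    rule (double the single quote). A real driver escapes according to
    the connection's charset and dialect; this model does not."""
    return "'" + str(value).replace("'", "''") + "'"


def emulate_prepare(sql, params):
    """Model of an emulated prepare: every '?' outside a string literal is
    replaced by the quoted parameter, so the finished SQL text is all the
    server ever sees (there is no separate parameter channel)."""
    out, in_literal, it = [], False, iter(params)
    for ch in sql:
        if ch == "'":
            in_literal = not in_literal
            out.append(ch)
        elif ch == "?" and not in_literal:
            out.append(quote_literal(next(it)))
        else:
            out.append(ch)
    return "".join(out)


def lookup(name, emulated):
    """Run TEMPLATE against an in-memory table via one of the two paths
    and return the matching ids."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customer(name TEXT, id INTEGER)")
    con.executemany("INSERT INTO customer VALUES (?, ?)", ROWS)
    if emulated:
        # Emulated path: the text is finished client-side and sent as-is.
        cur = con.execute(emulate_prepare(TEMPLATE, [name]))
    else:
        # Native path: template and value travel separately; the engine
        # binds the value after parsing, so it can only ever be data.
        cur = con.execute(TEMPLATE, (name,))
    rows = [r[0] for r in cur.fetchall()]
    con.close()
    return rows


if __name__ == "__main__":
    for value in ["O'Brien", "x' OR '1'='1"]:
        print(repr(value), lookup(value, True), lookup(value, False))
```

Both paths return the same rows for a quote-bearing name and treat a value that merely looks like SQL as plain data, which is the property Pierre's reply relies on; the difference is only where the quoting happens.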