Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:116003
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Wed, 8 Sep 2021 15:33:21 +0700
References: <CAFv4g+HRHrvCOTgpbVfCXj06De1kL+1+RwnGgq6tcyLNAtLfQA@mail.gmail.com>
 <CAFv4g+Fs-iSHoykGhkzzJFZSd=UDB9ZGEq-aeo0VyPjqrppQKw@mail.gmail.com>
 <CAFv4g+EwnJakuMyG5S2pUDLQSno+sRxybhGf=b5x8SappExd=w@mail.gmail.com>
 <BC03D9F6-E782-4AF8-A0FE-92287DC5F430@gmail.com>
To: PHP internals <internals@lists.php.net>
In-Reply-To: <BC03D9F6-E782-4AF8-A0FE-92287DC5F430@gmail.com>
Message-ID: <3BDF823C-3DAC-4E2F-AF3C-B5293858A2E7@koalephant.com>
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: php-lists@koalephant.com (Stephen Reay)



> On 8 Sep 2021, at 13:33, Claude Pache <claude.pache@gmail.com> wrote:
>=20
>=20
>=20
>> Le 7 sept. 2021 =C3=A0 11:49, Craig Francis =
<craig@craigfrancis.co.uk> a =C3=A9crit :
>>=20
>>=20
>> Obviously I'd still like libraries to be able to protect everyone =
from
>> introducing Injection Vulnerabilities (as the majority of programmers =
don't
>> use static analysis), but that's for another day.
>>=20
>=20
>=20
> Hi,=20
>=20
> We all want to protect from injection vulnerability, but I think there =
are better way than is_literal.
>=20
> One way is to use templates, an area where PHP is ironically lagging =
behind. I suggest looking at JS tagged templates:
>=20
> =
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template=
_literals =
<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Templat=
e_literals>
>=20
> For example:
>=20
>=20
> $qb->select('u')
>  ->from('User', 'u')
>  ->where('u.id =3D ' . $_GET['id']); // INSECURE
> could be written as
>=20
>=20
> <?php
> $qb->exec `
> SELECT u
> FROM User u
> WHERE u.id =3D %{ $_GET['id'] }
> `
> ?>
>=20
> where the part between %{ ... } is transformed into an SQL literal =
string (with delimiters "...", not just =E2=80=9Cescaping=E2=80=9D) when =
it is a string; into the SQL expression NULL when it is null; into an =
SQL subexpression if it is an object (provided by the library) that =
represents a well-formed SQL subexpression, etc.
>=20
> =E2=80=94Claude
>=20

Resending from on-list address because I=E2=80=99m an idiot. Apologies =
for the dupe Claude/Craig.


Hi Claude,

I had my share of issues with Craig=E2=80=99s PR, but I think the =
original goal of it was a good and useful concept - provide developers =
(mostly lib authors, but its not like it couldn=E2=80=99t be used by end =
developers too) a way to _know_ that a string came from something hard =
coded in a php file.=20


A =E2=80=98tagged template=E2=80=99 like that doesn=E2=80=99t help solve =
the problem in any way that parameterised queries can=E2=80=99t already =
do, and if you want to make it more =E2=80=99templated=E2=80=99 like =
that, you could implement the same thing already by passing a =
printf-compatible template and the arguments to a function/method.

None of that helps solve what the `is_literal` function (or potential =
type hint) would help with: when the part of the query that needs to be =
substituted, is something that cannot be parameterised at the SQL level =
(i.e. a column name) you _really_ don=E2=80=99t want that to accept user =
input of any kind.



Cheers

Stephen=