Newsgroups: php.internals
Xref: news.php.net php.internals:33275
From: wietse@porcupine.org (Wietse Venema)
To: Stefan Esser
CC: PHP internals
Date: Sun, 18 Nov 2007 20:49:41 -0500 (EST)
Subject: Re: [PHP-DEV] Tainted Mode Decision
In-Reply-To: <47401946.2050406@sektioneins.de> "from Stefan Esser at Nov 18, 2007 11:51:50 am"
References: <47401946.2050406@sektioneins.de>
Message-ID: <20071119014941.6D8AE1F3E97@spike.porcupine.org>

Stefan Esser:
> 2) Using mysql_real_escape_string() on user input does not make it safe
> for SQL. It only makes SQL strings safe.
> Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string($id)
> is NOT secure but will result in no taint warning

Can you give a specific example? I'd like to know how likely such
things would be in real code.

> 3) Using htmlentities() on user input does not make it safe for HTML
> output. It only makes it safe in some situations.
> Example: echo '....'. Will allow XSS through the style
> attribute without a taint warning
> Example2: echo '....'. Will
> allow XSS through javascript: URL (f.e. in Opera) without a taint warning

Or they could encrypt the entire URL and include a decryptor (javascript
or some other language) in the HTML text.

Detecting threats that involve script/applet/etc execution requires the
ability to realistically simulate every browser. I haven't solved that
one yet. That doesn't mean that I should give up trying to warn people
about known-to-be-bad coding practices. I just can't warn them about
all possible ways to screw up.

	Wietse
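An added example, not part of the thread and not PHP's own code, that reproduces the first pattern Stefan quotes (escaped value spliced into an unquoted numeric context) in Python against an in-memory SQLite table. The escaping function is an assumed emulation of the character set mysql_real_escape_string() rewrites, and the table and inputs are constructed; the point it shows is why a taint model that marks a value clean after escaping misses this context, alongside two forms that close it.

```python
import sqlite3

# Assumption: an emulation of the characters mysql_real_escape_string()
# escapes (NUL, \n, \r, \, ', ", Ctrl-Z); it stands in for the PHP function
# only to show what escaping does and does not touch.
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def mysql_real_escape_string(s: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in s)


def _db() -> sqlite3.Connection:
    # Constructed sample table; the size of a result set tells the story.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO t VALUES (?, ?)",
                    [(1, "a"), (2, "b"), (3, "c")])
    return con


def ids_escaped_unquoted(user_id: str) -> list:
    # The pattern quoted in the mail: escaped, but spliced into a numeric
    # (unquoted) context.  Escaping only rewrites quote and backslash
    # characters, so a value containing neither reaches the SQL parser
    # unchanged; a taint check that clears it after escaping is wrong here.
    sql = ("SELECT id FROM t WHERE id=" + mysql_real_escape_string(user_id)
           + " ORDER BY id")
    return [r[0] for r in _db().execute(sql)]


def ids_validated_int(user_id: str) -> list:
    # Fix 1: make the value fit its context before it touches SQL.
    # int() raises ValueError for anything that is not a plain integer.
    return [r[0] for r in _db().execute(
        "SELECT id FROM t WHERE id=%d ORDER BY id" % int(user_id))]


def ids_parameterised(user_id: str) -> list:
    # Fix 2: bind the value; the driver never lets it become SQL text.
    return [r[0] for r in _db().execute(
        "SELECT id FROM t WHERE id=? ORDER BY id", (user_id,))]
```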