Subject: [RFC] String Types (security)
From: Craig Francis <craig@craigfrancis.co.uk>
To: internals@lists.php.net
Date: Fri, 17 Jul 2015 14:00:18 +0100

Hi,

I'm looking at creating an RFC to address security issues that relate to poor string handling / escaping, such as SQL injection, XSS, etc.

Considering these are still major issues on the OWASP Top 10, we need to do more to mitigate them.

For example, an inexperienced programmer can easily create an XSS vulnerability with:

    echo '
        Searched for: ' . $_GET['q'] . '
    ';

I'm proposing that we extend the error_reporting of E_NOTICE, so that PHP itself can tell the developer when they have made a mistake.

And this will work well with existing SQL prepared statements, ORMs, templating systems, etc.

--------------------------------------------------

So PHP assigns a "type" to every string (this must be done by PHP itself; "value objects" still allow mistakes).

This defaults to the "plain" string type... for example, values that come from GET/POST/COOKIE, the database, file_get_contents(), etc.

When a string is passed through htmlentities(), the returned string has an "html" type.

When a string is passed through pg_escape_literal(), the returned string has an "sql" type.

There are more :-)

---

When an "sql" string is concatenated with an "sql" string, it would result in an "sql" string.

When a hard-coded string in the PHP script itself is concatenated with an "sql" string, the result is an "sql" string.

But if you concatenate an "sql" string with a "plain" string, then PHP will raise a Notice.

---

Then functions such as mysqli_query() can test the provided string type... e.g. a "plain" string can raise a Notice.

This could extend the PHP7 scalar type hints, so methods could check the string types as well.

And likewise, anything that is sent as output (e.g. echo/print) would be tested against a configurable output type, which defaults to "html".

--------------------------------------------------

There are a couple of edge cases (with solutions)... but does this interest anyone?

Craig
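A user-land sketch of the concatenation and sink rules proposed above, added here as an illustration; it is not part of the RFC or of PHP itself, and the RFC's own point is that the engine must do this because a value object like this can be bypassed by casting to string. It assumes PHP 8.1+, uses hypothetical helper names (lit, plain, html, sql, query, output), and replaces pg_escape_literal() with a simplified stand-in.

```php
<?php
declare(strict_types=1);

// Every string carries a type: 'plain' (untrusted default), 'html', 'sql',
// or 'literal' for strings hard-coded in the script itself.
final class TypedString
{
    public function __construct(public readonly string $value, public readonly string $type) {}

    // Proposed rules: literal + X => X; X + X => X; anything else raises a Notice
    // and the result falls back to 'plain', so a later sink will complain too.
    public function concat(TypedString $other): TypedString
    {
        $joined = $this->value . $other->value;
        if ($this->type === 'literal') { return new self($joined, $other->type); }
        if ($other->type === 'literal' || $this->type === $other->type) {
            return new self($joined, $this->type);
        }
        trigger_error("Concatenating '{$this->type}' string with '{$other->type}' string", E_USER_NOTICE);
        return new self($joined, 'plain');
    }
}

// Hypothetical helpers standing in for what the engine would do automatically.
function lit(string $s): TypedString   { return new TypedString($s, 'literal'); }
function plain(string $s): TypedString { return new TypedString($s, 'plain'); }   // GET/POST/DB/files
function html(TypedString $s): TypedString {
    return new TypedString(htmlentities($s->value, ENT_QUOTES, 'UTF-8'), 'html');
}
// Simplified stand-in for pg_escape_literal(): quote and double embedded quotes.
function sql(TypedString $s): TypedString {
    return new TypedString("'" . str_replace("'", "''", $s->value) . "'", 'sql');
}
// Sinks check the type they receive; the output sink defaults to "html".
function query(TypedString $q): void {
    if ($q->type !== 'sql') { trigger_error("Non-sql string passed to query()", E_USER_NOTICE); }
}
function output(TypedString $s, string $expected = 'html'): void {
    if ($s->type !== $expected) { trigger_error("Expected {$expected} output, got {$s->type}", E_USER_NOTICE); }
    echo $s->value, "\n";
}

$q = plain($_GET['q'] ?? '<b>constructed sample input</b>');

output(lit('Searched for: ')->concat(html($q)));              // ok: literal + html => html
output(lit('Searched for: ')->concat($q));                    // Notice: expected html, got plain
query(lit('SELECT * FROM t WHERE name = ')->concat(sql($q))); // ok: literal + sql => sql
query(lit('SELECT * FROM t WHERE name = ')->concat($q));      // Notice: literal + plain is plain
```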