Newsgroups: php.internals
Xref: news.php.net php.internals:87350
Message-ID: <55B7E941.3000801@gmx.de>
Date: Tue, 28 Jul 2015 22:42:41 +0200
From: cmbecker69@gmx.de (Christoph Becker)
To: Rowan Collins, internals@lists.php.net
References: <041328F1-A94D-4B36-BF4F-ED1D9AEB98A9@gmail.com>
In-Reply-To: <041328F1-A94D-4B36-BF4F-ED1D9AEB98A9@gmail.com>
Subject: Re: [PHP-DEV] [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack

Rowan Collins wrote:
> On 28 July 2015 18:33:31 BST, Matt Tait wrote:
>> Hi all,
>>
>> I've written an RFC (and PoC) about automatic detection and blocking of
>> SQL injection vulnerabilities directly from inside PHP via automated taint
>> analysis.
>>
>> https://wiki.php.net/rfc/sql_injection_protection
>
> Have you searched the list archive and wiki for previous discussions and
> prototypes of variable tainting? The idea may well have some legs, but there
> might be some interesting points from previous discussions to note in your
> RFC.

FWIW, there is the inactive "Taint support for PHP"[1] RFC.

[1]

-- 
Christoph M. Becker
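The taint-tracking idea the thread is about, sketched in userland PHP as an added example. This is not code from Matt Tait's RFC or its PoC, nor from PHP itself: the RFC proposes doing this inside the engine for the builtin SQL functions, whereas this sketch approximates it with a `TaintedString` wrapper, a `guardedQuery()` stand-in for the engine check, a simplified quoting routine and a fake executor closure, all of which are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the RFC or PHP source: a userland sketch of taint
// tracking. Strings from request input are wrapped as tainted; concatenation
// propagates taint; the query guard refuses to run SQL that still carries it.

final class TaintedString
{
    public function __construct(
        public readonly string $value,
        public readonly bool $tainted,
    ) {}

    // A value that arrived from an untrusted source (request data, etc.).
    public static function fromInput(string $value): self
    {
        return new self($value, true);
    }

    // A literal written by the developer is trusted.
    public static function literal(string $value): self
    {
        return new self($value, false);
    }

    // Concatenation: the result is tainted if any part is tainted.
    public function concat(self|string ...$parts): self
    {
        $value = $this->value;
        $tainted = $this->tainted;
        foreach ($parts as $part) {
            if ($part instanceof self) {
                $value .= $part->value;
                $tainted = $tainted || $part->tainted;
            } else {
                $value .= $part;
            }
        }
        return new self($value, $tainted);
    }

    // Quoting the value as an SQL string literal clears its taint. The escape
    // here is deliberately simplified for the example; real code should use
    // the driver's quoting (PDO::quote, mysqli::real_escape_string) or,
    // better, a prepared statement with bound parameters.
    public function quotedForSql(): self
    {
        $escaped = str_replace(['\\', "'"], ['\\\\', "''"], $this->value);
        return new self("'" . $escaped . "'", false);
    }
}

final class SqlInjectionBlocked extends RuntimeException {}

// Stand-in for the engine-level check on the builtin query functions: refuse
// to execute a query whose text still carries taint.
function guardedQuery(TaintedString $sql, callable $execute): mixed
{
    if ($sql->tainted) {
        throw new SqlInjectionBlocked(
            'Refusing to execute SQL built from unsanitised input: ' . $sql->value
        );
    }
    return $execute($sql->value);
}

// --- Demonstration with a constructed request value and a fake executor ---
$fakeExecute = fn(string $sql): string => "executed: $sql";

// Constructed input standing in for something like $_GET['id'].
$id = TaintedString::fromInput("1' OR '1'='1");

$base = TaintedString::literal('SELECT * FROM users WHERE id = ');

// 1. Raw concatenation keeps the taint, so the guard blocks the query.
try {
    guardedQuery($base->concat($id), $fakeExecute);
} catch (SqlInjectionBlocked $e) {
    echo $e->getMessage(), PHP_EOL;
}

// 2. Quoting the input first clears the taint, and the query is allowed through.
echo guardedQuery($base->concat($id->quotedForSql()), $fakeExecute), PHP_EOL;
```

Run it with `php taint_sketch.php` (PHP 8.1 or later, for readonly promoted properties). The point the sketch makes is the one the RFC's critics and supporters both care about: the taint bit has to survive every string operation the engine supports, and be cleared only by operations that genuinely make the value safe for the sink in question, otherwise the check is either noisy (false positives on already-escaped values) or blind (taint lost through an untracked operation).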