Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack
From: Pierre Joye <pierre.php@gmail.com>
To: Christoph Becker
Cc: Rowan Collins, PHP internals
Date: Wed, 29 Jul 2015 04:05:49 +0700
In-Reply-To: <55B7E941.3000801@gmx.de>

On Jul 28, 2015 11:42 PM, "Christoph Becker" wrote:
>
> Rowan Collins wrote:
>
>> On 28 July 2015 18:33:31 BST, Matt Tait wrote:
>>> Hi all,
>>>
>>> I've written an RFC (and PoC) about automatic detection and blocking of
>>> SQL injection vulnerabilities directly from inside PHP via automated taint
>>> analysis.
>>>
>>> https://wiki.php.net/rfc/sql_injection_protection
>>
>> Have you searched the list archive and wiki for previous discussions and
>> prototypes of variable tainting? The idea may well have some legs, but
>> there might be some interesting points from previous discussions to note
>> in your RFC.
>
> FWIW, there is the inactive "Taint support for PHP"[1] RFC.
>
> [1]

Which is what should be done (global tainted mode) and not only for SQL.
Unfiltered input can affect way more than only SQL. Environment, exec, etc.
are all potentially dangerous with unfiltered data.

I fear it is an almost impossible task and may give a wrong signal:
everything is safe if tainted mode is enabled.

Cheers,
Pierre
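The distinction the reply draws, between a taint mode that only guards SQL and one that tracks data to every dangerous sink, can be sketched in userland. The following is an added illustration, not code from the RFC, its PoC, or PHP itself; the class and method names (`TaintedString`, `Sink::check`, the `sql`/`exec`/`env` sink labels) and the quote-doubling "escaper" are hypothetical and exist only to show how taint propagates through concatenation and why a value escaped for one sink is still unsafe for another.

```php
<?php
// Added illustration of per-sink taint tracking in userland.
// Not from the RFC or PHP internals; all names here are hypothetical.
declare(strict_types=1);

final class TaintedString
{
    private const SINKS = ['sql', 'exec', 'env'];

    /** @var array<string,bool> sinks this (tainted) value has been made safe for */
    private array $safeFor = [];

    private function __construct(private string $value, private bool $tainted) {}

    /** Anything that came from the client starts out tainted for every sink. */
    public static function fromRequest(string $raw): self
    {
        return new self($raw, true);
    }

    /** A string literal written by the developer is trusted for every sink. */
    public static function literal(string $s): self
    {
        return new self($s, false);
    }

    public function isSafeFor(string $sink): bool
    {
        return !$this->tainted || ($this->safeFor[$sink] ?? false);
    }

    /** Concatenation propagates taint: the result is safe for a sink only if both parts are. */
    public function concat(self $other): self
    {
        $out = new self($this->value . $other->value, $this->tainted || $other->tainted);
        foreach (self::SINKS as $sink) {
            if ($this->isSafeFor($sink) && $other->isSafeFor($sink)) {
                $out->safeFor[$sink] = true;
            }
        }
        return $out;
    }

    /** Apply an escaper that is trusted for one specific sink only; other sinks stay tainted. */
    public function sanitizeFor(string $sink, callable $escaper): self
    {
        $out = new self($escaper($this->value), $this->tainted);
        $out->safeFor = $this->safeFor;
        $out->safeFor[$sink] = true;
        return $out;
    }

    public function raw(): string
    {
        return $this->value;
    }
}

final class Sink
{
    /** Refuse to hand a value to a sink it has not been made safe for. */
    public static function check(TaintedString $s, string $sink): string
    {
        if (!$s->isSafeFor($sink)) {
            throw new RuntimeException("tainted data reached the {$sink} sink: " . $s->raw());
        }
        return $s->raw();
    }
}

// Constructed sample input standing in for $_GET['name'].
$name = TaintedString::fromRequest("bob'; DROP TABLE users; --");

// Illustrative quote-doubling only; a real application would use the driver's escaper or prepared statements.
$sqlSafe = $name->sanitizeFor('sql', fn(string $v): string => str_replace("'", "''", $v));

$query = TaintedString::literal("SELECT * FROM users WHERE name = '")
    ->concat($sqlSafe)
    ->concat(TaintedString::literal("'"));
echo Sink::check($query, 'sql'), "\n";   // passes: every piece is safe for the sql sink

// The same value reused in a shell command: the SQL escaper says nothing about shell metacharacters.
$cmd = TaintedString::literal('grep ')
    ->concat($sqlSafe)
    ->concat(TaintedString::literal(' /var/log/app.log'));
try {
    Sink::check($cmd, 'exec');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";          // rejected: still tainted for exec
}
```

The second check is the case an SQL-only mode would never see: the string has been "made safe" once, so a single global safe flag would let it through to `exec`, which is the wrong signal the reply warns about. Tracking safety per sink keeps the rejection, at the cost of having to know, for every builtin that consumes a string, which sink class it belongs to.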