Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:87361 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 79277 invoked from network); 29 Jul 2015 08:19:44 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 29 Jul 2015 08:19:44 -0000 Authentication-Results: pb1.pair.com smtp.mail=mails@thomasbley.de; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=mails@thomasbley.de; sender-id=unknown Received-SPF: error (pb1.pair.com: domain thomasbley.de from 85.13.137.24 cause and error) X-PHP-List-Original-Sender: mails@thomasbley.de X-Host-Fingerprint: 85.13.137.24 dd15934.kasserver.com Received: from [85.13.137.24] ([85.13.137.24:59117] helo=dd15934.kasserver.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id D8/86-22108-5EB28B55 for ; Tue, 28 Jul 2015 21:27:02 -0400 Received: from dd15934.kasserver.com (dd0800.kasserver.com [85.13.143.204]) by dd15934.kasserver.com (Postfix) with ESMTPSA id ADE1C2606AE; Wed, 29 Jul 2015 03:26:57 +0200 (CEST) MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit X-SenderIP: 95.90.234.94 User-Agent: ALL-INKL Webmail 2.11 In-Reply-To: References: <041328F1-A94D-4B36-BF4F-ED1D9AEB98A9@gmail.com> <55B7E941.3000801@gmx.de> To: cmbecker69@gmx.de, pierre.php@gmail.com Cc: rowan.collins@gmail.com, internals@lists.php.net Message-ID: <20150729012657.ADE1C2606AE@dd15934.kasserver.com> Date: Wed, 29 Jul 2015 03:26:57 +0200 (CEST) Subject: Re: [PHP-DEV] [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack From: mails@thomasbley.de ("Thomas Bley") Pierre Joye wrote on 28.07.2015 23:05: > The > On Jul 28, 2015 11:42 PM, "Christoph Becker" wrote: >> >> Rowan Collins wrote: >> >> > On 28 July 2015 18:33:31 BST, Matt Tait wrote: >> >> Hi all, >> >> >> >> I've written an RFC (and PoC) about automatic detection and blocking of >> >> SQL >> >> injection vulnerabilities directly from inside PHP via automated taint >> >> analysis. >> >> >> >> https://wiki.php.net/rfc/sql_injection_protection >> > >> > Have you searched the list archive and wiki for previous discussions > and prototypes of variable tainting? The idea may well have some legs, but > there might be some interesting points from previous discussions to note in > your RFC. >> >> FWIW, there is the inactive "Taint support for PHP"[1] RFC. >> >> [1] > > Which is what should be done (global tainted mode) and not only for SQL. > > Unfiltered input can affect way more than only SQL. Environment, exec, etc > are all potentially dangerous with unfiltered data. > > I fear it is an almost impossible task and may give a wrong signal, > everything is safe of tainted mode is enabled. > > Cheers, > Pierre > I think it's better to support parameter substitution and escaping directly in the extensions or the core functions: Idea 1: mixed mysqli_query_bind ( mysqli $link , string $query [, array $parameters [, int $resultmode = MYSQLI_STORE_RESULT ] ] ) e.g. mysqli_query_bind($link, 'SELECT * FROM users WHERE usertype = ?', [$usertype]); mysqli_query_bind($link, 'SELECT * FROM users WHERE id IN (?)', [[1,2,3]]); Using mysqli_query_bind() means parameters are substituted in as (correctly) escaped strings and the result is run with mysqli_query(). and similar: exec_bind ( string $command [, array $parameters [, array &$output [, int &$return_var ] ] ] ) echo exec_bind('ls ?', [$someDir]); Using exec_bind() means parameters are substituted in as (correctly) escaped strings and the result is run with exec(). Those who want to secure their legacy code can use "disable_functions=mysqli_query,exec" and change the occurrences of both functions to the new bind functions. If people still use echo exec_bind('ls '.$someDir), static code analysis can find it, similar to unsafe includes. Regards Thomas