Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack
From: craig@craigfrancis.co.uk (Craig Francis)
To: Lester Caine
Cc: internals@lists.php.net
Date: Wed, 29 Jul 2015 16:11:06 +0100
Message-ID: <6F8B9B35-D487-45D9-BC84-4A782951EDC7@craigfrancis.co.uk>
In-Reply-To: <55B896B8.4070901@lsces.co.uk>

On 29 Jul 2015, at 10:02, Lester Caine wrote:
> The problem is removing all of the poor quality on-line guides and
> replacing them with ones which provide a much better working model.
> Trying to get PHP to pick up a few edge cases is a poor use of time.

I completely disagree... prepared statements are just as vulnerable, and so are ORMs.

You can push developers towards these solutions, and that would be good, but you are completely blind if you think an uneducated developer won't do:

    if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=" . $_GET['name'])) {
    }

And that's using a slightly edited example from:
http://php.net/manual/en/mysqli.prepare.php

It's a shame that Wietse suggested this solution in 2008; it is incomplete, and does not seem to be going anywhere (I'm also tempted to say the implementation is slightly the wrong way around, but the theory is there).

Likewise the PECL extension from 2013.
http://pecl.php.net/package/taint

Matt, I realise I'm not a C programmer, and probably won't be able to help there, but if there is anything I can do, please let me know.

If you want to compare notes, my suggestion is at:
http://news.php.net/php.internals/87207

Craig

On 29 Jul 2015, at 10:02, Lester Caine wrote:
> On 28/07/15 18:33, Matt Tait wrote:
>> What do you all think? There's obviously a bit more work to do; the PoC
>> currently only covers mysqli_query, but I thought this stage is an
>> interesting point to throw it open to comments before working to complete
>> it.
>
> If you want a safe and stable system ... don't use mysql ...
> The problem is removing all of the poor quality on-line guides and
> replacing them with ones which provide a much better working model.
> Trying to get PHP to pick up a few edge cases is a poor use of time.
>
> --
> Lester Caine - G8HFL
> -----------------------------
> Contact - http://lsces.co.uk/wiki/?page=contact
> L.S.Caine Electronic Services - http://lsces.co.uk
> EnquirySolve - http://enquirysolve.com/
> Model Engineers Digital Workshop - http://medw.co.uk
> Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
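Added example (not from the thread, Matt's PoC, or the taint extension): a userland PHP sketch of the idea being argued over, where request data is wrapped so that the "prepare(literal . $_GET[...])" pattern from the message fails at the concatenation, while the placeholder-and-bind form still works. The `Untrusted` class, `lookup_district()` and the sample value are assumptions of mine.

```php
<?php
declare(strict_types=1);

// Wrapper for request data. It refuses to be coerced into a string, so the
// "prepare(literal . $_GET[...])" pattern fails at the concatenation instead
// of producing an injectable query. (Hypothetical helper, not a PHP builtin.)
final class Untrusted
{
    public function __construct(private string $value) {}

    public function __toString(): string
    {
        throw new LogicException('untrusted input concatenated into a string');
    }

    // The only way to get the bytes out is an explicit call, which should
    // only ever feed bind_param(), never the SQL text.
    public function raw(): string
    {
        return $this->value;
    }
}

// Correct shape: the SQL text is a literal, the data travels separately.
// Needs a live mysqli connection to run; the rest of the file does not.
function lookup_district(mysqli $db, Untrusted $name): ?string
{
    $stmt = $db->prepare("SELECT District FROM City WHERE Name = ?");
    $value = $name->raw();
    $stmt->bind_param('s', $value);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_row();
    return $row[0] ?? null;
}

// Constructed sample input standing in for $_GET['name'].
$name = new Untrusted("O'Brien");

// The pattern from the thread (manual example with user data concatenated in):
// with the wrapper in place this throws instead of building the query.
try {
    $sql = "SELECT District FROM City WHERE Name=" . $name;
    echo "built: ", $sql, PHP_EOL;  // not reached
} catch (LogicException $e) {
    echo "blocked: ", $e->getMessage(), PHP_EOL;
}
```

The throwing `__toString()` needs PHP 7.4 or later; it catches concatenation and interpolation, but not a deliberate `->raw()` call spliced into the SQL, which is exactly the case only an engine-level check can see.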