Newsgroups: php.internals
Message-ID: <55B9D14B.9010902@lsces.co.uk>
Date: Thu, 30 Jul 2015 08:24:59 +0100
To: internals@lists.php.net
In-Reply-To: <6F8B9B35-D487-45D9-BC84-4A782951EDC7@craigfrancis.co.uk>
Subject: Re: [PHP-DEV] [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack
From: Lester Caine <lester@lsces.co.uk>

On 29/07/15 16:11, Craig Francis wrote:
> I completely disagree... prepared statements are just as vulnerable, and so are ORMs.
>
> You can push developers towards these solutions, and that would be good, but you are completely blind if you think an uneducated developer won't do:
>
> if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=" . $_GET['name'])) {
> }

But that is a perfect example of what I am talking about. You do not educate people by publishing the very thing that is wrong. You educate them by pointing out to them WHY the '?' was there in the first place.

Since the taint extension only covers mysql and sqlite, it's of little use if we manage to convert the 'uneducated developer' to any of the more secure databases, and that was one of the reasons why mysql was dropped from being loaded by default. Once one starts from a base of parametrised SQL queries, the lax programming methods many mysql guides and books continue to push can be reversed. Throwing more bloat into PHP to create 'WTF' errors just adds to a new user's frustration and annoys experienced users who have very good reasons for building queries using clean variables.
MANY abstraction layers use variables to add prefixes to table names or fields.

Educate ... don't nanny ...

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
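The two points in this exchange side by side, as an added example that is not part of the thread or of any PHP project code: the prepare() call quoted by Craig that concatenates the request value (and so is not parameterised at all), the same query written with the '?' placeholder Lester refers to, and the "clean variable" case of a table prefix, which cannot be a bound parameter and is therefore validated before interpolation. To run offline it uses PDO with an in-memory SQLite database (assumed available) rather than the mysqli/MySQL pair in the quoted snippet; the schema, rows, identifier rule and the prefixedTable() helper are constructed for this example.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite is assumed
// so the script runs offline; the quoted snippet used mysqli against MySQL,
// where the same '?' placeholder (with bind_param) applies.

// Constructed sample schema and rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE app_City (Name TEXT, District TEXT)');
$pdo->exec("INSERT INTO app_City VALUES ('Leeds', 'West Yorkshire'), ('York', 'North Yorkshire')");

// Hostile input of the kind $_GET['name'] may carry.
$name = "'' OR 1=1 --";

// 1. The pattern quoted in the thread: prepare() is called, but the user
//    value is already part of the SQL text, so the statement carries no
//    parameter and the tail of the input is parsed as SQL.
function concatenated(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT District FROM app_City WHERE Name=" . $name);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Why the '?' was there: the value travels separately from the SQL text,
//    so the same input is compared literally against Name instead of being parsed.
function parameterised(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT District FROM app_City WHERE Name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. The abstraction-layer case: a table prefix is an identifier, and
//    placeholders stand for values, not identifiers, so it is checked against
//    a strict pattern (assumed rule for this example: [A-Za-z0-9_], 1-32 chars)
//    before being spliced into the SQL. The value still goes through '?'.
function prefixedTable(string $prefix, string $table): string
{
    foreach ([$prefix, $table] as $part) {
        if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $part)) {
            throw new InvalidArgumentException("Unsafe identifier: $part");
        }
    }
    return $prefix . $table;
}

function districtOf(PDO $pdo, string $prefix, string $name): ?string
{
    $sql = 'SELECT District FROM ' . prefixedTable($prefix, 'City') . ' WHERE Name = ?';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$name]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

printf("concatenated:  %d row(s) returned for hostile input\n", count(concatenated($pdo, $name)));
printf("parameterised: %d row(s) returned for hostile input\n", count(parameterised($pdo, $name)));
printf("prefixed:      %s\n", districtOf($pdo, 'app_', 'York'));
try {
    districtOf($pdo, 'app_; DROP TABLE app_City; --', 'York');
} catch (InvalidArgumentException $e) {
    printf("prefixed:      rejected hostile prefix (%s)\n", $e->getMessage());
}
```

The first query returns every row because the concatenated input turns the WHERE clause into `Name='' OR 1=1 --`; the second returns none, because the whole string is matched as a literal Name. The third shows that an identifier built from a "clean variable" is only clean if something enforces that, which is the work a prefix-validating abstraction layer has to do itself; the ORM or prepared statement cannot do it for you.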