Newsgroups: php.internals
Xref: news.php.net php.internals:87386
Subject: Re: [PHP-DEV] [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack
From: craig@craigfrancis.co.uk (Craig Francis)
To: Lester Caine
Cc: internals@lists.php.net
Date: Thu, 30 Jul 2015 10:14:49 +0100
Message-ID: <44415028-F437-4914-818C-C928BA01D7FE@craigfrancis.co.uk>
In-Reply-To: <55B9D14B.9010902@lsces.co.uk>
References: <55B896B8.4070901@lsces.co.uk> <6F8B9B35-D487-45D9-BC84-4A782951EDC7@craigfrancis.co.uk> <55B9D14B.9010902@lsces.co.uk>

On 30 Jul 2015, at 08:24, Lester Caine wrote:

> But that is a perfect example of what I am talking about. You do not
> educate people by publishing the very thing that is wrong. You educate
> them by pointing out to them WHY the '?' was there in the first place.

I completely agree on education, and that is what I'm hoping for... and this is how we can educate everyone :-)

My suggestion for taints (not quite the same as the one from Matt or Wietse) was not to change the way good programs are created/executed, but simply an education device, which can also pick up mistakes that experienced developers make.
While my first post on this mailing list gives a better overview:

http://news.php.net/php.internals/87207

The original implementation suggestion is at:

https://bugs.php.net/bug.php?id=69886

You will see that it does nothing more than create notices to say "erm, do you want to be doing this?".

This is something that only PHP can do, unless you can find a way of changing every single article / code example on the internet :-)

So, with your example... if you want to use a variable for a table/field prefix, that is perfectly fine... in fact, it won't need any changes, as the prefix will probably be hard coded as a string within a PHP script (something I called ETYPE_CONSTANT).

But if not (e.g. storing the prefix in an ini file?), then I've shown an example of how that can be handled with the proposed "string_encoding_set" function (something I should probably have called string_escaping_set)... which is simply to tell PHP that this one variable is already safe (something I can't see being needed very often).

Craig

On 30 Jul 2015, at 08:24, Lester Caine wrote:

> On 29/07/15 16:11, Craig Francis wrote:
>> I completely disagree... prepared statements are just as vulnerable, and so are ORMs.
>>
>> You can push developers towards these solutions, and that would be good, but you are completely blind if you think an uneducated developer won't do:
>>
>> if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=" . $_GET['name'])) {
>> }
>
> But that is a perfect example of what I am talking about. You do not
> educate people by publishing the very thing that is wrong. You educate
> them by pointing out to them WHY the '?' was there in the first place.
>
> Since the taint extension only covers mysql and sqlite it's of little
> use if we manage to convert 'uneducated developer' to any of the more
> secure databases, and that was one of the reasons why mysql was dropped
> from being loaded by default. Once one starts from a base of
> parametrised SQL queries the lax programming methods many mysql guides
> and books continue to push can be reversed. Throwing more bloat into php
> to create 'WTF' errors just adds to a new user's frustration and annoys
> experienced users who have very good reasons for building queries using
> clean variables. MANY abstraction layers use variables to add prefixes
> to table names or fields.
>
> Educate ... don't nanny ...
>
> --
> Lester Caine - G8HFL
> -----------------------------
> Contact - http://lsces.co.uk/wiki/?page=contact
> L.S.Caine Electronic Services - http://lsces.co.uk
> EnquirySolve - http://enquirysolve.com/
> Model Engineers Digital Workshop - http://medw.co.uk
> Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
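As an added illustration of the two points the thread turns on (why the '?' placeholder matters, and the table/field prefix that cannot be a placeholder), the PHP below is example code written for this page; it is not from the thread, from the taint RFC, or from either poster. It uses PDO with an in-memory SQLite database so it runs offline with no server. The table name app_City, the sample rows, the injection payload and the prefix allowlist regex are all assumptions; the allowlist is a stand-in for whatever a project would use to vouch for a prefix loaded from configuration (the RFC's proposed string_encoding_set, or otherwise), not an implementation of that proposal.

```php
<?php
// Added example (not from the thread or the taint RFC): the concatenation
// pattern quoted above beside its parameterised form, run against an
// in-memory SQLite database. Table name, rows and payload are made up.

declare(strict_types=1);

function buildDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE app_City (Name TEXT, District TEXT)');
    $pdo->exec("INSERT INTO app_City VALUES ('Kabul', 'Kabol'), ('Qandahar', 'Qandahar')");
    return $pdo;
}

// Vulnerable: user input is spliced into the SQL text. Calling prepare()
// does not help, because the injected SQL is already part of the string
// by the time the driver parses it.
function districtUnsafe(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare("SELECT District FROM app_City WHERE Name = '" . $name . "'");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Parameterised: the '?' is a placeholder. The query text is parsed first
// and the value is supplied afterwards, so the value cannot change the
// query's structure no matter what it contains.
function districtSafe(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT District FROM app_City WHERE Name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Identifiers (a table prefix) cannot be bound as placeholders. When the
// prefix comes from configuration rather than a literal in the script,
// validate it before interpolating. Assumed policy: an identifier-shaped
// token of letters, digits and underscores, at most 31 characters.
function tablePrefixFromConfig(string $prefix): string {
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,30}\z/', $prefix)) {
        throw new InvalidArgumentException('table prefix rejected: ' . $prefix);
    }
    return $prefix;
}

// Prefix validated and quoted as an identifier; the user-supplied value
// still goes through a placeholder.
function districtWithPrefix(PDO $pdo, string $prefix, string $name): array {
    $table = tablePrefixFromConfig($prefix) . 'City';
    $stmt = $pdo->prepare("SELECT District FROM \"$table\" WHERE Name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = buildDb();
$payload = "x' OR '1'='1";   // constructed injection payload

print_r(districtUnsafe($pdo, $payload));   // the OR rewrites the WHERE clause
print_r(districtSafe($pdo, $payload));     // the payload is compared as a plain string
print_r(districtWithPrefix($pdo, 'app_', 'Kabul'));
try {
    districtWithPrefix($pdo, 'app_" UNION --', 'Kabul');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;        // rejected before any SQL is built
}
```

Run it with `php example.php` (pdo_sqlite is bundled with most PHP builds). The first call returns every row because the payload turned the WHERE clause into a tautology; the second returns nothing because no city is literally named `x' OR '1'='1`. The prefix case shows the part of Lester's objection that placeholders do not cover: an identifier has to be interpolated, so something has to vouch for it, and the allowlist here is one way to do that without a runtime taint check.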