Newsgroups: php.internals
Xref: news.php.net php.internals:87393
Subject: Re: [PHP-DEV] [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack
From: Craig Francis <craig@craigfrancis.co.uk>
To: Joe Watkins
Cc: Lester Caine, PHP internals
Date: Thu, 30 Jul 2015 13:40:16 +0100
Message-ID: <1715687D-BA2C-459F-AC98-A9443F468F3D@craigfrancis.co.uk>
References: <55B896B8.4070901@lsces.co.uk> <6F8B9B35-D487-45D9-BC84-4A782951EDC7@craigfrancis.co.uk> <55B9D14B.9010902@lsces.co.uk> <44415028-F437-4914-818C-C928BA01D7FE@craigfrancis.co.uk>

On 30 Jul 2015, at 13:14, Joe Watkins wrote:
> I find myself agreeing with Pierre; The wrong signal would be sent. History should teach us there is no such thing as (a) safe mode.

Hi Joe,

Please can you read my proposal (see the email you just replied to, also below)... I'm replying on this thread because my first one was ignored... I'm not suggesting a "safe mode" or any kind of blocking of requests (as per the subject)... as I agree, and believe that would be worse than the old auto escaping from PHP 4.

Craig

On 30 Jul 2015, at 13:14, Joe Watkins wrote:
> I find myself agreeing with Pierre; The wrong signal would be sent. History should teach us there is no such thing as (a) safe mode.
>
> Xinchen did use to work on a taint extension, I wonder why that was stopped?
>
> Worth noticing that the extension is rather complex, touching many parts of the engine, changing many things ... which I don't really like.
>
> Cheers
> Joe
>
> On Thu, Jul 30, 2015 at 10:14 AM, Craig Francis wrote:
> On 30 Jul 2015, at 08:24, Lester Caine wrote:
>
> > But that is a perfect example of what I am talking about. You do not
> > educate people by publishing the very thing that is wrong. You educate
> > them by pointing out to them WHY the '?' was there in the first place.
>
> I completely agree on education, and what I'm hoping for... and this is how we can educate everyone :-)
>
> My suggestion for taints (not quite the same as the one from Matt or Wietse) was not to change the way good programs are created/executed, but simply an education device, which can also pick up mistakes that experienced developers make.
>
> While my first post on this mailing list gives a better overview:
>
> http://news.php.net/php.internals/87207
>
> The original implementation suggestion is at:
>
> https://bugs.php.net/bug.php?id=69886
>
> You will see that it does nothing more than create notices to say "erm, do you want to be doing this?".
>
> This is something that only PHP can do, unless you can find a way of changing every single article / code example on the internet :-)
>
> So, with your example... if you want to use a variable for a table/field prefix, that is perfectly fine... in fact, it won't need any changes, as the prefix will probably be hard coded as a string within a PHP script (something I called ETYPE_CONSTANT).
>
> But if not (e.g. storing the prefix in an ini file?), then I've shown an example of how that can be handled with the proposed "string_encoding_set" function (something I should have probably called string_escaping_set)... which is simply to tell PHP that this one variable is already safe (something I can't see being needed very often).
>
> Craig
>
> On 30 Jul 2015, at 08:24, Lester Caine wrote:
>
> > On 29/07/15 16:11, Craig Francis wrote:
> >> I completely disagree... prepared statements are just as vulnerable, and so are ORMs.
> >>
> >> You can push developers towards these solutions, and that would be good, but you are completely blind if you think an uneducated developer won't do:
> >>
> >> if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=" . $_GET['name'])) {
> >> }
> >
> > But that is a perfect example of what I am talking about. You do not
> > educate people by publishing the very thing that is wrong. You educate
> > them by pointing out to them WHY the '?' was there in the first place.
> >
> > Since the taint extension only covers mysql and sqlite it's of little
> > use if we manage to convert 'uneducated developer' to any of the more
> > secure databases, and that was one of the reasons why mysql was dropped
> > from being loaded by default. Once one starts from a base of
> > parametrised sql queries the lax programming methods many mysql guides
> > and books continue to push can be reversed. Throwing more bloat into php
> > to create 'WTF' errors just adds to a new user's frustration and annoys
> > experienced users who have very good reasons for building queries using
> > clean variables. MANY abstraction layers use variables to add prefixes
> > to table names or fields.
> >
> > Educate ... don't nanny ...
> >
> > --
> > Lester Caine - G8HFL
> > -----------------------------
> > Contact - http://lsces.co.uk/wiki/?page=contact
> > L.S.Caine Electronic Services - http://lsces.co.uk
> > EnquirySolve - http://enquirysolve.com/
> > Model Engineers Digital Workshop - http://medw.co.uk
> > Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
> >
> > --
> > PHP Internals - PHP Runtime Development Mailing List
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
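The pattern Lester quotes, written out as an added example for this page (it is not code from the thread, from the taint RFC, or from the bug report): the prepare() call that concatenates $_GET['name'] into the SQL text, next to the form that uses the '?' placeholder, plus a hard-coded table prefix of the kind Craig says would be ETYPE_CONSTANT and need no change. The City(Name, District) table follows the quoted snippet; the connection details and the TABLE_PREFIX value are assumptions.

```php
<?php
// Added example (not from the thread or the RFC). Assumes a MySQL database
// with a City(Name, District) table, as in Lester's quoted snippet; the
// connection details below are placeholders.
declare(strict_types=1);

// Throw on driver errors instead of returning false, so failures are visible.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// A string literal in the script: the case Craig calls ETYPE_CONSTANT. It is
// concatenated into the SQL text in both functions below, and, because it
// never came from a request, the proposed notice would not fire on it.
const TABLE_PREFIX = 'app_';

// The misuse from the thread: prepare() is called, but the request value is
// already part of the SQL text, so the driver has nothing to bind and the
// statement is exactly as injectable as a plain query() would be. Under the
// proposal this is where a notice would be raised, because the string handed
// to prepare() derives from $_GET.
function districtUnsafe(mysqli $db, string $name): ?string
{
    $sql = "SELECT District FROM " . TABLE_PREFIX . "City WHERE Name = '" . $name . "'";
    $stmt = $db->prepare($sql);
    $stmt->execute();
    $district = null;
    $stmt->bind_result($district);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $district : null;
}

// Why the '?' is there: the SQL text now consists only of literals, so the
// query's structure is fixed before any user data is seen. The value travels
// to the server separately through bind_param() and cannot alter that
// structure, whatever characters it contains.
function districtSafe(mysqli $db, string $name): ?string
{
    $sql = "SELECT District FROM " . TABLE_PREFIX . "City WHERE Name = ?";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $district = null;
    $stmt->bind_result($district);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $district : null;
}

// Usage; the connection parameters are placeholders, not real credentials.
$db = new mysqli('localhost', 'db_user', 'db_password', 'world');
$name = $_GET['name'] ?? 'Cardiff';
echo districtSafe($db, $name) ?? 'not found', PHP_EOL;
```

Both functions concatenate TABLE_PREFIX into the query, which is the point Lester raises about abstraction layers: concatenation by itself is not the defect. The defect in districtUnsafe() is that the concatenated piece is request data, and that is the distinction (literal in the script versus value derived from input) that the notices Craig describes are meant to draw.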