Newsgroups: php.internals
Xref: news.php.net php.internals:87396
Subject: Re: [PHP-DEV] [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack
From: laruence@php.net (Xinchen Hui)
To: Joe Watkins
Cc: Craig Francis, Lester Caine, PHP internals
Date: Thu, 30 Jul 2015 20:47:58 +0800
References: <55B896B8.4070901@lsces.co.uk> <6F8B9B35-D487-45D9-BC84-4A782951EDC7@craigfrancis.co.uk> <55B9D14B.9010902@lsces.co.uk> <44415028-F437-4914-818C-C928BA01D7FE@craigfrancis.co.uk>

Hey:

On Thu, Jul 30, 2015 at 8:14 PM, Joe Watkins wrote:
> I find myself agreeing with Pierre; the wrong signal would be sent. History
> should teach us there is no such thing as (a) safe mode.
>
> Xinchen did use to work on a taint extension, I wonder why that was
> stopped?

Yes, it is https://github.com/laruence/php-taint

Anyway, I was too busy, so I didn't make it support PHP 5.6; I was hoping
someone could help (it supports 5.5 now).

It is a complex extension, using a tricky way to keep taint info.

Anyway, with PHP 7's new zend_string and string flags, the implementation
will become easier.

I have a plan to make it support PHP 7.

Thanks

> Worth noticing that the extension is rather complex, touching many parts of
> the engine, changing many things ... which I don't really like.
>
> Cheers
> Joe
>
> On Thu, Jul 30, 2015 at 10:14 AM, Craig Francis wrote:
>
>> On 30 Jul 2015, at 08:24, Lester Caine wrote:
>>
>> > But that is a perfect example of what I am talking about. You do not
>> > educate people by publishing the very thing that is wrong. You educate
>> > them by pointing out to them WHY the '?' was there in the first place.
>>
>> I completely agree on education, and what I'm hoping for... and this is
>> how we can educate everyone :-)
>>
>> My suggestion for taints (not quite the same as the one from Matt or
>> Wietse) was not to change the way good programs are created/executed, but
>> simply an education device, which can also pick up mistakes that
>> experienced developers make.
>>
>> While my first post on this mailing list gives a better overview:
>>
>> http://news.php.net/php.internals/87207
>>
>> The original implementation suggestion is at:
>>
>> https://bugs.php.net/bug.php?id=69886
>>
>> You will see that it does nothing more than create notices to say "erm, do
>> you want to be doing this?".
>>
>> This is something that only PHP can do, unless you can find a way of
>> changing every single article / code example on the internet :-)
>>
>> So, with your example... if you want to use a variable for a table/field
>> prefix, that is perfectly fine... in fact, it won't need any changes, as
>> the prefix will probably be hard coded as a string within a PHP script
>> (something I called ETYPE_CONSTANT).
>>
>> But if not (e.g. storing the prefix in an ini file?), then I've shown an
>> example of how that can be handled with the proposed "string_encoding_set"
>> function (something I should have probably called string_escaping_set)...
>> which is simply to tell PHP that this one variable is already safe
>> (something I can't see being needed very often).
>>
>> Craig
>>
>>
>> On 30 Jul 2015, at 08:24, Lester Caine wrote:
>>
>> > On 29/07/15 16:11, Craig Francis wrote:
>> >> I completely disagree... prepared statements are just as vulnerable,
>> >> and so are ORMs.
>> >>
>> >> You can push developers towards these solutions, and that would be
>> >> good, but you are completely blind if you think an uneducated developer
>> >> won't do:
>> >>
>> >>     if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=" . $_GET['name'])) {
>> >>
>> >>     }
>> >
>> > But that is a perfect example of what I am talking about. You do not
>> > educate people by publishing the very thing that is wrong. You educate
>> > them by pointing out to them WHY the '?' was there in the first place.
>> >
>> > Since the taint extension only covers mysql and sqlite it's of little
>> > use if we manage to convert 'uneducated developer' to any of the more
>> > secure databases, and that was one of the reasons why mysql was dropped
>> > from being loaded by default. Once one starts from a base of
>> > parametrised sql queries the lax programming methods many mysql guides
>> > and books continue to push can be reversed. Throwing more bloat into php
>> > to create 'WTF' errors just adds to a new user's frustration and annoys
>> > experienced users who have very good reasons for building queries using
>> > clean variables. MANY abstraction layers use variables to add prefixes
>> > to table names or fields.
>> >
>> > Educate ... don't nanny ...
>> >
>> > --
>> > Lester Caine - G8HFL
>> > -----------------------------
>> > Contact - http://lsces.co.uk/wiki/?page=contact
>> > L.S.Caine Electronic Services - http://lsces.co.uk
>> > EnquirySolve - http://enquirysolve.com/
>> > Model Engineers Digital Workshop - http://medw.co.uk
>> > Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
>> >
>> > --
>> > PHP Internals - PHP Runtime Development Mailing List
>> > To unsubscribe, visit: http://www.php.net/unsub.php

-- 
Xinchen Hui
@Laruence
http://www.laruence.com/
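The snippet Craig quotes (prepare() called on a string that already has $_GET['name'] concatenated into it) and Lester's point about table prefixes are the two cases the whole thread turns on. The following is an added example, not code from this thread, from PHP itself or from the php-taint extension: it puts the quoted mistake next to what the '?' placeholder actually does, and shows one way to handle an identifier such as a configured table prefix, which cannot be bound. It assumes PDO with the SQLite driver (an in-memory database, so it runs offline); the City table, its two rows, the hostile $_GET['name'] value and the quoteIdentifier() helper are all constructed here for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from this thread or from php-taint.
// PDO + in-memory SQLite so it runs offline; table, rows and the
// "attacker" inputs below are constructed for illustration.

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE City (Name TEXT NOT NULL, District TEXT NOT NULL)');
$db->exec("INSERT INTO City (Name, District) VALUES ('Paris', 'Ile-de-France'), ('Lyon', 'Rhone')");

// 1. The mistake quoted in the thread: prepare() is called, but the user
//    value has already been concatenated into the SQL text, so there is
//    nothing left to bind. Kept deliberately vulnerable.
function vulnerableLookup(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT District FROM City WHERE Name=" . $name);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 2. What the '?' is for: the value travels as a bound parameter, never as SQL.
function safeLookup(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT District FROM City WHERE Name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Identifiers such as a table prefix read from an ini file cannot be
//    bound. Assumed helper (mine, not a PHP or php-taint API): allow-list
//    the characters, then quote with standard SQL double quotes (MySQL
//    uses backticks unless ANSI_QUOTES is enabled).
function quoteIdentifier(string $ident): string
{
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $ident)) {
        throw new InvalidArgumentException("refusing unsafe identifier: $ident");
    }
    return '"' . $ident . '"';
}

function prefixedLookup(PDO $db, string $prefix, string $name): array
{
    $table = quoteIdentifier($prefix . 'City');
    $stmt = $db->prepare("SELECT District FROM $table WHERE Name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function show(string $label, array $rows): void
{
    echo str_pad($label, 34), json_encode($rows), "\n";
}

// A "friendly" value makes the broken version look correct during testing...
show("vulnerable, name='Paris':", vulnerableLookup($db, "'Paris'"));
// ...while a hostile one (constructed $_GET['name']) turns the WHERE clause
// into a tautology.
$hostile = "'' OR 1=1";
show('vulnerable, hostile name:', vulnerableLookup($db, $hostile));
show('bound parameter, hostile name:', safeLookup($db, $hostile));
show('bound parameter, name=Paris:', safeLookup($db, 'Paris'));
// The configured prefix goes through the allow-list, the value stays bound.
show('prefix from config, prefix="":', prefixedLookup($db, '', 'Lyon'));
try {
    prefixedLookup($db, 'x"; DROP TABLE City; --', 'Lyon');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The vulnerable function returns Ile-de-France for the quoted name, which is exactly why the author of such code believes it works, and returns both districts for the hostile value because the concatenated text reads `WHERE Name='' OR 1=1`. The bound version returns nothing for the hostile value (no city is literally named `'' OR 1=1`) and Ile-de-France for `Paris`. The hostile prefix is rejected before any SQL is built. Two caveats for real deployments: with pdo_mysql, emulated prepares are on by default, so set PDO::ATTR_EMULATE_PREPARES to false if you want the binding to happen on the server; and an identifier allow-list is a policy decision, so keep it as strict as the schema permits rather than widening it to make a prefix work.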