Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:87400
Return-Path: <scott@paragonie.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 14287 invoked from network); 30 Jul 2015 13:43:14 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 30 Jul 2015 13:43:14 -0000
Authentication-Results: pb1.pair.com header.from=scott@paragonie.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=scott@paragonie.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain paragonie.com from 209.85.192.42 cause and error)
X-PHP-List-Original-Sender: scott@paragonie.com
X-Host-Fingerprint: 209.85.192.42 mail-qg0-f42.google.com  
Received: from [209.85.192.42] ([209.85.192.42:34116] helo=mail-qg0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 5B/53-31830-DE92AB55 for <internals@lists.php.net>; Thu, 30 Jul 2015 09:43:10 -0400
Received: by qgeu79 with SMTP id u79so24173393qge.1
        for <internals@lists.php.net>; Thu, 30 Jul 2015 06:43:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:cc:content-type;
        bh=xhCp58a+VmwO1OOPLLzhK0drDAYY2O9eXg2SFYahgUU=;
        b=b1bxl3M7T3s+6JH1sVveEO+OQCWzuJlh0ilZWj7EKcKMg+ewo/g8RJCT3NMr/YayPL
         miyKboK4CMylV0CHWmftZarxLen1MHMjKkeXM16fnzahdVulh1QRDRBmC2g/DYYetHVw
         iLYgeNtk5zMILbDSAS6nSnCkothsL2c5eJrLWe0wB0shpdIWnJMhSDBlkMJ0PXiXrCeK
         0T3E0wwU7PO55ILwqRQsbhABcAtCytSHEOaczPPBO93sk0ZxujLhx9i1PgfurlfXmR/h
         PuoBG646qxbk0TmHUrw+ItDnKdyrTwXj1kCcdFDuFId/p9+QVOMikxCaJbWK5XRh6B4m
         SZ2g==
X-Gm-Message-State: ALoCoQmjwYdNXlKYC2JDZKrfAejs8fd3e/w9hNhvmf+mWgX2uhnMC2LZegY6/retl+8wMXQnP14z
MIME-Version: 1.0
X-Received: by 10.140.86.41 with SMTP id o38mr69440714qgd.102.1438263786875;
 Thu, 30 Jul 2015 06:43:06 -0700 (PDT)
Received: by 10.96.83.102 with HTTP; Thu, 30 Jul 2015 06:43:06 -0700 (PDT)
In-Reply-To: <CAEZfaM5t3MpVk=rz7JUPdao=qq96J3cowWQmKboqTgLOXLqaCA@mail.gmail.com>
References: <CAEZfaM5t3MpVk=rz7JUPdao=qq96J3cowWQmKboqTgLOXLqaCA@mail.gmail.com>
Date: Thu, 30 Jul 2015 09:43:06 -0400
Message-ID: <CAKws9z0k0VDFODWJbsbRGq1WhZy3Bdo3T4pv-MKy+fphkdF=PQ@mail.gmail.com>
To: Matt Tait <matt.tait@gmail.com>
Cc: PHP Internals <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] [RFC] Block requests to builtin SQL functions where PHP
 can prove the call is vulnerable to a potential SQL-injection attack
From: scott@paragonie.com (Scott Arciszewski)

On Tue, Jul 28, 2015 at 1:33 PM, Matt Tait <matt.tait@gmail.com> wrote:
> Hi all,
>
> I've written an RFC (and PoC) about automatic detection and blocking of SQL
> injection vulnerabilities directly from inside PHP via automated taint
> analysis.
>
> https://wiki.php.net/rfc/sql_injection_protection
>
> In short, we make zend_strings track where their value originated. If it
> originated as a T_STRING, from a primitive (like int) promotion, or as a
> concatenation of such strings, it's query that can't have been SQL-injected
> by an attacker controlled string. If we can't prove that the query is safe,
> that means that the query is either certainly vulnerable to a SQL-injection
> vulnerability, or sufficiently complex that it should be parameterized
> just-to-be-sure.
>
> There's also a working proof of concept over here:
>
> http://phpoops.cloudapp.net/oops.php
>
> You'll notice that the page makes a large number of SQL statements, most of
> which are not vulnerable to SQL injection, but one is. The proof of concept
> is smart enough to block that one vulnerable request, and leave all of the
> others unchanged.
>
> In terms of performance, the cost here is negligible. This is just basic
> variable taint analysis under the hood, (not an up-front intraprocedurale
> static analysis or anything complex) so there's basically no slow down.
>
> PHP SQL injections are the #1 way PHP applications get hacked - and all SQL
> injections are the result of a developer either not understanding how to
> prevent SQL injection, or taking a shortcut because it's fewer keystrokes
> to do it a "feels safe" rather than "is safe" way.
>
> What do you all think? There's obviously a bit more work to do; the PoC
> currently only covers mysqli_query, but I thought this stage is an
> interesting point to throw it open to comments before working to complete
> it.
>
> Matt

Hi Matt,

> PHP SQL injections are the #1 way PHP applications get hacked - and all SQL
> injections are the result of a developer either not understanding how to
> prevent SQL injection, or taking a shortcut because it's fewer keystrokes
> to do it a "feels safe" rather than "is safe" way.

This may have been true at one point in time, but my own experience
and the statistics collected by Dan Kaminsky of White Hat Security
indicates that Cross-Site Scripting vulnerabilities are much more
prevalent in 2015 than SQL Injection, especially in business
applications. If Google has information that indicates that SQLi is
still more prevalent than XSS, I'd love to see this data.

In my opinion, SQL injection is almost a solved problem. Use prepared
statements where you can, and strictly whitelist where you cannot
(i.e. "ORDER BY {$column} ASC")

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>