Newsgroups: php.internals
Date: Thu, 30 Jul 2015 08:26:37 -0700
From: Ronald Chmara <ronabop@gmail.com>
To: Craig Francis
Cc: Lester Caine, internals
In-Reply-To: <44415028-F437-4914-818C-C928BA01D7FE@craigfrancis.co.uk>
References: <55B896B8.4070901@lsces.co.uk> <6F8B9B35-D487-45D9-BC84-4A782951EDC7@craigfrancis.co.uk> <55B9D14B.9010902@lsces.co.uk> <44415028-F437-4914-818C-C928BA01D7FE@craigfrancis.co.uk>
Subject: Re: [PHP-DEV] [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack

Perhaps I have missed something in this discussion where such a change to PHP does not break every single application that is supposed to pass raw, user submitted, SQL *without* getting prepared/nerfed, or warned about, by intentional application design.

If we're just limiting the nerfing for submitted GPC variables (since PHP is used a lot for web applications)... we still have a non-trivial number of those installed applications which require raw, user created, unescaped SQL, passing through to function as designed.

I am thinking of the class of applications like phpMyAdmin, as well as the millions of other database utility scripts, application install scripts, (etc.) out there that perform similar tasks, that need to pass raw SQL, as crafted by users, without preparation, intentionally.

Of course, we could just add a "bypass_the_nerfing()" function, and such a function could then possibly see widespread adoption, everywhere, rendering the entire exercise moot.