Newsgroups: php.internals
Xref: news.php.net php.internals:87407
Subject: Re: [PHP-DEV] [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack
From: craig@craigfrancis.co.uk (Craig Francis)
To: Ronald Chmara
Cc: Lester Caine, internals
Date: Thu, 30 Jul 2015 16:38:04 +0100
Message-ID: <617E0E34-E407-434F-A441-3452166E89B7@craigfrancis.co.uk>
References: <55B896B8.4070901@lsces.co.uk> <6F8B9B35-D487-45D9-BC84-4A782951EDC7@craigfrancis.co.uk> <55B9D14B.9010902@lsces.co.uk> <44415028-F437-4914-818C-C928BA01D7FE@craigfrancis.co.uk>

On 30 Jul 2015, at 16:26, Ronald Chmara wrote:

> Perhaps I have missed something in this discussion

I think you have... my email from a couple of weeks ago was ignored... so I replied to Matt's suggestion (which is similar, but different).

Please, just spend a few minutes reading my suggestion, it has absolutely nothing to do with breaking applications:

http://news.php.net/php.internals/87207
https://bugs.php.net/bug.php?id=69886

And yes, I do have a bypass_the_nerfing function (well, a function to say the variable has already been escaped)... but the idea is that it's ever so slightly harder to use than the related escaping functions, and rarely needed.

On 30 Jul 2015, at 16:26, Ronald Chmara wrote:

> Perhaps I have missed something in this discussion where such a change to PHP does not break every single application that is supposed to pass raw, user submitted, SQL *without* getting prepared/nerfed, or warned about, by intentional application design.
>
> If we're just limiting the nerfing for submitted GPC variables (since PHP is used a lot for web applications).... we still have a non-trivial number of those installed applications which require raw, user created, unescaped SQL, passing through to function as designed.
>
> I am thinking of the class of applications like phpMyAdmin, as well as the millions of other database utility scripts, application install scripts, (etc.) out there that perform similar tasks, that need to pass raw SQL, as crafted by users, without preparation, intentionally.
>
> Of course, we could just add a "bypass_the_nerfing()" function, and such a function could then possibly see widespread adoption, everywhere, rendering the entire exercise moot.