Newsgroups: php.internals
Xref: news.php.net php.internals:87674
Date: Fri, 7 Aug 2015 10:36:45 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Matt Tait
Cc: Anthony Ferrara, Julien Pauli, PHP Internals
Subject: Re: [PHP-DEV] [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack

On Fri, Aug 7, 2015 at 10:29 AM, Yasuo Ohgaki wrote:

> Even if there is an identifier placeholder, the SQL keyword remains.
> So to be perfect, you'll need another placeholder for SQL keywords.
> There is no escaping for SQL keywords, and it has to be validation.
> e.g. ORDER BY {$_GET['order']}

Oops, the last line should be:

e.g. ORDER BY col {$_GET['order']}

BTW, instead of improving PHP, users would be better off requesting an "identifier escape API" from DB developers, like PQescapeIdentifier() in PostgreSQL's client library. IMO.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
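The distinction drawn in the message, as an added example that is not code from the thread or from PHP itself: the column is an identifier and can be quoted the way PQescapeIdentifier() quotes it, while ASC/DESC are keywords that can only be validated against an allow-list. The `users` table, its columns and the inputs are constructed for the example.

```php
<?php
// Added example: builds the "ORDER BY col {$_GET['order']}" fragment from the
// message without interpolating untrusted input. Hypothetical table/columns.

const ALLOWED_SORT_COLUMNS = ['id', 'created_at', 'email'];

/** Quote a PostgreSQL identifier offline: wrap in double quotes, double any
 *  embedded double quote (the same rule PQescapeIdentifier() applies).
 *  With a live connection, pg_escape_identifier() does this for you. */
function quoteIdentifier(string $name): string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '"' . str_replace('"', '""', $name) . '"';
}

/** Keywords cannot be escaped; accept only the two spellings we expect. */
function validateDirection(string $dir): string
{
    $dir = strtoupper(trim($dir));
    if (!in_array($dir, ['ASC', 'DESC'], true)) {
        throw new InvalidArgumentException('order direction must be ASC or DESC');
    }
    return $dir;
}

/** Build ORDER BY from untrusted column/direction input (e.g. $_GET). */
function buildOrderBy(string $column, string $direction): string
{
    // The column is also allow-listed: quoting stops it breaking the query,
    // but a real application still only wants known columns to be sortable.
    if (!in_array($column, ALLOWED_SORT_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    return 'ORDER BY ' . quoteIdentifier($column) . ' ' . validateDirection($direction);
}

// Constructed inputs standing in for $_GET['col'] and $_GET['order'].
echo 'SELECT id, email FROM users ' . buildOrderBy('created_at', 'desc'), "\n";

foreach (['DESC;--', 'random'] as $bad) {
    try {
        buildOrderBy('id', $bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```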