Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack
From: cmbecker69@gmx.de (Christoph Becker)
Date: Wed, 12 Aug 2015 01:43:32 +0200
To: Craig Francis, Anthony Ferrara, Julien Pauli
CC: Matt Tait, PHP Internals
Message-ID: <55CA88A4.4050407@gmx.de>
In-Reply-To: <882D42B0-3554-4CAC-9EB9-09A0F00A35E8@craigfrancis.co.uk>

On 10.08.2015 at 11:57, Craig Francis wrote:

> You only have to skim read things like the second comment (with 27 up votes) on the PDO prepare page to see that these problems are happening all the time:
>
>
> http://php.net/manual/en/pdo.prepare.php#111458
> SELECT * FROM users WHERE $search=:email

"Skim reading" things might be the problem (here). The user contributed note states:

| In my case I allow the user to enter their username or email,
| determine which they've entered and set $search to "username" or
| "email". As this value is not entered by the user there is no
| potential for SQL injection and thus safe to use as I have done.

So to me that note looks pretty fine.

-- 
Christoph M. Becker
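The distinction the reply draws is between an identifier that is chosen by server-side code from a fixed set of literals and one that is copied from request data. The following PHP is an added example, not code from the thread, the RFC, or the php.net note it quotes; it assumes a `users` table with `username` and `email` columns (constructed here in an in-memory SQLite database) and uses hypothetical function names `findUser` and `findUserByColumn`. It shows the pattern the quoted note describes, and beside it the allowlist check needed when the column really is selected by the client, since PDO parameter markers bind values, not identifiers.

```php
<?php
// Added example (not from the mailing list thread or the php.net note).
// Runs offline against an in-memory SQLite database; the table and rows
// below are constructed sample data.

/**
 * Look up a user by username or e-mail address.
 *
 * $search is reduced to one of two literal strings owned by this code before
 * it is interpolated, so the identifier in the SQL text never carries request
 * data. The user-supplied value itself is always bound as a parameter.
 */
function findUser(PDO $pdo, string $login): ?array
{
    // Server-side decision: which column to search. This mirrors the
    // situation the quoted note describes.
    $search = (filter_var($login, FILTER_VALIDATE_EMAIL) !== false) ? 'email' : 'username';

    $stmt = $pdo->prepare("SELECT id, username, email FROM users WHERE $search = :login");
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

/**
 * Variant for the case where the client chooses the column (for example a
 * "search by" dropdown). Identifiers cannot be bound with :placeholders, so
 * the defence is an explicit allowlist applied before the SQL string exists.
 */
function findUserByColumn(PDO $pdo, string $column, string $value): ?array
{
    $allowed = ['username', 'email'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('Unsupported search column');
    }

    $stmt = $pdo->prepare("SELECT id, username, email FROM users WHERE $column = :value");
    $stmt->execute([':value' => $value]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com')");
$pdo->exec("INSERT INTO users (username, email) VALUES ('bob', 'bob@example.com')");

var_dump(findUser($pdo, 'alice'));            // matched on the username column
var_dump(findUser($pdo, 'bob@example.com'));  // matched on the email column
var_dump(findUser($pdo, "' OR 1=1 --"));      // bound as a value: no row, no injection

try {
    findUserByColumn($pdo, 'id = 1 OR 1', 'x'); // not in the allowlist: rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The allowlist comparison uses strict `in_array` so that only the exact literal column names pass; a static-analysis rule of the kind the RFC discusses would have to recognise both shapes (a ternary over two literals, and a membership test against a literal array) to avoid flagging this code as vulnerable.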