Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:87970
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 713 invoked from network); 1 Sep 2015 02:58:52 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 1 Sep 2015 02:58:52 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.177 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.220.177 mail-qk0-f177.google.com  
Received: from [209.85.220.177] ([209.85.220.177:36009] helo=mail-qk0-f177.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id DD/68-39890-A6415E55 for <internals@lists.php.net>; Mon, 31 Aug 2015 22:58:50 -0400
Received: by qkbp67 with SMTP id p67so27856563qkb.3
        for <internals@lists.php.net>; Mon, 31 Aug 2015 19:58:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=dh9AHSjhcQ4i5nCpa62AL3xcoLegMJESi9ioNmIuWOo=;
        b=dA/kelg6yaEH4Ysg6L2tQBfkUnXdtye6EjxxIP7GM4CZEEzwN9J6vhYcQ0GxUXei9o
         57mPS31uXfkd+c8PyYeGjvGtWFZ0YVhloXgH54xToVU12gvzATyU9iSXNyhy4bnM1jmN
         g4Ly6BSmEF8PVNR5Q4TXmYEQlmZPPNWbPqJSHoRcCPZRk+TzYlX1JrZN1I+i/ITscsr2
         JMq92DcYw3g6CbHB9I4vJgKRopybl9StwiFxjzOmAXkXYRPk5PZpv9YfMJpaqfGvpuBM
         7Cu0HFEAG1xHS9mxc3k5llBeIVvLRd54B5Fc4Hs/Uw0UdDWLACojr2RRvQ05uD84ClvY
         GlFA==
X-Received: by 10.129.51.88 with SMTP id z85mr13275273ywz.148.1441076327794;
 Mon, 31 Aug 2015 19:58:47 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.129.81.87 with HTTP; Mon, 31 Aug 2015 19:58:08 -0700 (PDT)
In-Reply-To: <CAEZfaM5t3MpVk=rz7JUPdao=qq96J3cowWQmKboqTgLOXLqaCA@mail.gmail.com>
References: <CAEZfaM5t3MpVk=rz7JUPdao=qq96J3cowWQmKboqTgLOXLqaCA@mail.gmail.com>
Date: Tue, 1 Sep 2015 11:58:08 +0900
X-Google-Sender-Auth: JzjT8oKfcNuIez5f7CeRmOtwhzE
Message-ID: <CAGa2bXbVXz2xMi7HKxrnzA=v3VKfwAjnX55zw9vcFObQZO62MQ@mail.gmail.com>
To: Matt Tait <matt.tait@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] [RFC] Block requests to builtin SQL functions where PHP
 can prove the call is vulnerable to a potential SQL-injection attack
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Matt,

My friend made a product called sql_firewall for PostgreSQL.

https://github.com/uptimejp/sql_firewall
http://pgsnaga.blogspot.jp/2015/08/postgresql-sql-firewall.html

It's not directly relevant to your proposal, but this kind of database extension
could be alternative.

PDO has parser for params. Parser may be extended to parse basic SQL syntax
and store syntax tree hash like sql_firewall and compare it to reject
SQL injection
attacks.

Just FYI.

Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net


On Wed, Jul 29, 2015 at 2:33 AM, Matt Tait <matt.tait@gmail.com> wrote:
> Hi all,
>
> I've written an RFC (and PoC) about automatic detection and blocking of SQL
> injection vulnerabilities directly from inside PHP via automated taint
> analysis.
>
> https://wiki.php.net/rfc/sql_injection_protection
>
> In short, we make zend_strings track where their value originated. If it
> originated as a T_STRING, from a primitive (like int) promotion, or as a
> concatenation of such strings, it's query that can't have been SQL-injected
> by an attacker controlled string. If we can't prove that the query is safe,
> that means that the query is either certainly vulnerable to a SQL-injection
> vulnerability, or sufficiently complex that it should be parameterized
> just-to-be-sure.
>
> There's also a working proof of concept over here:
>
> http://phpoops.cloudapp.net/oops.php
>
> You'll notice that the page makes a large number of SQL statements, most of
> which are not vulnerable to SQL injection, but one is. The proof of concept
> is smart enough to block that one vulnerable request, and leave all of the
> others unchanged.
>
> In terms of performance, the cost here is negligible. This is just basic
> variable taint analysis under the hood, (not an up-front intraprocedurale
> static analysis or anything complex) so there's basically no slow down.
>
> PHP SQL injections are the #1 way PHP applications get hacked - and all SQL
> injections are the result of a developer either not understanding how to
> prevent SQL injection, or taking a shortcut because it's fewer keystrokes
> to do it a "feels safe" rather than "is safe" way.
>
> What do you all think? There's obviously a bit more work to do; the PoC
> currently only covers mysqli_query, but I thought this stage is an
> interesting point to throw it open to comments before working to complete
> it.
>
> Matt