Re: [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack

From:	Rowan Collins	Date:	Tue, 28 Jul 2015 20:12:27 +0000
Subject:	Re: [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack
References:	1	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

On 28 July 2015 18:33:31 BST, Matt Tait <[email protected]> wrote:
>Hi all,
>
>I've written an RFC (and PoC) about automatic detection and blocking of
>SQL
>injection vulnerabilities directly from inside PHP via automated taint
>analysis.
>
>https://wiki.php.net/rfc/sql_injection_protection
 
Have you searched the list archive and wiki for previous discussions and prototypes of variable
tainting? The idea may well have some legs, but there might be some interesting points from previous
discussions to note in your RFC.

Also, 7.0 is already in beta, so your RFC will need to target 7.1 at the earliest.

Regards,
-- 
Rowan Collins
[IMSoP]


   

Thread (45 messages)

• Matt TaitTue, 28 Jul 2015 17:33:31 +0000
  • Rowan CollinsTue, 28 Jul 2015 20:12:27 +0000
    • Christoph BeckerTue, 28 Jul 2015 20:42:41 +0000
      • Pierre JoyeTue, 28 Jul 2015 21:05:49 +0000
        • Thomas BleyWed, 29 Jul 2015 01:26:57 +0000
  • Lester CaineWed, 29 Jul 2015 09:02:48 +0000
    • Craig FrancisWed, 29 Jul 2015 15:11:06 +0000
      • Lester CaineThu, 30 Jul 2015 07:24:59 +0000
        • Craig FrancisThu, 30 Jul 2015 09:14:49 +0000
          • Joe WatkinsThu, 30 Jul 2015 12:14:24 +0000
            • Craig FrancisThu, 30 Jul 2015 12:40:16 +0000
            • Xinchen HuiThu, 30 Jul 2015 12:47:58 +0000
              • Craig FrancisThu, 30 Jul 2015 15:20:12 +0000
          • Ronald ChmaraThu, 30 Jul 2015 15:26:37 +0000
            • Craig FrancisThu, 30 Jul 2015 15:38:04 +0000
              • Ronald ChmaraFri, 31 Jul 2015 16:40:36 +0000
                • Craig FrancisSun, 02 Aug 2015 09:50:34 +0000
  • Scott ArciszewskiThu, 30 Jul 2015 13:43:06 +0000
    • Craig FrancisThu, 30 Jul 2015 15:20:28 +0000
      • Scott ArciszewskiThu, 30 Jul 2015 15:24:19 +0000
        • Craig FrancisThu, 30 Jul 2015 15:38:05 +0000
          • Joe WatkinsThu, 30 Jul 2015 16:02:33 +0000
            • Craig FrancisFri, 31 Jul 2015 10:40:37 +0000
              • Joe WatkinsFri, 31 Jul 2015 14:00:41 +0000
                • Craig FrancisFri, 31 Jul 2015 14:31:18 +0000
                • Matt TaitFri, 31 Jul 2015 14:47:41 +0000
    • Matt TaitFri, 31 Jul 2015 13:11:20 +0000
      • Craig FrancisFri, 31 Jul 2015 14:05:51 +0000
  • Lester CaineFri, 31 Jul 2015 14:11:14 +0000
  • Julien PauliWed, 05 Aug 2015 14:40:52 +0000
    • Anthony FerraraWed, 05 Aug 2015 15:27:01 +0000
      • Matt TaitWed, 05 Aug 2015 18:52:36 +0000
        • Anthony FerraraWed, 05 Aug 2015 20:53:14 +0000
          • Matt TaitThu, 06 Aug 2015 03:46:26 +0000
            • Dennis BirkholzThu, 06 Aug 2015 11:47:08 +0000
            • Anthony FerraraThu, 06 Aug 2015 21:34:26 +0000
              • Matt TaitThu, 06 Aug 2015 22:57:53 +0000
                • Craig FrancisMon, 10 Aug 2015 09:57:37 +0000
                  • Yasuo OhgakiTue, 11 Aug 2015 23:27:17 +0000
                    • Craig FrancisThu, 13 Aug 2015 11:00:41 +0000
                  • Christoph BeckerTue, 11 Aug 2015 23:43:32 +0000
                    • Craig FrancisThu, 13 Aug 2015 11:00:41 +0000
            • Yasuo OhgakiFri, 07 Aug 2015 01:29:12 +0000
              • Yasuo OhgakiFri, 07 Aug 2015 01:36:45 +0000
  • Yasuo OhgakiTue, 01 Sep 2015 02:58:08 +0000