Re: [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack

From:	Pierre Joye	Date:	Tue, 28 Jul 2015 21:05:49 +0000
Subject:	Re: [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack
References:	1 2 3	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

The
On Jul 28, 2015 11:42 PM, "Christoph Becker" <[email protected]> wrote:
>
> Rowan Collins wrote:
>
> > On 28 July 2015 18:33:31 BST, Matt Tait <[email protected]> wrote:
> >> Hi all,
> >>
> >> I've written an RFC (and PoC) about automatic detection and blocking of
> >> SQL
> >> injection vulnerabilities directly from inside PHP via automated taint
> >> analysis.
> >>
> >> https://wiki.php.net/rfc/sql_injection_protection
> >
> > Have you searched the list archive and wiki for previous discussions
and prototypes of variable tainting? The idea may well have some legs, but
there might be some interesting points from previous discussions to note in
your RFC.
>
> FWIW, there is the inactive "Taint support for PHP"[1] RFC.
>
> [1] <https://wiki.php.net/rfc/taint>

Which is what should be done (global tainted mode) and not only for SQL.

Unfiltered input can affect way more than only SQL. Environment, exec, etc
are all potentially dangerous with unfiltered data.

I fear it is an almost impossible task and may give a wrong signal,
everything is safe of tainted mode is enabled.

Cheers,
Pierre


   

Thread (45 messages)

• Matt TaitTue, 28 Jul 2015 17:33:31 +0000
  • Rowan CollinsTue, 28 Jul 2015 20:12:27 +0000
    • Christoph BeckerTue, 28 Jul 2015 20:42:41 +0000
      • Pierre JoyeTue, 28 Jul 2015 21:05:49 +0000
        • Thomas BleyWed, 29 Jul 2015 01:26:57 +0000
  • Lester CaineWed, 29 Jul 2015 09:02:48 +0000
    • Craig FrancisWed, 29 Jul 2015 15:11:06 +0000
      • Lester CaineThu, 30 Jul 2015 07:24:59 +0000
        • Craig FrancisThu, 30 Jul 2015 09:14:49 +0000
          • Joe WatkinsThu, 30 Jul 2015 12:14:24 +0000
            • Craig FrancisThu, 30 Jul 2015 12:40:16 +0000
            • Xinchen HuiThu, 30 Jul 2015 12:47:58 +0000
              • Craig FrancisThu, 30 Jul 2015 15:20:12 +0000
          • Ronald ChmaraThu, 30 Jul 2015 15:26:37 +0000
            • Craig FrancisThu, 30 Jul 2015 15:38:04 +0000
              • Ronald ChmaraFri, 31 Jul 2015 16:40:36 +0000
                • Craig FrancisSun, 02 Aug 2015 09:50:34 +0000
  • Scott ArciszewskiThu, 30 Jul 2015 13:43:06 +0000
    • Craig FrancisThu, 30 Jul 2015 15:20:28 +0000
      • Scott ArciszewskiThu, 30 Jul 2015 15:24:19 +0000
        • Craig FrancisThu, 30 Jul 2015 15:38:05 +0000
          • Joe WatkinsThu, 30 Jul 2015 16:02:33 +0000
            • Craig FrancisFri, 31 Jul 2015 10:40:37 +0000
              • Joe WatkinsFri, 31 Jul 2015 14:00:41 +0000
                • Craig FrancisFri, 31 Jul 2015 14:31:18 +0000
                • Matt TaitFri, 31 Jul 2015 14:47:41 +0000
    • Matt TaitFri, 31 Jul 2015 13:11:20 +0000
      • Craig FrancisFri, 31 Jul 2015 14:05:51 +0000
  • Lester CaineFri, 31 Jul 2015 14:11:14 +0000
  • Julien PauliWed, 05 Aug 2015 14:40:52 +0000
    • Anthony FerraraWed, 05 Aug 2015 15:27:01 +0000
      • Matt TaitWed, 05 Aug 2015 18:52:36 +0000
        • Anthony FerraraWed, 05 Aug 2015 20:53:14 +0000
          • Matt TaitThu, 06 Aug 2015 03:46:26 +0000
            • Dennis BirkholzThu, 06 Aug 2015 11:47:08 +0000
            • Anthony FerraraThu, 06 Aug 2015 21:34:26 +0000
              • Matt TaitThu, 06 Aug 2015 22:57:53 +0000
                • Craig FrancisMon, 10 Aug 2015 09:57:37 +0000
                  • Yasuo OhgakiTue, 11 Aug 2015 23:27:17 +0000
                    • Craig FrancisThu, 13 Aug 2015 11:00:41 +0000
                  • Christoph BeckerTue, 11 Aug 2015 23:43:32 +0000
                    • Craig FrancisThu, 13 Aug 2015 11:00:41 +0000
            • Yasuo OhgakiFri, 07 Aug 2015 01:29:12 +0000
              • Yasuo OhgakiFri, 07 Aug 2015 01:36:45 +0000
  • Yasuo OhgakiTue, 01 Sep 2015 02:58:08 +0000