Re: [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack

Date: Wed, 29 Jul 2015 01:26:57 +0000
Subject: Re: [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack
Groups: php.internals
Pierre Joye wrote on 28.07.2015 23:05:

> The
> On Jul 28, 2015 11:42 PM, "Christoph Becker" <[email protected]> wrote:
>>
>> Rowan Collins wrote:
>>
>> > On 28 July 2015 18:33:31 BST, Matt Tait <[email protected]> wrote:
>> >> Hi all,
>> >>
>> >> I've written an RFC (and PoC) about automatic detection and blocking of
>> >> SQL
>> >> injection vulnerabilities directly from inside PHP via automated taint
>> >> analysis.
>> >>
>> >> https://wiki.php.net/rfc/sql_injection_protection
>> >
>> > Have you searched the list archive and wiki for previous discussions
>> > and prototypes of variable tainting? The idea may well have some legs, but
>> > there might be some interesting points from previous discussions to note in
>> > your RFC.
>>
>> FWIW, there is the inactive "Taint support for PHP"[1] RFC.
>>
>> [1] <https://wiki.php.net/rfc/taint>
> 
> Which is what should be done (global tainted mode) and not only for SQL.
> 
> Unfiltered input can affect way more than only SQL. Environment, exec, etc
> are all potentially dangerous with unfiltered data.
> 
> I fear it is an almost impossible task and may give a wrong signal:
> everything is safe if tainted mode is enabled.
> 
> Cheers,
> Pierre
> 


I think it's better to support parameter substitution and escaping directly in the extensions
or the core functions:


Idea 1:

mixed mysqli_query_bind ( mysqli $link , string $query [, array $parameters [, int $resultmode = MYSQLI_STORE_RESULT ] ] )

e.g.

mysqli_query_bind($link, 'SELECT * FROM users WHERE usertype = ?', [$usertype]);

mysqli_query_bind($link, 'SELECT * FROM users WHERE id IN (?)', [[1,2,3]]);


Using mysqli_query_bind() means parameters are substituted in as (correctly) escaped strings and the
result is run with mysqli_query().


and similar:

exec_bind ( string $command [, array $parameters [, array &$output [, int &$return_var ] ] ] )

echo exec_bind('ls ?', [$someDir]);

Using exec_bind() means parameters are substituted in as (correctly) escaped strings and the result
is run with exec().


Those who want to secure their legacy code can use "disable_functions=mysqli_query,exec"
and change the occurrences of both functions to the new bind functions.

If people still use echo exec_bind('ls '.$someDir), static code analysis can find it,
similar to unsafe includes.

Regards
Thomas
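
Added example (not code from the thread or from PHP itself): a userland PHP sketch of the two bind helpers Thomas proposes, both built on one placeholder-substitution routine. The bind_placeholders helper, its escaping rules and the stand-in escaper used for the offline demonstration are assumptions; only the names mysqli_query_bind and exec_bind come from the message.

```php
<?php
// Added example: userland sketch of the proposed bind helpers.
// bind_placeholders() and the escaping rules are assumptions.

/**
 * Replace each '?' in $template with the escaped parameter; an array
 * parameter expands to a comma-separated list (for "... IN (?)").
 * Values are never re-scanned, so a '?' inside a value stays literal.
 */
function bind_placeholders(string $template, array $params, callable $escape): string
{
    $parts = explode('?', $template);
    $params = array_values($params);
    if (count($parts) - 1 !== count($params)) {
        throw new InvalidArgumentException(sprintf(
            'Template has %d placeholder(s) but %d parameter(s) were given',
            count($parts) - 1, count($params)));
    }
    $out = $parts[0];
    foreach ($params as $i => $value) {
        $escaped = is_array($value)
            ? implode(', ', array_map($escape, $value))
            : $escape($value);
        $out .= $escaped . $parts[$i + 1];
    }
    return $out;
}

function mysqli_query_bind(mysqli $link, string $query, array $params = [],
                           int $resultmode = MYSQLI_STORE_RESULT)
{
    // Strings are quoted and escaped with the connection's charset; ints are passed bare.
    $escape = fn($v) => is_int($v) ? (string) $v : "'" . mysqli_real_escape_string($link, (string) $v) . "'";
    return mysqli_query($link, bind_placeholders($query, $params, $escape), $resultmode);
}

function exec_bind(string $command, array $params = [], ?array &$output = null, ?int &$return_var = null)
{
    // escapeshellarg() wraps every value in single quotes, so shell metacharacters stay data.
    return exec(bind_placeholders($command, $params, 'escapeshellarg'), $output, $return_var);
}

// Offline demonstration with a constructed escaper standing in for mysqli (not a real SQL escaper).
$fakeEscape = fn($v) => is_int($v) ? (string) $v : "'" . addslashes((string) $v) . "'";
echo bind_placeholders('SELECT * FROM users WHERE usertype = ?', ["admin' OR '1'='1"], $fakeEscape), "\n";
echo bind_placeholders('SELECT * FROM users WHERE id IN (?)', [[1, 2, 3]], $fakeEscape), "\n";
echo bind_placeholders('ls ?', ['dir name; echo ?'], 'escapeshellarg'), "\n";
```

The last three lines show the substitution alone, so the script runs without a database; the quoted usertype value and the semicolon in the directory name come out as literal data rather than as additional SQL or shell commands.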

