On 29 Jul 2015, at 10:02, Lester Caine <[email protected]> wrote:
> The problem is removing all of the poor quality on-line guides and
> replacing them with ones which provide a much better working model.
> Trying to get PHP to pick up a few edge cases is a poor use of time.
I completely disagree... prepared statements are just as vulnerable, and so are ORMs.
You can push developers towards these solutions, and that would be good, but you are completely
blind if you think an uneducated developer won't do:
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=" . $_GET['name'])) {
    // $_GET['name'] is already part of the SQL text by the time prepare() runs,
    // so the "prepared" statement is still injectable
}
And that's using a slightly edited example from:
http://php.net/manual/en/mysqli.prepare.php
It's a shame that the solution Wietse suggested in 2008 is incomplete, and does not seem to
be going anywhere (I'm also tempted to say the implementation is slightly the wrong way around,
but the theory is there).
Likewise the PECL extension from 2013.
http://pecl.php.net/package/taint
Matt, I realise I'm not a C programmer, and probably won't be able to help there, but if
there is anything I can do, please let me know.
If you want to compare notes, my suggestion is at:
http://news.php.net/php.internals/87207
Craig
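The point Craig makes above, that prepare() gives no protection once user input has already been concatenated into the SQL text, as an added, runnable example that is not code from the thread, from the PHP manual, or from Matt's PoC. It assumes PDO with the SQLite driver (an in-memory database, so it runs offline; the mechanics are the same for mysqli against MySQL), a constructed two-row City table, and a constructed attacker value for the name parameter:

```php
<?php
// Added example, not code from the original thread. Uses PDO + in-memory
// SQLite (assumption) so it runs without a MySQL server.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data, modelled on the City table used in the manual's example.
$db->exec('CREATE TABLE City (Name TEXT, District TEXT)');
$db->exec("INSERT INTO City VALUES ('Amersfoort', 'Utrecht'), ('Zwolle', 'Overijssel')");

// Constructed attacker input: closes the string literal and widens the WHERE clause.
$name = "'x' OR '1'='1";

// 1. The pattern from the mail: prepare() is called, but the user's input is
//    already part of the SQL text, so the parser cannot tell code from data.
function districts_concatenated(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT District FROM City WHERE Name=" . $name);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 2. The same query with a placeholder: the SQL text is fixed before any input
//    is seen, and the input travels as a parameter value that can only ever be
//    compared against Name as a literal string.
function districts_parameterized(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT District FROM City WHERE Name=?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(districts_concatenated($db, $name));
var_dump(districts_parameterized($db, $name));
```

Run with `php example.php`: the concatenated version returns both districts, because the text the driver receives is `SELECT District FROM City WHERE Name='x' OR '1'='1`; the parameterized version returns an empty array, because no city is literally named `'x' OR '1'='1`. The mysqli equivalent of the second function is the manual's own form, `prepare("SELECT District FROM City WHERE Name=?")` followed by `bind_param("s", $city)`. This is exactly the case a taint check on the query string would catch: the first function hands prepare() a string derived from request input, the second hands it a constant.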
On 29 Jul 2015, at 10:02, Lester Caine <[email protected]> wrote:
> On 28/07/15 18:33, Matt Tait wrote:
>> What do you all think? There's obviously a bit more work to do; the PoC
>> currently only covers mysqli_query, but I thought this stage is an
>> interesting point to throw it open to comments before working to complete
>> it.
>
> If you want a safe and stable system ... don't use mysql ...
> The problem is removing all of the poor quality on-line guides and
> replacing them with ones which provide a much better working model.
> Trying to get PHP to pick up a few edge cases is a poor use of time.
>
> --
> Lester Caine - G8HFL
> -----------------------------
> Contact - http://lsces.co.uk/wiki/?page=contact
> L.S.Caine Electronic Services - http://lsces.co.uk
> EnquirySolve - http://enquirysolve.com/
> Model Engineers Digital Workshop - http://medw.co.uk
> Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
>