Re: [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack

From:	Matt Tait	Date:	Thu, 06 Aug 2015 22:57:53 +0000
Subject:	Re: [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack
References:	1 2 3 4 5 6 7	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Thanks for the feedback Anthony,

This feature specifically addresses the points you raise; the feature allows parameterized queries
constructed with structural parts of the query inserted from configuration variables, so long as the
resulting query is a safe-const as defined by this RFC.

If you can come up with an example of a query that either (a) is vulnerable to a SQL injection
attack and this feature wrongly does not detect it as such or (b) a query that cannot be expressed
using parameterized queries where the parameter is a safe-const as defined by this RFC, I'd be
genuinely interested to take a look.

Hope that clarifies,
Matt

> On Aug 6, 2015, at 14:34, Anthony Ferrara <[email protected]> wrote:
> 
> Matt,
> 
>> You are of course welcome to disagree with the overwhelming body of security
>> advice that parameterized queries are the correct, secure way to prevent SQL
>> injection. In that case, you only need to not enable this feature. This
>> feature is off-by-default, and only attempts to help secure webapplications
>> and webdevelopers who do (or are required, for example by PCI compliance
>> standards) to adopt this security-best-practice to ensure that they do so
>> systematically across their entire website.
> 
> You seem to misunderstand me. I'm *not* saying that you shouldn't use
> parameterized queries. Nor that they are not one of the best tools
> available. I am simply pointing out that they are not a sure-fire
> one-stop solution. There is a lot more that goes into it than simply
> using prepare/bind. As indicated by the two cases I talked about
> (structural elements not being supported and implementation quirks) as
> well as others (DOS attacks from wildcards in malformed query
> parameters, type validation, etc). This is not to say that we should
> avoid PQ, but that we should recognize that it's not enough to just
> use one thing and forget about everything else.
> 
> Anthony
> 
> PS: w3schools is NOT w3c. And their content is probably the single
> largest source of security vulnerabilities for PHP, so citing them in
> a security discussion is more than a little ironic.


   

Thread (45 messages)

• Matt TaitTue, 28 Jul 2015 17:33:31 +0000
  • Rowan CollinsTue, 28 Jul 2015 20:12:27 +0000
    • Christoph BeckerTue, 28 Jul 2015 20:42:41 +0000
      • Pierre JoyeTue, 28 Jul 2015 21:05:49 +0000
        • Thomas BleyWed, 29 Jul 2015 01:26:57 +0000
  • Lester CaineWed, 29 Jul 2015 09:02:48 +0000
    • Craig FrancisWed, 29 Jul 2015 15:11:06 +0000
      • Lester CaineThu, 30 Jul 2015 07:24:59 +0000
        • Craig FrancisThu, 30 Jul 2015 09:14:49 +0000
          • Joe WatkinsThu, 30 Jul 2015 12:14:24 +0000
            • Craig FrancisThu, 30 Jul 2015 12:40:16 +0000
            • Xinchen HuiThu, 30 Jul 2015 12:47:58 +0000
              • Craig FrancisThu, 30 Jul 2015 15:20:12 +0000
          • Ronald ChmaraThu, 30 Jul 2015 15:26:37 +0000
            • Craig FrancisThu, 30 Jul 2015 15:38:04 +0000
              • Ronald ChmaraFri, 31 Jul 2015 16:40:36 +0000
                • Craig FrancisSun, 02 Aug 2015 09:50:34 +0000
  • Scott ArciszewskiThu, 30 Jul 2015 13:43:06 +0000
    • Craig FrancisThu, 30 Jul 2015 15:20:28 +0000
      • Scott ArciszewskiThu, 30 Jul 2015 15:24:19 +0000
        • Craig FrancisThu, 30 Jul 2015 15:38:05 +0000
          • Joe WatkinsThu, 30 Jul 2015 16:02:33 +0000
            • Craig FrancisFri, 31 Jul 2015 10:40:37 +0000
              • Joe WatkinsFri, 31 Jul 2015 14:00:41 +0000
                • Craig FrancisFri, 31 Jul 2015 14:31:18 +0000
                • Matt TaitFri, 31 Jul 2015 14:47:41 +0000
    • Matt TaitFri, 31 Jul 2015 13:11:20 +0000
      • Craig FrancisFri, 31 Jul 2015 14:05:51 +0000
  • Lester CaineFri, 31 Jul 2015 14:11:14 +0000
  • Julien PauliWed, 05 Aug 2015 14:40:52 +0000
    • Anthony FerraraWed, 05 Aug 2015 15:27:01 +0000
      • Matt TaitWed, 05 Aug 2015 18:52:36 +0000
        • Anthony FerraraWed, 05 Aug 2015 20:53:14 +0000
          • Matt TaitThu, 06 Aug 2015 03:46:26 +0000
            • Dennis BirkholzThu, 06 Aug 2015 11:47:08 +0000
            • Anthony FerraraThu, 06 Aug 2015 21:34:26 +0000
              • Matt TaitThu, 06 Aug 2015 22:57:53 +0000
                • Craig FrancisMon, 10 Aug 2015 09:57:37 +0000
                  • Yasuo OhgakiTue, 11 Aug 2015 23:27:17 +0000
                    • Craig FrancisThu, 13 Aug 2015 11:00:41 +0000
                  • Christoph BeckerTue, 11 Aug 2015 23:43:32 +0000
                    • Craig FrancisThu, 13 Aug 2015 11:00:41 +0000
            • Yasuo OhgakiFri, 07 Aug 2015 01:29:12 +0000
              • Yasuo OhgakiFri, 07 Aug 2015 01:36:45 +0000
  • Yasuo OhgakiTue, 01 Sep 2015 02:58:08 +0000