Re: [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack

From: Yasuo Ohgaki Date: Fri, 07 Aug 2015 01:36:45 +0000

Subject: Re: [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack

References: 1 2 3 4 5 6 7 Groups: php.internals

Request: Send a blank email to [email protected] to get a copy of this message

On Fri, Aug 7, 2015 at 10:29 AM, Yasuo Ohgaki <[email protected]> wrote:

> Even if there is identifier  placeholder, SQL keyword remains.
> So to be perfect, you'll need another place holder for SQL keywords.
> There is no escaping for SQL keywords and it has to be validation.
> e.g. ORDER BY {$_GET['order']}
>

Oops the last line should be
e.g. ORDER BY col {$_GET['order']}

BTW, instead of improving PHP, users are better to request "identifier
escape API"
to DB developers like PQescapeIdentifier() in PostgreSQL's client library.
IMO.

Regards,

--
Yasuo Ohgaki
[email protected]

Thread (45 messages)

Matt TaitTue, 28 Jul 2015 17:33:31 +0000
Rowan CollinsTue, 28 Jul 2015 20:12:27 +0000
Christoph BeckerTue, 28 Jul 2015 20:42:41 +0000
Pierre JoyeTue, 28 Jul 2015 21:05:49 +0000
Thomas BleyWed, 29 Jul 2015 01:26:57 +0000
Lester CaineWed, 29 Jul 2015 09:02:48 +0000
Craig FrancisWed, 29 Jul 2015 15:11:06 +0000
Lester CaineThu, 30 Jul 2015 07:24:59 +0000
Craig FrancisThu, 30 Jul 2015 09:14:49 +0000
Joe WatkinsThu, 30 Jul 2015 12:14:24 +0000
Craig FrancisThu, 30 Jul 2015 12:40:16 +0000
Xinchen HuiThu, 30 Jul 2015 12:47:58 +0000
Craig FrancisThu, 30 Jul 2015 15:20:12 +0000
Ronald ChmaraThu, 30 Jul 2015 15:26:37 +0000
Craig FrancisThu, 30 Jul 2015 15:38:04 +0000
Ronald ChmaraFri, 31 Jul 2015 16:40:36 +0000
Craig FrancisSun, 02 Aug 2015 09:50:34 +0000
Scott ArciszewskiThu, 30 Jul 2015 13:43:06 +0000
Craig FrancisThu, 30 Jul 2015 15:20:28 +0000
Scott ArciszewskiThu, 30 Jul 2015 15:24:19 +0000
Craig FrancisThu, 30 Jul 2015 15:38:05 +0000
Joe WatkinsThu, 30 Jul 2015 16:02:33 +0000
Craig FrancisFri, 31 Jul 2015 10:40:37 +0000
Joe WatkinsFri, 31 Jul 2015 14:00:41 +0000
Craig FrancisFri, 31 Jul 2015 14:31:18 +0000
Matt TaitFri, 31 Jul 2015 14:47:41 +0000
Matt TaitFri, 31 Jul 2015 13:11:20 +0000
Craig FrancisFri, 31 Jul 2015 14:05:51 +0000
Lester CaineFri, 31 Jul 2015 14:11:14 +0000
Julien PauliWed, 05 Aug 2015 14:40:52 +0000
Anthony FerraraWed, 05 Aug 2015 15:27:01 +0000
Matt TaitWed, 05 Aug 2015 18:52:36 +0000
Anthony FerraraWed, 05 Aug 2015 20:53:14 +0000
Matt TaitThu, 06 Aug 2015 03:46:26 +0000
Dennis BirkholzThu, 06 Aug 2015 11:47:08 +0000
Anthony FerraraThu, 06 Aug 2015 21:34:26 +0000
Matt TaitThu, 06 Aug 2015 22:57:53 +0000
Craig FrancisMon, 10 Aug 2015 09:57:37 +0000
Yasuo OhgakiTue, 11 Aug 2015 23:27:17 +0000
Craig FrancisThu, 13 Aug 2015 11:00:41 +0000
Christoph BeckerTue, 11 Aug 2015 23:43:32 +0000
Craig FrancisThu, 13 Aug 2015 11:00:41 +0000
Yasuo OhgakiFri, 07 Aug 2015 01:29:12 +0000
Yasuo OhgakiFri, 07 Aug 2015 01:36:45 +0000
Yasuo OhgakiTue, 01 Sep 2015 02:58:08 +0000

« previous	php.internals (#87674)	next »

From:	Yasuo Ohgaki	Date:	Fri, 07 Aug 2015 01:36:45 +0000
Subject:	Re: [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack
References:	1 2 3 4 5 6 7	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message