Re: [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack

From:	Christoph Becker	Date:	Tue, 11 Aug 2015 23:43:32 +0000
Subject:	Re: [RFC] Block requests to builtin SQL functions where PHP can prove the call is vulnerable to a potential SQL-injection attack
References:	1 2 3 4 5 6 7 8 9	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

On 10.08.2015 at 11:57, Craig Francis wrote:

> You only have to skim read things like the second comment (with 27 up votes) on the PDO prepare
> page to see that these problems are happening all the time:
> 
> 
> 	http://php.net/manual/en/pdo.prepare.php#111458
> 	SELECT * FROM users WHERE $search=:email

"Skim reading" things might be the problem (here).  The user contributed
note states:

| In my case I allow the user to enter their username or email,
| determine which they've entered and set $search to "username" or
| "email". As this value is not entered by the user there is no
| potential for SQL injection and thus safe to use as I have done.

So to me that note looks pretty fine.

-- 
Christoph M. Becker


   

Thread (45 messages)

• Matt TaitTue, 28 Jul 2015 17:33:31 +0000
  • Rowan CollinsTue, 28 Jul 2015 20:12:27 +0000
    • Christoph BeckerTue, 28 Jul 2015 20:42:41 +0000
      • Pierre JoyeTue, 28 Jul 2015 21:05:49 +0000
        • Thomas BleyWed, 29 Jul 2015 01:26:57 +0000
  • Lester CaineWed, 29 Jul 2015 09:02:48 +0000
    • Craig FrancisWed, 29 Jul 2015 15:11:06 +0000
      • Lester CaineThu, 30 Jul 2015 07:24:59 +0000
        • Craig FrancisThu, 30 Jul 2015 09:14:49 +0000
          • Joe WatkinsThu, 30 Jul 2015 12:14:24 +0000
            • Craig FrancisThu, 30 Jul 2015 12:40:16 +0000
            • Xinchen HuiThu, 30 Jul 2015 12:47:58 +0000
              • Craig FrancisThu, 30 Jul 2015 15:20:12 +0000
          • Ronald ChmaraThu, 30 Jul 2015 15:26:37 +0000
            • Craig FrancisThu, 30 Jul 2015 15:38:04 +0000
              • Ronald ChmaraFri, 31 Jul 2015 16:40:36 +0000
                • Craig FrancisSun, 02 Aug 2015 09:50:34 +0000
  • Scott ArciszewskiThu, 30 Jul 2015 13:43:06 +0000
    • Craig FrancisThu, 30 Jul 2015 15:20:28 +0000
      • Scott ArciszewskiThu, 30 Jul 2015 15:24:19 +0000
        • Craig FrancisThu, 30 Jul 2015 15:38:05 +0000
          • Joe WatkinsThu, 30 Jul 2015 16:02:33 +0000
            • Craig FrancisFri, 31 Jul 2015 10:40:37 +0000
              • Joe WatkinsFri, 31 Jul 2015 14:00:41 +0000
                • Craig FrancisFri, 31 Jul 2015 14:31:18 +0000
                • Matt TaitFri, 31 Jul 2015 14:47:41 +0000
    • Matt TaitFri, 31 Jul 2015 13:11:20 +0000
      • Craig FrancisFri, 31 Jul 2015 14:05:51 +0000
  • Lester CaineFri, 31 Jul 2015 14:11:14 +0000
  • Julien PauliWed, 05 Aug 2015 14:40:52 +0000
    • Anthony FerraraWed, 05 Aug 2015 15:27:01 +0000
      • Matt TaitWed, 05 Aug 2015 18:52:36 +0000
        • Anthony FerraraWed, 05 Aug 2015 20:53:14 +0000
          • Matt TaitThu, 06 Aug 2015 03:46:26 +0000
            • Dennis BirkholzThu, 06 Aug 2015 11:47:08 +0000
            • Anthony FerraraThu, 06 Aug 2015 21:34:26 +0000
              • Matt TaitThu, 06 Aug 2015 22:57:53 +0000
                • Craig FrancisMon, 10 Aug 2015 09:57:37 +0000
                  • Yasuo OhgakiTue, 11 Aug 2015 23:27:17 +0000
                    • Craig FrancisThu, 13 Aug 2015 11:00:41 +0000
                  • Christoph BeckerTue, 11 Aug 2015 23:43:32 +0000
                    • Craig FrancisThu, 13 Aug 2015 11:00:41 +0000
            • Yasuo OhgakiFri, 07 Aug 2015 01:29:12 +0000
              • Yasuo OhgakiFri, 07 Aug 2015 01:36:45 +0000
  • Yasuo OhgakiTue, 01 Sep 2015 02:58:08 +0000