Pierre Joye wrote on 28.07.2015 23:05:

> The
> On Jul 28, 2015 11:42 PM, "Christoph Becker" <cmbecke...@gmx.de> wrote:
>>
>> Rowan Collins wrote:
>>
>> > On 28 July 2015 18:33:31 BST, Matt Tait <matt.t...@gmail.com> wrote:
>> >> Hi all,
>> >>
>> >> I've written an RFC (and PoC) about automatic detection and blocking of
>> >> SQL
>> >> injection vulnerabilities directly from inside PHP via automated taint
>> >> analysis.
>> >>
>> >> https://wiki.php.net/rfc/sql_injection_protection
>> >
>> > Have you searched the list archive and wiki for previous discussions
> and prototypes of variable tainting? The idea may well have some legs, but
> there might be some interesting points from previous discussions to note in
> your RFC.
>>
>> FWIW, there is the inactive "Taint support for PHP"[1] RFC.
>>
>> [1] <https://wiki.php.net/rfc/taint>
> 
> Which is what should be done (global tainted mode) and not only for SQL.
> 
> Unfiltered input can affect way more than only SQL. Environment, exec, etc
> are all potentially dangerous with unfiltered data.
> 
> I fear it is an almost impossible task and may give a wrong signal,
> everything is safe if tainted mode is enabled.
> 
> Cheers,
> Pierre
> 


I think it's better to support parameter substitution and escaping directly in 
the extensions or the core functions:


Idea 1:

mixed mysqli_query_bind ( mysqli $link , string $query [, array $parameters [, 
int $resultmode = MYSQLI_STORE_RESULT ] ] )

e.g.

mysqli_query_bind($link, 'SELECT * FROM users WHERE usertype = ?', [$usertype]);

mysqli_query_bind($link, 'SELECT * FROM users WHERE id IN (?)', [[1,2,3]]);


Using mysqli_query_bind() means parameters are substituted in as (correctly) 
escaped strings and the result is run with mysqli_query().


and similar:

exec_bind ( string $command [, array $parameters [, array &$output [, int 
&$return_var ] ] ] )

echo exec_bind('ls ?', [$someDir]);

Using exec_bind() means parameters are substituted in as (correctly) escaped 
strings and the result is run with exec().


Those who want to secure their legacy code can use 
"disable_functions=mysqli_query,exec" and change the occurrences of both 
functions to the new bind functions.

If people still use echo exec_bind('ls '.$someDir), static code analysis can 
find it, similar to unsafe includes.

Regards
Thomas

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
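Userland sketch of the placeholder substitution Thomas proposes above, written here as an added illustration; it is not code from the thread, from the RFC, or from PHP core, and the names bind_placeholders() and sql_quoter() are my own. It shows the parts a practitioner would want to see pinned down before such a function landed in an extension: a "?" inside a string literal must not be treated as a placeholder, an array parameter expands to a comma-separated list for the IN (?) case, ints and NULL stay bare while everything else is quoted, and the parameter count must match the placeholder count. The escaper is injected as a callable so the same walker serves both targets: for SQL wrap $link->real_escape_string() so escaping follows the connection charset; for commands pass escapeshellarg(). The stand-in $escape closure below exists only so the file runs without a database and is not a substitute for the connection-aware function.

```php
<?php
declare(strict_types=1);

// Walk $template, replacing each "?" that sits outside a quoted literal with the
// quoted/escaped parameter; an array parameter becomes "a, b, c" (the IN (?) case).
function bind_placeholders(string $template, array $params, callable $quote): string
{
    $out = '';
    $inQuote = null;              // quote char we are currently inside, or null
    $len = strlen($template);
    for ($i = 0; $i < $len; $i++) {
        $c = $template[$i];
        if ($inQuote !== null) {
            $out .= $c;
            if ($c === '\\' && $i + 1 < $len) {   // backslash-escaped char in the literal
                $out .= $template[++$i];
            } elseif ($c === $inQuote) {
                $inQuote = null;
            }
            continue;
        }
        if ($c === "'" || $c === '"') {
            $inQuote = $c;
            $out .= $c;
            continue;
        }
        if ($c !== '?') {
            $out .= $c;
            continue;
        }
        if (!$params) {
            throw new InvalidArgumentException('more placeholders than parameters');
        }
        $value = array_shift($params);
        $out .= is_array($value)
            ? implode(', ', array_map($quote, $value))
            : $quote($value);
    }
    if ($params) {
        throw new InvalidArgumentException('more parameters than placeholders');
    }
    return $out;
}

// SQL quoting on top of a string escaper: NULL and ints stay bare, bools become 0/1,
// everything else is escaped and wrapped in single quotes.
function sql_quoter(callable $escape): Closure
{
    return function ($v) use ($escape): string {
        if ($v === null)  return 'NULL';
        if (is_bool($v))  return $v ? '1' : '0';
        if (is_int($v))   return (string) $v;
        return "'" . $escape((string) $v) . "'";
    };
}

// Offline stand-in for the connection-aware escaper (assumption: covers only the
// ASCII cases). With a live connection use:
//   $escape = fn(string $s): string => $link->real_escape_string($s);
$escape = fn(string $s): string => strtr($s, [
    '\\' => '\\\\', "'" => "\\'", '"' => '\\"',
    "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z',
]);
$q = sql_quoter($escape);

// Constructed hostile inputs for the demonstration.
$usertype = "admin' OR '1'='1";
$someDir  = '/tmp; rm -rf /';

echo bind_placeholders('SELECT * FROM users WHERE usertype = ?', [$usertype], $q), "\n";
echo bind_placeholders('SELECT * FROM users WHERE id IN (?)', [[1, 2, 3]], $q), "\n";
echo bind_placeholders("SELECT * FROM faq WHERE title = 'why?' AND lang = ?", ['en'], $q), "\n";
echo bind_placeholders('ls ?', [$someDir], 'escapeshellarg'), "\n";
```

Running it shows the quote in $usertype escaped inside a single-quoted literal, the id list expanded to three bare integers, the "?" in 'why?' left alone with only the trailing placeholder bound, and the directory argument wrapped by escapeshellarg() so the whole string reaches ls as one argv entry. Two caveats the proposal itself does not settle: escape-and-interpolate only holds if the escaper knows the connection charset (set via mysqli_set_charset(), not SET NAMES), whereas a real prepared statement (mysqli_prepare() or PDO) never lets the data reach the SQL parser at all; and exec_bind() quoting a value does nothing about what the invoked program does with it, so "ls ?" is safe against command injection but still runs ls on whatever path the user named.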
