On 29 Jul 2015, at 10:02, Lester Caine <les...@lsces.co.uk> wrote:

> The problem is removing all of the poor quality on-line guides and
> replacing them with ones which provide a much better working model.
> Trying to get PHP to pick up a few edge cases is a poor use of time.

I completely disagree... prepared statements are just as vulnerable, and so are 
ORMs.

You can push developers towards these solutions, and that would be good, but 
you are completely blind if you think an uneducated developer won't do:

        // user input concatenated straight into the SQL text before prepare() sees it
        if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=" . $_GET['name'])) {
        }

And that's using a slightly edited example from:

        http://php.net/manual/en/mysqli.prepare.php

It's a shame that the solution Wietse suggested in 2008 is incomplete and 
does not seem to be going anywhere (I'm also tempted to say the implementation 
is slightly the wrong way around, but the theory is there).

Likewise the PECL extension from 2013.

        http://pecl.php.net/package/taint

Matt, I realise I'm not a C programmer, and probably won't be able to help 
there, but if there is anything I can do, please let me know.

If you want to compare notes, my suggestion is at: 

        http://news.php.net/php.internals/87207

Craig
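As an added example (not code from this thread or from Matt's PoC), here is the pattern Craig warns about next to the form that actually protects the query. It assumes a MySQL server holding the php.net manual's "world" sample database (table City with columns Name and District) and the placeholder credentials shown:

```php
<?php
// Added example, not code from the thread. Assumes a MySQL server holding the
// php.net manual's "world" sample database (City table with Name and District)
// and the placeholder credentials below.
$mysqli = new mysqli('localhost', 'user', 'password', 'world');
if ($mysqli->connect_errno) {
    die('Connect failed: ' . $mysqli->connect_error);
}

// Runs a prepared SELECT expected to return one string column and returns it,
// or null when no row matched.
function fetchOne(mysqli_stmt $stmt): ?string
{
    $stmt->execute();
    $stmt->bind_result($value);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $value : null;
}

// The pattern from the thread: prepare() is called, but $name has already been
// spliced into the SQL text, so the server parses it as SQL. A quote character
// in $name ends the string literal and whatever follows becomes part of the
// statement. Calling prepare() adds nothing here.
function lookupDistrictUnsafe(mysqli $db, string $name): ?string
{
    $stmt = $db->prepare("SELECT District FROM City WHERE Name='" . $name . "'");
    return $stmt === false ? null : fetchOne($stmt);
}

// The form that actually protects the query: the SQL text is a constant and the
// value travels separately through bind_param(), so it is only ever treated as
// data and cannot change the statement's structure.
function lookupDistrictSafe(mysqli $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT District FROM City WHERE Name = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $name);
    return fetchOne($stmt);
}

// Untrusted request input; the constructed default lets the script run without one.
$name = $_GET['name'] ?? 'Amersfoort';
printf("%s is in %s\n", $name, lookupDistrictSafe($mysqli, $name) ?? 'unknown');
```

Both functions produce identical results for ordinary city names; the difference only shows when the input contains SQL syntax, which is exactly the case a taint check in the engine would have to catch.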
On 29 Jul 2015, at 10:02, Lester Caine <les...@lsces.co.uk> wrote:

> On 28/07/15 18:33, Matt Tait wrote:
>> What do you all think? There's obviously a bit more work to do; the PoC
>> currently only covers mysqli_query, but I thought this stage is an
>> interesting point to throw it open to comments before working to complete
>> it.
> 
> If you want a safe and stable system ... don't use mysql ...
> The problem is removing all of the poor quality on-line guides and
> replacing them with ones which provide a much better working model.
> Trying to get PHP to pick up a few edge cases is a poor use of time.
> 
> -- 
> Lester Caine - G8HFL


--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php