On Thu, Aug 15, 2019 at 8:03 PM Craig Francis <cr...@craigfrancis.co.uk> wrote:
> Hi, > > How likely would it be for PHP to do Literal tracking of variables? > > This is something that's being discussed JavaScript TC39 at the moment [1], > and I think it would be even more useful in PHP. > > We already know we should use parameterized/prepared SQL, but there is no > way to prove the SQL string hasn't been tainted by external data in large > projects, or even in an ORM. > > This could also work for templating systems (blocking HTML injection) and > commands. > > Internally it would need to introduce a flag on every variable, and a > single function to check if a given variable has only been created by > Literal(s). > > Unlike the taint extension, there should be no way to override this (e.g. > no taint/untaint functions); and if it was part of the core language, it > will continue to work after every update. > > One day certain functions (e.g. mysqli_query) might use this information to > generate a error/warning/notice; but for now, having it available for > checking would be more than enough. > > Craig > > It is an interesting topic indeed! I remember that laruence wrote an extension for this a while ago, I have never tried it myself though. You can find it here: https://github.com/laruence/taint > > public function exec($sql, $parameters = []) { > if (!*is_literal*($sql)) { > throw new Exception('SQL must be a literal.'); > } > $statement = $this->pdo->prepare($sql); > $statement->execute($parameters); > return $statement->fetchAll(); > } > > ... > > $sql = 'SELECT * FROM table WHERE id = ?'; > > $result = $db->exec($sql, [$id]); > > > > [1] https://github.com/tc39/proposal-array-is-template-object > https://github.com/mikewest/tc39-proposal-literals >