
Add a function to check if a variable is made from string constants #54

Open
craigfrancis opened this issue Apr 17, 2017 · 0 comments

@craigfrancis
Contributor

Having tried the taint extension for a while, I find that it does a good job at identifying most issues, while only requiring minor tweaks to my code to avoid warnings.

However there are a few exceptions which can't be covered with the current implementation, for example mysqli_real_escape_string() without quote marks (see pg_escape_literal for comparison), or using preg_replace to sanitise a string.

So taking the idea from Matt Tait - https://wiki.php.net/rfc/sql_injection_protection

Would it be possible to keep the current implementation, but add a second flag that tracks if a variable has only been built from T_STRING constants?

Then add a new function that allows the programmer to check the variable is made from string constants, maybe with a function named is_string_constant, or is_static, etc.

This means the following could be possible to check for SQLi:

<?php

	// Proposed API: is_string_constant() does not exist yet; it is the
	// check this issue asks the taint extension to provide.
	class db {
		function fetch_row($sql, $parameters) {
			if (!is_string_constant($sql)) {
				throw new Exception('Not a static string.');
			}
			// ... prepare $sql and bind $parameters here
		}
		// ...
	}

?>
<?php

	// Assumes the db class above is loaded; $db and $unsafe_var were
	// left implicit in the original and are filled in here.
	$db = new db();
	$unsafe_var = ($_GET['q'] ?? '');

	define('SQL_TABLE_PREFIX', 'abc_');

	// Both branches assign a literal, so $sql_order stays "constant".
	if (($_GET['order'] ?? '') == 'desc') {
		$sql_order = 'DESC';
	} else {
		$sql_order = 'ASC';
	}

	// Built only from literals, a define()d constant and $sql_order.
	$sql = 'SELECT
			*
		FROM
			' . SQL_TABLE_PREFIX . 'table
		WHERE
			field = ?
		ORDER BY
			field ' . $sql_order;

	// User data reaches the query through parameters only.
	$parameters = array();
	$parameters[] = array('s', $unsafe_var);

	if ($row = $db->fetch_row($sql, $parameters)) {
		// It works :-)
	}

?>

And likewise, a framework could provide a wrapper to exec/shell_exec/system/passthru which supports a form of parameterized command, while checking that the command itself is made from string constants.
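To make the proposed flag concrete, the following is an added userland model of it, written for this page; it is not code from the taint extension or from the issue author. The engine-level flag the issue asks for would be set automatically on every string literal and preserved through concatenation of flagged values. Here that is simulated with an assumed StaticString value object whose literal() constructor must be called explicitly at each constant site, an assumed is_string_constant_model() helper standing in for the proposed is_string_constant(), and a constructed $get array in place of $_GET so the script runs offline. It needs PHP 8.0 or later for the constructor-promotion and union-type syntax.

```php
<?php
// Added example (not from the taint extension or the issue author): a userland
// model of the proposed "built only from string constants" flag. The real
// proposal tracks this inside the engine; here every literal must be wrapped
// explicitly, which is exactly the work the engine flag would remove.

final class StaticString
{
    private function __construct(private string $value, private bool $constant) {}

    // Mark a literal as constant. Only call this with a string literal or a
    // define()d constant; the model trusts the caller here.
    public static function literal(string $s): self
    {
        return new self($s, true);
    }

    // Wrap a runtime value (request data, escaped or not); it is never constant.
    public static function dynamic(string $s): self
    {
        return new self($s, false);
    }

    // Concatenation keeps the flag only if every part is constant.
    public function append(self|string $part): self
    {
        $other = $part instanceof self ? $part : self::dynamic($part);
        return new self($this->value . $other->value, $this->constant && $other->constant);
    }

    public function isConstant(): bool { return $this->constant; }
    public function __toString(): string { return $this->value; }
}

// Stand-in for the proposed is_string_constant() (assumed name, from the issue).
function is_string_constant_model(StaticString $s): bool
{
    return $s->isConstant();
}

class db
{
    public function fetch_row(StaticString $sql, array $parameters): void
    {
        if (!is_string_constant_model($sql)) {
            throw new Exception('Not a static string.');
        }
        // A real implementation would prepare $sql and bind $parameters here.
    }
}

define('SQL_TABLE_PREFIX', 'abc_');
$db = new db();

// Constructed request data standing in for $_GET (so the example runs offline).
$get = ['order' => 'desc', 'q' => "x' OR '1'='1"];

// Choosing between two literals keeps the result constant, as in the issue.
$sql_order = ($get['order'] == 'desc') ? StaticString::literal('DESC') : StaticString::literal('ASC');

$sql = StaticString::literal('SELECT * FROM ' . SQL_TABLE_PREFIX . 'table WHERE field = ? ORDER BY field ')
    ->append($sql_order);

$db->fetch_row($sql, [['s', $get['q']]]);   // accepted: user data is only in the parameters
echo "constant query accepted\n";

// Escaping does not make user input constant: this is the mysqli_real_escape_string()
// / preg_replace case the issue mentions, and the model rejects it.
$escaped = addslashes($get['order']);
$bad = StaticString::literal('SELECT * FROM t ORDER BY ')->append($escaped);
try {
    $db->fetch_row($bad, []);
} catch (Exception $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The second query is rejected even though its user-supplied part was escaped, which is the point of a constant-origin flag as opposed to a taint flag: escaping can clear taint, but nothing a program does to a runtime value at runtime can turn it into a compile-time literal.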
