Having tried the taint extension for a while, I find that it does a good job at identifying most issues, while only requiring minor tweaks to my code to avoid warnings.
However there are a few exceptions which can't be covered with the current implementation, for example mysqli_real_escape_string() without quote marks (see pg_escape_literal for comparison), or using preg_replace to sanitise a string.
Would it be possible to keep the current implementation, but add a second flag that tracks if a variable has only been built from T_STRING constants?
Then add a new function that allows the programmer to check the variable is made from string constants, maybe with a function named is_string_constant, or is_static, etc.
This means the following could be possible to check for SQLi:
<?php
class db {
function fetch_row($sql, $parameters) {
if (!is_string_constant($sql)) {
throw new Exception('Not a static string.');
}
// ...
}
// ...
}
?>
<?php
define('SQL_TABLE_PREFIX', 'abc_');
if ($_GET['order'] == 'desc') {
$sql_order = 'DESC';
} else {
$sql_order = 'ASC';
}
$sql = 'SELECT
*
FROM
' . SQL_TABLE_PREFIX . 'table
WHERE
field = ?
ORDER BY
field ' . $sql_order;
$parameters = array();
$parameters[] = array('s', $unsafe_var);
if ($row = $db->fetch_row($sql, $parameters)) {
// It works :-)
}
?>
And likewise, a framework could provide a wrapper to exec/shell_exec/system/passthru which supports a form of parameterized command, while checking that the command itself if made from string constants.
Having tried the taint extension for a while, I find that it does a good job at identifying most issues, while only requiring minor tweaks to my code to avoid warnings.
However there are a few exceptions which can't be covered with the current implementation, for example
mysqli_real_escape_string()
without quote marks (see pg_escape_literal for comparison), or using preg_replace to sanitise a string.So taking the idea from Matt Tait - https://wiki.php.net/rfc/sql_injection_protection
Would it be possible to keep the current implementation, but add a second flag that tracks if a variable has only been built from
T_STRING
constants?Then add a new function that allows the programmer to check the variable is made from string constants, maybe with a function named
is_string_constant
, oris_static
, etc.This means the following could be possible to check for SQLi:
And likewise, a framework could provide a wrapper to exec/shell_exec/system/passthru which supports a form of parameterized command, while checking that the command itself if made from string constants.