Edit report at https://bugs.php.net/bug.php?id=61708&edit=1

 ID:                 61708
 Updated by:         s...@php.net
 Reported by:        forphponly at hostultra dot com
 Summary:            Untrusted input variables tagging to detect and
                     prevent SQL injection
-Status:             Open
+Status:             Not a bug
 Type:               Feature/Change Request
 Package:            MySQL related
 PHP Version:        Irrelevant
 Block user comment: N
 Private report:     N

 New Comment:

See https://wiki.php.net/rfc/taint and http://pecl.php.net/package/taint


Previous Comments:
------------------------------------------------------------------------
[2012-04-13 01:52:27] forphponly at hostultra dot com

Description:
------------
I propose that PHP tag bytes in variables that come from untrusted sources such 
as user input (e.g. $_GET $_POST $_COOKIE $_REQUEST etc.) or read from the 
database.
For each php variable, there would be a piece of metadata that defines the byte 
ranges in that variable containing bytes from untrusted sources.
This metadata would be updated whenever any php code or function changed the 
contents of a variable.
This is a very simple concept in theory, but I am not sure how difficult it 
would be to implement in php.

The mysql functions such as mysql_query() can then use the metadata to 
differentiate between bytes that come from untrusted sources from the part of 
the query that the programmer wrote.
e.g. in my test script below, mysql_query() would know that the $username and 
$password parts in the $query variable are untrusted and must be escaped.

The php mysql functions can then alter the query to automatically add escaping 
before passing it on to mysql database thus making all SQL injection exploits 
obsolete without needing to rewrite any php code.

This would work similar to magic quotes, without the problem of double escaping 
or display errors when the variables are displayed on a webpage instead of used 
in a database.

A color diagram should make my idea more clear.
http://img690.imageshack.us/img690/3313/mysqlinjection.png

Test script:
---------------
<?php
// username and password variables vulnerable to SQL injection
// Example exploit http://server/test.php?username=john&password=' OR 1=1 --

$username = $_GET['username'];
$password = $_GET['password'];

// untrusted values are interpolated into the query text without any escaping
$query = "SELECT * FROM `users` WHERE `username` = '$username' AND `password` = '$password' ";
$result = mysql_query($query);

?>

Expected result:
----------------
mysql_query() would change the query to
SELECT * FROM `users` WHERE `username` = 'john' AND `password` = '\' OR 1=1 --' 

Actual result:
--------------
The query that gets executed
SELECT * FROM `users` WHERE `username` = 'john' AND `password` = '' OR 1=1 --' 


------------------------------------------------------------------------