Related to the general topic of injection attacks, I was considering submitting a PR to change the default of PDO::ATTR_EMULUATE_PREPARES to FALSE, since this mistakenly can lead people to believe that using prepared statements with PDO and MySQL protects against injection attacks. In fact, this is only the case if they create the PDO object with the option specified as false. I'm not aware however to reasoning for enabling prepare emulation by default for MySQL. I would assume it's a performance choice, but how long ago was this choice made and is it worth revisiting? Would this be something that requires its own RFC? It's a single line change.
Jordan On Sat, Jul 17, 2021 at 9:48 AM Craig Francis <cr...@craigfrancis.co.uk> wrote: > On Sat, 17 Jul 2021 at 4:05 pm, Marco Pivetta <ocram...@gmail.com> wrote: > > > my belief is that this is not a runtime problem, but rather a type-level > > issue with tainted/untainted input/output. > > > > > Thank you for the feedback Marco, > > As you appreciate, I don’t believe we can get every PHP developer to use > Static Analysis. It’s an extra step that developers with less time, energy, > or care, will not setup and use. > > Putting something in the base language, means that libraries can just use > it, and people using the sites/systems of rushed or lazier developers will > have these checks helping keep their data secure. Data breeches can have > life-changing consequences for people, Injection Vulnerabilities are one of > the biggest causes of them, and since we have the ability for libraries to > warn all developers about these mistake, we should. > > At the moment our house can catch on fire and we don’t even have a smoke > alarm. This is the smoke alarm. And there are reasons why it’s builders and > landlords that have to install them, and we don’t rely on the tenants going > and sorting them out themselves. Because if they don’t, for the best or the > worse reasons, either way there are severe consequences to everybody. > > In regards to Taint Checking, it has a significant problem as it creates a > false sense of security, hence these examples in the RFC: > > $sql = 'SELECT * FROM users WHERE id = ' . $db->real_escape_string($id); // > INSECURE > > $html = "<img src=" . htmlentities($url) . " alt='' />"; // INSECURE > > $html = "<a href='" . htmlentities($url) . "'>..."; // INSECURE > > Fortunately Psalm has just implemented the is_literal() concept, so those > developers who do use Psalm can protect themselves from these issues: > > https://github.com/vimeo/psalm/releases/tag/4.8.0 > > > > In addition to that, a mechanism to un-taint values is missing, > > > > > That’s the main flaw with Taint Checking, because it’s not possible to mark > something as safe without knowing about the context. As in, developers use > an escaping function (to mark as untainted), think the value is now “safe”, > and incorrectly use that value in a way that causes a security > vulnerability. > > is_literal() simplifies this problem considerably, by just identifying > developer defined strings, and instead using libraries to handle user > values. > > Craig >
