Stefan Esser:
> Wietse Venema schrieb:
> > Stefan Esser:
> >   
> >> 2) Using mysql_real_escape_string() on user input does not make it safe
> >> for SQL. It only makes SQL strings safe.
> >> Example: "SELECT * FROM table WHERE id=".mysql_real_escape_string($id)  
> >> is NOT secure but will result in no taint warning
> >>     
> >
> > Can you give a specific example? I'd like to know how likely such
> > things would be in real code.
> >   
> I have to search for an example where mysql_real_escape_string is used
> wrongly like this....
> 
> However the "bigger" problem is that if the statement is like
> 
> "SELECT * FROM table WHERE id=$id"
> 
> which *IS* quite common in insecure code your patch will give the
> following warning: "contains data that is not converted with
> mysql_real_escape_string()"
> 
> This gives the message to the uneducated user (and that is the one you
> want to protect) to write something like this in his code.
> 
> "SELECT * FROM table WHERE id=".mysql_real_escape_string($id)
> 
> The PHP taint mode will stop crying and that teaches the developer the
> WRONG message.

I can certainly update the warning message, with a reminder to put
query arguments inside quotes. The idea is to help the programmer
do the right thing. It is currently not possible for a programming
language implementation to guarantee that the programmer won't make
mistakes.

Some mistakes (like the one that requires execution in the browser)
can be found by emulating the browser, and some mistakes can be
found by emulating the user. I'll try to report the mistakes today
that I can report today.

        Wietse

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
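The unquoted-versus-quoted distinction discussed in the thread, as an added example that is not part of the original messages. It is Python, with SQLite standing in for MySQL and a pure-Python stand-in for the escaping mysql_real_escape_string() performs (both are assumptions); the sample table and the input are constructed.

```python
import sqlite3

# Pure-Python stand-in for the escaping mysql_real_escape_string() performs
# (assumption: single-byte charset; multibyte issues are out of scope). It
# lets the example run offline without a MySQL connection.
def mysql_escape(value: str) -> str:
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)

def _db() -> sqlite3.Connection:
    # Constructed sample table; SQLite stands in for MySQL (assumption).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO t VALUES (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "carol")])
    return con

def rows_unquoted(user_id: str) -> int:
    """The pattern from the thread: escaped but NOT quoted."""
    sql = "SELECT * FROM t WHERE id=" + mysql_escape(user_id)
    return len(_db().execute(sql).fetchall())

def rows_quoted(user_id: str) -> int:
    """Escaped AND quoted: the escaping now protects a string literal."""
    sql = "SELECT * FROM t WHERE id='" + mysql_escape(user_id) + "'"
    return len(_db().execute(sql).fetchall())

def rows_param(user_id: str) -> int:
    """Bound parameter: the value never becomes part of the SQL text."""
    sql = "SELECT * FROM t WHERE id=?"
    return len(_db().execute(sql, (user_id,)).fetchall())

def inside_quotes(sql_prefix: str) -> bool:
    """True if appending to sql_prefix lands inside a '...' literal: the
    extra condition a taint warning should check before staying silent."""
    inside, i = False, 0
    while i < len(sql_prefix):
        ch = sql_prefix[i]
        if inside and ch == "\\":
            i += 2            # skip the escaped character
            continue
        if ch == "'":
            inside = not inside
        i += 1
    return inside
```

With the constructed input "1 OR 1=1" the escaping is a no-op, so the unquoted form returns every row while the quoted and parameterised forms return none; the integer case is best handled by casting to int before the value reaches the query at all.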
