rfc:sql_injection_protection

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Last revisionBoth sides next revision
rfc:sql_injection_protection [2015/07/28 16:43] matttaitrfc:sql_injection_protection [2015/07/28 18:09] matttait
Line 3: Line 3:
   * Date: 2015-07-22   * Date: 2015-07-22
   * Author: Matt Tait, matttait#at#google.com   * Author: Matt Tait, matttait#at#google.com
-  * Status: Draft+  * Status: Under discussion
   * First Published at: http://wiki.php.net/rfc/sql_injection_protection   * First Published at: http://wiki.php.net/rfc/sql_injection_protection
 +  * You can [[http://phpoops.cloudapp.net/oops.php||try it online]] ([[http://phpoops.cloudapp.net/oops.php?action=main&dbg_sql&limit=4%20ohdear|spoiler]])
  
 ===== Background ===== ===== Background =====
Line 46: Line 47:
  
 By design, SafeConstness is ***not** applied to the output of SQL-escape functions. Consider the following query: By design, SafeConstness is ***not** applied to the output of SQL-escape functions. Consider the following query:
-  mysqli_query("SELECT * from USER where $id=" . mysqli_escape_query($_GET["userid"]))  +  mysqli_query("SELECT * from USER where ID=" . mysqli_escape_query($_GET["userid"]))  
-This can be injected via page.php?userid=1%20INJECT_HERE--. Even quoted forms +This can be injected via page.php?userid=1%20INJECT_HERE--. Even using correct SQL-escapes within quotes can [[[[http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string|can be injected]] in a way PHP cannot verify at runtime 
-  mysqli_query("SELECT * from USER where $id='" . mysqli_escape_query($_GET["userid"]) . "'"+  mysqli_query("SELECT * from USER where ID='" mysqli_escape_query($_GET["userid"]) . "'"
-can be injected using crazy [[http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string|charset bugs]], or if the SQL and the PHP server use different character sets. It is a critical security feature, not a bug, that this feature encourages developers to parameterize dynamic queries rather than building queries dynamically.+ 
 +It is a feature, not a bug, of this proposal that we are deliberately encouraging developers to parameterizerather than escape their SQL queries.
  
 === Example SQL-queries that are recognized as safe === === Example SQL-queries that are recognized as safe ===
Line 199: Line 201:
  
 ===== Unaffected PHP Functionality ===== ===== Unaffected PHP Functionality =====
-This change is designed to have the minimum user-visible impact for websites that do not use SQL, or who use it in a safe way.+Websites that already adopt security-best-practice of only issuing dynamic queries to their SQL database via parameterized SQL statements with constant parameter-strings will see no change when this proposal is adopted.
  
 ===== Future Scope ===== ===== Future Scope =====
Line 205: Line 207:
  
 ===== Proposed Voting Choices ===== ===== Proposed Voting Choices =====
-This requires a 50%+1 vote to be adopted.+This does not introduce any syntax changes to the PHP language, and therefore requires a 50%+1 vote to be adopted.
  
 ===== Patches and Tests ===== ===== Patches and Tests =====
rfc/sql_injection_protection.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1

Page Tools