Hi Internals,
To follow up on yesterday's post [1]...
We *could* try to teach programmers to never make a mistake (yep, you can
stop laughing).
Take the previous example:
$html = "<img src=" . htmlentities($url) . " alt='' />";
We might be able to teach everyone to always quote their attributes (or use
a different form of encoding):
$html = "<img src='" . htmlentities($url) . "' alt='' />";
And before PHP 8.1 [2] is released, teach them htmlentities doesn't encode
single quotes by default.
And teach them about dangerous things like '<a href="?">', due to
'javascript:' URLs... etc, etc.
The first part to solving this, use the Parameterised Queries idea from SQL
- the programmer writes their HTML string, and keeps their HTML completely
*separate* from the user values. To combine, they provide both to a HTML
templating engine that knows how to do appropriate escaping.
For example:
html("<img src=? alt='' />", [$url]);
Which can be done today, but it doesn't stop injection mistakes from
happening (the second part of this problem).
It's still trivial for a programmer to mistakenly include (inject) user
values into that first argument:
html("<img src='$url' alt='' />");
And note how this mistake is exactly the same as the other examples, and doing
this with Laravel [3]:
DB::select('select * from users where active = ' . $_GET['active']);
// INSECURE
DB::select('select * from users where active = ?', [$_GET['active']]);
Craig
[1] https://externals.io/message/114540
[2] https://github.com/php/php-src/commit/50eca61f68815005f3b0f808578cc1ce3b4297f0
[3] https://laravel.com/docs/8.x/database#running-a-select-query
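The following is an added worked example, not code from Craig's email or from any PHP project. It sketches what the "first part" of the proposal looks like in practice: an html() helper that takes the programmer's literal template and the user values separately, works out the context each "?" sits in, and escapes accordingly. The html() name and the "?" placeholder follow the email; the context scanner, the HtmlInjectionError class and the URL-scheme allowlist are assumptions made for this illustration. It does nothing about the "second part" (a value interpolated into the template string itself), which is exactly the case that cannot be caught by a function like this at runtime.

```php
<?php
declare(strict_types=1);

// Added example, not code from the email. html() and the "?" placeholder
// follow Craig's sketch; the context detection, HtmlInjectionError and the
// URL-scheme allowlist are assumptions made for this illustration.

final class HtmlInjectionError extends RuntimeException {}

// Combine a literal HTML template with user values, escaping each value for
// the context its "?" sits in, and refusing the contexts where no escaping
// is safe (unquoted attributes, tag/attribute names, <script>/<style> bodies).
function html(string $template, array $values): string
{
    $parts  = explode('?', $template);
    $values = array_values($values);
    if (count($parts) - 1 !== count($values)) {
        throw new HtmlInjectionError('placeholder count does not match value count');
    }
    $out = $parts[0];
    foreach ($values as $i => $value) {
        $out .= escape_for_context(html_context($out), (string) $value);
        $out .= $parts[$i + 1];
    }
    return $out;
}

// Work out where the next value will land by scanning the markup emitted so
// far. Returns one of: text, attr (with the attribute name), tag, raw.
function html_context(string $prefix): array
{
    if (preg_match('~<(script|style)\b[^>]*>(?:(?!</\1\s*>).)*$~is', $prefix)) {
        return ['type' => 'raw'];                        // inside <script> or <style>
    }
    $lt = strrpos($prefix, '<');
    $gt = strrpos($prefix, '>');
    if ($lt === false || ($gt !== false && $gt > $lt)) {
        return ['type' => 'text'];                       // element content
    }
    $tag   = substr($prefix, $lt + 1);                   // the unfinished tag
    $quote = null;
    $attr  = null;
    for ($i = 0, $n = strlen($tag); $i < $n; $i++) {
        $c = $tag[$i];
        if ($quote !== null) {
            if ($c === $quote) { $quote = null; }        // attribute value closed
            continue;
        }
        if (($c === '"' || $c === "'")
            && preg_match('~([A-Za-z][\w:.-]*)\s*=\s*$~', substr($tag, 0, $i), $m)) {
            $quote = $c;                                 // opening an attribute value
            $attr  = strtolower($m[1]);
        }
    }
    return $quote !== null
        ? ['type' => 'attr', 'name' => $attr]
        : ['type' => 'tag'];                             // unquoted attribute, or a name position
}

function escape_for_context(array $ctx, string $value): string
{
    switch ($ctx['type']) {
        case 'text':
            return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        case 'attr':
            if (in_array($ctx['name'], ['href', 'src', 'action', 'formaction'], true)) {
                assert_safe_url($value);
            }
            // ENT_QUOTES matters: before PHP 8.1 the default leaves ' alone,
            // which is exactly what breaks single-quoted attributes.
            return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        case 'tag':
            throw new HtmlInjectionError('value must sit inside a quoted attribute');
        default:
            throw new HtmlInjectionError('values are not allowed inside <script> or <style>');
    }
}

// URL attributes: allow http, https and scheme-less (relative) URLs only, so a
// 'javascript:' value is refused rather than encoded and passed through.
function assert_safe_url(string $url): void
{
    // Browsers ignore embedded tab/newline and leading control characters
    // when reading the scheme, so strip those before looking for one.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('~^([A-Za-z][A-Za-z0-9+.-]*):~', $probe, $m)
        && !in_array(strtolower($m[1]), ['http', 'https'], true)) {
        throw new HtmlInjectionError("URL scheme '{$m[1]}' is not allowed");
    }
}

// Constructed inputs for illustration.
$bad = "x' onerror='alert(1)";
echo html("<img src='?' alt='' />", [$bad]), PHP_EOL;      // escaped, attribute stays closed
echo html("<p>?</p>", ['<b>not bold</b>']), PHP_EOL;        // text context

foreach ([
    ["<img src=? alt='' />", [$bad]],                        // unquoted attribute: refused
    ["<a href='?'>link</a>", ['javascript:alert(1)']],       // disallowed scheme: refused
    ["<script>var u = '?';</script>", ['x']],                // script body: refused
] as [$template, $values]) {
    try {
        html($template, $values);
    } catch (HtmlInjectionError $e) {
        echo 'refused: ', $e->getMessage(), PHP_EOL;
    }
}
```

The scanner is deliberately small and handles the common template shapes, not full HTML parsing (for instance a literal `>` inside a quoted attribute value in the template would confuse it). The point it illustrates is the one in the email: once the template and the values arrive as separate arguments, the helper can refuse the shapes that escaping alone cannot make safe, such as `src=?` without quotes, instead of relying on every programmer remembering to quote and to check URL schemes.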