Injection Vulnerabilities remain at the top of the OWASP "Top 10 Web
Application Security Risks".

It’s important to remember that Injection Vulnerabilities don't just affect
the developer, but rather the data of potentially thousands of people using
the website/system.

These can even occur when using libraries. Take this example from CakePHP,
where the developer has dangerously included user data into the SQL:

  $users->find()->where(['age >= ' . $_GET['age']]);

By distinguishing strings from a trusted developer from strings that may
be attacker controlled, libraries can ensure values that go directly into
the SQL, HTML, CLI, etc. have not been "Injected" with user data.

PHP is now lagging behind other languages, where Java and Go can already
test for developer defined strings (it's also being implemented in
JavaScript).

is_literal() is a simple and minor change that simply utilises a currently
unused flag on strings to mark whether the string was written by the
developer. It requires no rewriting of code by the developer to work, no
grand visionary overhaul of the PHP language, with only a 0.43% difference
in speed that is too small to measure with normal internet/database
variability. It’s just a basic but effective way of being able to warn
about and locate Injection Vulnerabilities (and therefore providing a way
for libraries to directly educate developers).
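To show how a library could use the proposed flag to catch the CakePHP-style mistake above, here is an added example. It is not code from the RFC, from CakePHP or from any library linked on this page, and it assumes is_literal() behaves as the RFC describes: true for a string written in the source code (concatenation of literals keeps the flag), false once data from outside the program ($_GET, $argv, stdin, a database row) has been mixed in. The class and method names (SafeQuery, UnsafeSqlException, where(), assertLiteral()) are invented for the example, and the "18 OR 1=1" input is a constructed value passed on the command line.

```php
<?php
declare(strict_types=1);

// Added example, not the RFC's or CakePHP's code. Assumes is_literal() exists
// as proposed: true for developer-written strings, false once request data
// (here $argv, standing in for $_GET['age']) has been concatenated in.
// SafeQuery and UnsafeSqlException are hypothetical names for this example.

final class UnsafeSqlException extends RuntimeException
{
}

final class SafeQuery
{
    private string $sql;
    private bool $hasWhere = false;
    /** @var list<string|int|float|null> */
    private array $params = [];

    public function __construct(string $table)
    {
        // The table name becomes part of the SQL text, so it must be literal too.
        self::assertLiteral($table, 'table name');
        $this->sql = 'SELECT * FROM ' . $table;
    }

    // Only developer-written SQL is appended to the query text; any user data
    // has to arrive in $params, where it is bound to a placeholder instead.
    public function where(string $condition, array $params = []): self
    {
        self::assertLiteral($condition, 'WHERE condition');
        $this->sql .= ($this->hasWhere ? ' AND ' : ' WHERE ') . $condition;
        $this->hasWhere = true;
        foreach ($params as $p) {
            $this->params[] = $p;
        }
        return $this;
    }

    public function sql(): string
    {
        return $this->sql;
    }

    public function params(): array
    {
        return $this->params;
    }

    // Bind and run with PDO; the SQL text itself never contains request data.
    public function execute(PDO $pdo): PDOStatement
    {
        $stmt = $pdo->prepare($this->sql);
        $stmt->execute($this->params);
        return $stmt;
    }

    private static function assertLiteral(string $value, string $what): void
    {
        // This is the check a library would add: locate the injection point
        // at the call site rather than discovering it in production.
        if (!is_literal($value)) {
            throw new UnsafeSqlException(
                "Non-literal {$what}: SQL text must be written by the developer; "
                . 'pass user data through the parameter array instead'
            );
        }
    }
}

// Constructed input standing in for $_GET['age']; a CLI argument is just as
// non-literal, because it did not come from the source code.
if (!isset($argv[1])) {
    fwrite(STDERR, "usage: php example.php '18 OR 1=1'\n");
    exit(1);
}
$age = $argv[1];

// 1. The mistake from the CakePHP snippet: user data concatenated into the SQL.
try {
    (new SafeQuery('users'))->where('age >= ' . $age);
    echo "unexpectedly accepted\n";
} catch (UnsafeSqlException $e) {
    echo 'Rejected: ' . $e->getMessage() . "\n";
}

// 2. The safe form: the condition is a literal with a placeholder, and the
//    value is bound separately (cast to the type the column expects).
$q = (new SafeQuery('users'))
    ->where('age >= ?', [(int) $age])
    ->where('active = 1');
echo $q->sql() . "\n";
var_dump($q->params());
```

The point of the design is that the library never has to parse or sanitise the SQL: it only needs to know whether the text it is about to use was written by the developer. Anything that fails is_literal() is rejected at the exact line that introduced the user data, which is what makes the check useful for locating and explaining the mistake rather than just blocking it.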

The vote for this RFC ends on Monday the 19th of July, 7:30pm UK time and
6:30pm UTC, and needs your support.
https://wiki.php.net/rfc/is_literal

The following link provides more examples of these mistakes, based on code
I’ve found on production servers. They show how similar they are to the
examples found in the libraries' official documentation, and how easy it is
for a developer to make a small tweak that ends up being very dangerous:
https://github.com/craigfrancis/php-is-literal-rfc/blob/main/justification/mistakes.php

I have created 3 example libraries you can experiment with, to see what
is_literal() can do:
https://github.com/craigfrancis/php-is-literal-rfc/tree/main/examples

I'm happy to take questions on and off list.

Vote ends on Monday the 19th of July, 7:30pm UK time and 6:30pm UTC.
https://wiki.php.net/rfc/is_literal

Thanks,
Craig
