On Thu, 15 Aug 2019 at 7:43 pm, Matthew Brown <matthewmatt...@gmail.com> wrote:
> There are already some userland taint-checking solutions for PHP e.g. the
> Phan taint-check plugin from MediaWiki:
> https://www.mediawiki.org/wiki/Phan-taint-check-plugin
>
> I'm working on my own userland solution, too (based on Facebook's
> approach). Demo is here: https://psalm.dev/r/ebb9522fea
>

Hi Matthew,

If anything, this proposal would help user-land solutions (it gives them more information while the code is running). At the moment, they all need to make their own parsers, or extensions, and they all have blind spots.

I’d also like us to move slowly away from taint checkers that allow for tainted strings to be marked as un-tainted, as these allow mistakes to be made.

Please excuse any typos, on my phone, but how about:

$sql = '... WHERE id = ' . mysqli_real_escape_string($db, $_GET['id']);

It’s been escaped, so surely it’s not tainted any more? Unfortunately, because it’s not surrounded with quote marks, it’s not safe. It also relies on there not being any parsing issues within the database engine itself (parameterised queries help here, as those values aren’t part of the SQL parsing process).

Craig
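The escaped-but-unquoted pattern from the mail, placed beside the parameterised form it recommends, as an added example rather than code from the thread. It assumes a mysqli connection to a `users` table with an integer `id` column; the connection details and table are placeholders.

```php
<?php
// Added example (not from the original mail). Assumes a mysqli connection
// to a placeholder database with a `users` table whose `id` is an integer.
declare(strict_types=1);

$db = new mysqli('localhost', 'app_user', 'app_password', 'appdb'); // placeholder
$db->set_charset('utf8mb4');

// 1. The pattern from the mail. mysqli_real_escape_string() only escapes the
//    characters that can break out of a *quoted* literal (quotes, backslash,
//    NUL, CR/LF, Ctrl-Z). Input containing none of them comes back unchanged,
//    and without surrounding quote marks it is spliced straight into the SQL
//    grammar, so the escaping does nothing useful here.
function unquotedEscape(mysqli $db, string $rawId): string
{
    return 'SELECT id, name FROM users WHERE id = '
        . mysqli_real_escape_string($db, $rawId);
}

// The check a reviewer can run: a value with no quote characters is a no-op
// for the escape function, which is exactly why the unquoted form is unsafe.
$probe = '1 OR 1=1';
var_dump(mysqli_real_escape_string($db, $probe) === $probe); // bool(true)

// 2. Parameterised query. The SQL text is a constant string and the value is
//    sent separately, so it never takes part in SQL parsing and the quoting
//    question disappears. The type declared to bind_param() ('i') also stops
//    a non-numeric value from reaching the engine as anything but an integer.
function findUserById(mysqli $db, string $rawId): ?array
{
    // Reject non-integers up front; a taint checker can treat this as a
    // validation boundary rather than an "escape" that marks data safe.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }

    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

var_dump(findUserById($db, $_GET['id'] ?? ''));
```

The point of keeping both forms side by side is that a taint checker which lets `mysqli_real_escape_string()` clear the taint would accept `unquotedEscape()`, while `findUserById()` never builds SQL from the request value at all, which is the property worth checking for.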