Re: [PHP-DEV] Literal / Taint checking

This is only part of a thread. view whole thread
  106627
August 15, 2019 18:18 craig@craigfrancis.co.uk (Craig Francis)
On Thu, 15 Aug 2019 at 19:05, Benjamin Eberlei <kontakt@beberlei.de> wrote:

> On Thu, Aug 15, 2019 at 8:03 PM Craig Francis <craig@craigfrancis.co.uk> > wrote: > >> Hi, >> >> How likely would it be for PHP to do Literal tracking of variables? >> >> This is something that's being discussed JavaScript TC39 at the moment >> [1], >> and I think it would be even more useful in PHP. >> >> We already know we should use parameterized/prepared SQL, but there is no >> way to prove the SQL string hasn't been tainted by external data in large >> projects, or even in an ORM. >> >> This could also work for templating systems (blocking HTML injection) and >> commands. >> >> Internally it would need to introduce a flag on every variable, and a >> single function to check if a given variable has only been created by >> Literal(s). >> >> Unlike the taint extension, there should be no way to override this (e.g. >> no taint/untaint functions); and if it was part of the core language, it >> will continue to work after every update. >> >> One day certain functions (e.g. mysqli_query) might use this information >> to >> generate a error/warning/notice; but for now, having it available for >> checking would be more than enough. >> >> Craig >> >> > It is an interesting topic indeed! I remember that laruence wrote an > extension for this a while ago, I have never tried it myself though. You > can find it here: https://github.com/laruence/taint > >
Thanks, I've been using that extension for a few years - laruence has done a fantastic job with it. But it can be a bit buggy; and due to it being a taint based system, with the ability to taint/untaint, it introduces some problems. https://github.com/laruence/taint/issues/54