Skip to content

Add a function to check if a variable is made from string constants #54

Description

@craigfrancis

Having tried the taint extension for a while, I find that it does a good job at identifying most issues, while only requiring minor tweaks to my code to avoid warnings.

However there are a few exceptions which can't be covered with the current implementation, for example mysqli_real_escape_string() without quote marks (see pg_escape_literal for comparison), or using preg_replace to sanitise a string.

So taking the idea from Matt Tait - https://wiki.php.net/rfc/sql_injection_protection

Would it be possible to keep the current implementation, but add a second flag that tracks if a variable has only been built from T_STRING constants?

Then add a new function that allows the programmer to check the variable is made from string constants, maybe with a function named is_string_constant, or is_static, etc.

This means the following could be possible to check for SQLi:

<?php

	class db {
		function fetch_row($sql, $parameters) {
			if (!is_string_constant($sql)) {
				throw new Exception('Not a static string.');
			}
			// ...
		}
		// ...
	}

?>
<?php

	define('SQL_TABLE_PREFIX', 'abc_');

	if ($_GET['order'] == 'desc') {
		$sql_order = 'DESC';
	} else {
		$sql_order = 'ASC';
	}

	$sql = 'SELECT
			*
		FROM
			' . SQL_TABLE_PREFIX . 'table
		WHERE
			field = ?
		ORDER BY
			field ' . $sql_order;
			
	$parameters = array();
	$parameters[] = array('s', $unsafe_var);

	if ($row = $db->fetch_row($sql, $parameters)) {
		// It works :-)
	}

?>

And likewise, a framework could provide a wrapper to exec/shell_exec/system/passthru which supports a form of parameterized command, while checking that the command itself if made from string constants.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions