Add a function to check if a variable is made from string constants

Question

Add a function to check if a variable is made from string constants

craigfrancis opened this issue 7 years ago · 0 comments

Having tried the taint extension for a while, I find that it does a good job at identifying most issues, while only requiring minor tweaks to my code to avoid warnings.

However there are a few exceptions which can't be covered with the current implementation, for example mysqli_real_escape_string() without quote marks (see pg_escape_literal for comparison), or using preg_replace to sanitise a string.

So taking the idea from Matt Tait - https://wiki.php.net/rfc/sql_injection_protection

Would it be possible to keep the current implementation, but add a second flag that tracks if a variable has only been built from T_STRING constants?

Then add a new function that allows the programmer to check the variable is made from string constants, maybe with a function named is_string_constant, or is_static, etc.

This means the following could be possible to check for SQLi:

<?php

	class db {
		function fetch_row($sql, $parameters) {
			if (!is_string_constant($sql)) {
				throw new Exception('Not a static string.');
			}
			// ...
		}
		// ...
	}

?>
<?php

	define('SQL_TABLE_PREFIX', 'abc_');

	if ($_GET['order'] == 'desc') {
		$sql_order = 'DESC';
	} else {
		$sql_order = 'ASC';
	}

	$sql = 'SELECT
			*
		FROM
			' . SQL_TABLE_PREFIX . 'table
		WHERE
			field = ?
		ORDER BY
			field ' . $sql_order;
			
	$parameters = array();
	$parameters[] = array('s', $unsafe_var);

	if ($row = $db->fetch_row($sql, $parameters)) {
		// It works :-)
	}

?>

And likewise, a framework could provide a wrapper to exec/shell_exec/system/passthru which supports a form of parameterized command, while checking that the command itself if made from string constants.