CF
Uploaded byCraig Francis
PDF, PPTX54 views

Proposed PHP function: is_literal()

The document proposes the is_literal() function for PHP to differentiate safe strings defined in scripts from unsafe strings, particularly those tainted by external sources. It emphasizes that injection problems are not effectively resolved by static analysis and suggests that the function can improve string safety. The document also discusses examples and implications of the function in various coding scenarios, including its necessity for preventing SQL injection and XSS vulnerabilities.

Embed presentation

Download as PDF, PPTX
is_literal() A proposed function for PHP Craig Francis
is_literal() To distinguish between safe strings, which have been defined in your PHP script.
is_literal() To distinguish between safe strings, which have been defined in your PHP script. VS unsafe strings, which have been tainted by external sources.
The Problem
The Problem
The Problem
The Problem Version 5.4.1 April 29, 2020
The Problem Version 5.4.2 June 10, 2020
is_literal() is not the same as Taint Checking. The Problem
Injection problems are rarely solved by Static Analysis. The Problem
Injection problems are rarely solved by Static Analysis. Still do use this. The Problem
Injection problems are rarely solved by Static Analysis. But it's hard to follow every variable from Source to Sink. The Problem
Injection problems are rarely solved by Static Analysis. And don't expect every programmer to use. The Problem
$mysqli = new mysqli('localhost', 'test', '???', 'test'); $result = $mysqli->query('SELECT * FROM user WHERE id = ' . $_GET['id']); if ($result instanceof mysqli_result) { print_r($result->fetch_all()); } Static Analysis PHPStan
$mysqli = new mysqli('localhost', 'test', '???', 'test'); $id = (string) $_GET['id']; $result = $mysqli->query('SELECT * FROM user WHERE id = ' . $id); if ($result instanceof mysqli_result) { print_r($result->fetch_all()); } Static Analysis Avoid MixedAssignment Psalm
$mysqli = new mysqli('localhost', 'test', '???', 'test'); $id = (string) $_GET['id']; $result = $mysqli->query('SELECT * FROM user WHERE id = ' . $id); if ($result instanceof mysqli_result) { print_r($result->fetch_all()); } Static Analysis Psalm, Taint Analysis I'm not using "mysqli_query()" https://github.com/vimeo/psalm/issues/4155 Avoid MixedAssignment
Google engineer Christoph Kern, 2015: https://www.usenix.org/conference/usenixsecurity15/symposium-program/ presentation/kern Other Implementations
Google engineer Christoph Kern, 2015: "Developer education doesn't solve the problem" Other Implementations
Google engineer Christoph Kern, 2015: "Bugs are hard to find after the fact" Other Implementations
Google engineer Christoph Kern, 2015: "Bugs are hard to find after the fact" "Manual Testing, Automated Testing, Static Analysis, Human Code Reviews; ... will find some of these bugs..." @04:02 Other Implementations
Google have a similar solution in Go: https://github.com/google/go-safeweb/tree/master/safehttp https://blogtitle.github.io/go-safe-html/ Other Implementations HTML Injection / XSS By Roberto Clapis
Google have a similar solution in Go: https://github.com/google/go-safeweb/tree/master/safesql A Query Builder, with an Append() method that only accepts compile-time constant strings (literal or const). Other Implementations SQL Injection
JavaScript may get a similar solution: https://github.com/tc39/proposal-array-is-template-object "Distinguishing strings from a trusted developer, from strings that may be attacker controlled" Other Implementations
Examples
Examples
Examples
$users = $queryBuilder ->select('u') ->from('User', 'u') ->where('u.type_id = 1') ->getQuery() ->getResult(); Doctrine QueryBuilder Examples
$users = $queryBuilder ->select('u') ->from('User', 'u') ->where('u.type_id = ?1') ->setParameter(1, $_GET['type_id']) ->getQuery() ->getResult(); Examples
$users = $queryBuilder ->select('u') ->from('User', 'u') ->where('u.type_id = 1') ->getQuery() ->getResult(); Examples
$users = $queryBuilder ->select('u') ->from('User', 'u') ->where('u.type_id = ' . $_GET['type_id']) ->getQuery() ->getResult(); Examples
Examples
Examples
$users = $queryBuilder ->select('u') ->from('User', 'u') ->where('u.type_id = 1') ->getQuery() ->getResult(); Safe String, a Literal Examples
$users = $queryBuilder ->select('u') ->from('User', 'u') ->where('u.type_id = ' . $_GET['type_id']) ->getQuery() ->getResult(); Unsafe StringSafe String Examples
$users = $queryBuilder ->select('u') ->from('User', 'u') ->where('u.type_id = ' . $_GET['type_id']) ->getQuery() ->getResult(); Examples 'WHERE u.type_id = u.type_id'
$sql = 'SELECT u FROM User u WHERE u.type_id = ' . $_GET['type_id']; $query = $entityManager->createQuery($sql); Doctrine - CreateQuery Examples
$users = UserQuery::create()->where('type_id = ' . $_GET['type_id'])->find(); Propel ORM - Where Examples
$result = R::find('user', 'type_id = ' . $_GET['type_id']); RedBeanPHP - Find Examples
$template = $twig->createTemplate('<p>Hello {{ name }}</p>'); echo $template->render(['name' => $_GET['name']]); Examples Safe String, a Literal
$template = $twig->createTemplate('<p>Hello ' . $_GET['name'] . '</p>'); echo $template->render(); Examples Unsafe String
Examples
$output = shell_exec('ls /'); Safe String, a Literal Examples
Examples $output = shell_exec('ls ' . $_GET['path']); Unsafe String
Taint Checking https://pecl.php.net/package/taint
Taint Checking $prefix = 'Hi '; $welcome_html = $prefix . 'Name';
Taint Checking $prefix = 'Hi '; $welcome_html = $prefix . 'Name'; Untainted
Taint Checking $prefix = 'Hi '; $welcome_html = $prefix . 'Name'; Untainted Untainted Untainted
Taint Checking $prefix = 'Hi '; $welcome_html = $prefix . 'Name'; Untainted, Safe
Taint Checking $name = $_GET['name']; $prefix = 'Hi '; $welcome_html = $prefix . $name;
Taint Checking $name = $_GET['name']; $prefix = 'Hi '; $welcome_html = $prefix . $name; Tainted
Taint Checking $name = $_GET['name']; $prefix = 'Hi '; $welcome_html = $prefix . $name;
Taint Checking $name = $_GET['name']; $prefix = 'Hi '; $welcome_html = $prefix . $name; Untainted
Taint Checking $name = $_GET['name']; $prefix = 'Hi '; $welcome_html = $prefix . $name; Untainted Tainted
Taint Checking $name = $_GET['name']; $prefix = 'Hi '; $welcome_html = $prefix . $name; Tainted, not safe
Taint Checking $name = $_GET['name']; $prefix = 'Hi '; $welcome_html = $prefix . htmlentities($name);
Taint Checking $name = $_GET['name']; $prefix = 'Hi '; $welcome_html = $prefix . htmlentities($name); Un-Taint
Taint Checking $name = $_GET['name']; $prefix = 'Hi '; $welcome_html = $prefix . htmlentities($name); Untainted, should be safe.
Taint Checking $url = $_GET['url']; $name = $_GET['name']; $link_html = '<a href="' . htmlentities($url) . '">' . htmlentities($name) . '</a>';
Taint Checking $url = $_GET['url']; $name = $_GET['name']; $link_html = '<a href="' . htmlentities($url) . '">' . htmlentities($name) . '</a>'; Tainted Tainted
Taint Checking $url = $_GET['url']; $name = $_GET['name']; $link_html = '<a href="' . htmlentities($url) . '">' . htmlentities($name) . '</a>'; Tainted Tainted
Taint Checking $url = $_GET['url']; $name = $_GET['name']; $link_html = '<a href="' . htmlentities($url) . '">' . htmlentities($name) . '</a>'; Un-Taint Un-Taint
Taint Checking $url = $_GET['url']; $name = $_GET['name']; $link_html = '<a href="' . htmlentities($url) . '">' . htmlentities($name) . '</a>'; Untainted, surely this is safe?
Taint Checking $url = $_GET['url']; $name = $_GET['name']; $link_html = '<a href="' . htmlentities($url) . '">' . htmlentities($name) . '</a>'; 'javascript:alert("hi")'
Taint Checking $sql .= 'WHERE id = ' . mysqli_real_escape_string($link, $_GET['id']); Tainted
Taint Checking $sql .= 'WHERE id = ' . mysqli_real_escape_string($link, $_GET['id']); Untainted Un-Taint
Untainted, surely this is safe? Taint Checking $sql .= 'WHERE id = ' . mysqli_real_escape_string($link, $_GET['id']);
Taint Checking $sql .= 'WHERE id = ' . mysqli_real_escape_string($link, $_GET['id']); Missing quotes
Taint Checking $sql .= 'WHERE id = ' . mysqli_real_escape_string($link, $_GET['id']); "id"
Taint Checking $sql .= 'WHERE id = ' . mysqli_real_escape_string($link, $_GET['id']); $sql .= 'WHERE id = id'; "id"
Taint Checking $img_html = '<img src=' . htmlentities($_GET['url']) . '>'; TaintedUntainted Untainted
Taint Checking $img_html = '<img src=' . htmlentities($_GET['url']) . '>'; Un-Taint
Taint Checking $img_html = '<img src=' . htmlentities($_GET['url']) . '>'; Untainted, surely this is safe?
Taint Checking $img_html = '<img src=' . htmlentities($_GET['url']) . '>'; Missing quotes
Taint Checking $img_html = '<img src=' . htmlentities($_GET['url']) . '>'; $img_html = '<img src=/ onerror=evil-js>'; "/ onerror=evil-js"
Taint Checking How about character encoding issues? The PDO Quote function clearly says it's only "theoretically safe". https://www.php.net/pdo.quote
Summary Do not mix safe strings (literals), with anything that may be attacker controlled.
Summary We need a way to ensure this does not happen.
is_literal('This is a Literal');
is_literal('This is a Literal'); true
$a = 'This is a Literal'; is_literal($a); true
$a = 'This is a Literal'; is_literal($a . 'And this'); true
$a = 'This is a Literal'; is_literal($a . $_GET['name']); false
$a = 'This is a Literal'; is_literal($a . htmlentities($_GET['name'])); Still false
$a = 'This is a Literal'; is_literal($a . strtoupper('abc')); Sorry, this is false - 'ABC' is no longer the string defined in the PHP script.
$users = $queryBuilder ->select('u') ->from('User', 'u') ->where('u.type_id = 1') ->getQuery() ->getResult(); Doctrine
$users = $queryBuilder ->select('u') ->from('User', 'u') ->where('u.type_id = 1') ->getQuery() ->getResult(); public function where($predicates) { if (!is_literal($predicates)) { throw new Exception('Can only accept a literal'); } ... } Is a Safe Literal?
$users = $queryBuilder ->select('u') ->from('User', 'u') ->where('u.type_id = ' . $_GET['type_id']) ->getQuery() ->getResult(); public function where($predicates) { if (!is_literal($predicates)) { throw new Exception('Can only accept a literal'); } ... } Not a Safe Literal
$template = $twig->createTemplate('<p>Hello {{ name }}</p>'); echo $template->render(['name' => $_GET['name']]); Twig
$template = $twig->createTemplate('<p>Hello {{ name }}</p>'); echo $template->render(['name' => $_GET['name']]) public function createTemplate(string $template, string $name = null): TemplateWrapper { if (!is_literal($template)) { throw new Exception('Can only accept a literal'); } ... } Is a Safe Literal?
$template = $twig->createTemplate('<p>Hello ' . $_GET['name'] . '</p>'); echo $template->render() public function createTemplate(string $template, string $name = null): TemplateWrapper { if (!is_literal($template)) { throw new Exception('Can only accept a literal'); } ... } Not a Safe Literal
if (function_exists('is_literal') && !is_literal($a)) { trigger_error('Can only accept a literal', E_USER_NOTICE); } Backwards compatibility Notices might be safer for legacy projects.
if (!function_exists('is_literal')) { function is_literal($variable) { return true; } } Backwards compatibility
$sql .= 'ORDER BY ' . $field_name; What about Table and Field names?
$fields = [ 'name', 'created', 'admin', ]; $field_id = array_search(($_GET['sort'] ?? 'created'), $fields); $sql = ' ORDER BY ' . $fields[$field_id];
$sql .= 'WHERE id IN (1, 2, 3)'; What about WHERE IN?
$ids = [1, 2, 3]; $sql .= 'WHERE id IN (' . implode(', ', $ids) . ')'; From an unknown source
$ids = [1, 2, 3]; $sql .= 'WHERE id IN (' . implode(',', array_fill(0, count($ids), '?')) . ')';
$ids = [1, 2, 3]; $sql .= 'WHERE id IN (' . implode(',', array_fill(0, count($ids), '?')) . ')'; $sql .= 'WHERE id IN (?, ?, ?)';
https://wiki.php.net/rfc/is_literal https://github.com/craigfrancis/php-is-literal-rfc Thank You
Proposed PHP function: is_literal()

More Related Content

PDF
QA for PHP projects
byMichelangelo van Dam
 
PDF
PHPunit and you
bymarkstory
 
PDF
Unit testing with zend framework tek11
byMichelangelo van Dam
 
KEY
Unit testing with zend framework PHPBenelux
byMichelangelo van Dam
 
ODP
Concern of Web Application Security
byMahmud Ahsan
 
KEY
PHPSpec BDD for PHP
byMarcello Duarte
 
PDF
PHPUnit Episode iv.iii: Return of the tests
byMichelangelo van Dam
 
PDF
Zf2 how arrays will save your project
byMichelangelo van Dam
 
QA for PHP projects
byMichelangelo van Dam
 
PHPunit and you
bymarkstory
 
Unit testing with zend framework tek11
byMichelangelo van Dam
 
Unit testing with zend framework PHPBenelux
byMichelangelo van Dam
 
Concern of Web Application Security
byMahmud Ahsan
 
PHPSpec BDD for PHP
byMarcello Duarte
 
PHPUnit Episode iv.iii: Return of the tests
byMichelangelo van Dam
 
Zf2 how arrays will save your project
byMichelangelo van Dam
 

What's hot

PDF
Your code sucks, let's fix it
byRafael Dohms
 
PPT
Php Security By Mugdha And Anish
byOSSCube
 
ODP
Javascript & jQuery: A pragmatic introduction
byIban Martinez
 
PDF
Refactoring using Codeception
byJeroen van Dijk
 
PDF
Dealing with Legacy PHP Applications
byClinton Dreisbach
 
PDF
Man in the Middle? - No, thank you!
byDaniel Schneller
 
PDF
Error Reporting in ZF2: form messages, custom error pages, logging
bySteve Maraspin
 
KEY
Object Calisthenics Applied to PHP
byGuilherme Blanco
 
KEY
Unit testing zend framework apps
byMichelangelo van Dam
 
PPTX
Coding for Scale and Sanity
byJimKellerES
 
PPTX
Let's write secure Drupal code! - DrupalCamp London 2019
byBalázs Tatár
 
KEY
PHP security audits
byDamien Seguy
 
PDF
async/await Revisited
byRiza Fahmi
 
PPTX
Hacking Your Way To Better Security - Dutch PHP Conference 2016
byColin O'Dell
 
PDF
November Camp - Spec BDD with PHPSpec 2
byKacper Gunia
 
PDF
QA Lab: тестирование ПО. Яков Крамаренко: "KISS Automation"
byGeeksLab Odessa
 
PDF
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
byGeeksLab Odessa
 
PPS
Implementing access control with zend framework
byGeorge Mihailov
 
PDF
“Writing code that lasts” … or writing code you won’t hate tomorrow. - PHP Yo...
byRafael Dohms
 
PDF
Essentials and Impactful Features of ES6
byRiza Fahmi
 
Your code sucks, let's fix it
byRafael Dohms
 
Php Security By Mugdha And Anish
byOSSCube
 
Javascript & jQuery: A pragmatic introduction
byIban Martinez
 
Refactoring using Codeception
byJeroen van Dijk
 
Dealing with Legacy PHP Applications
byClinton Dreisbach
 
Man in the Middle? - No, thank you!
byDaniel Schneller
 
Error Reporting in ZF2: form messages, custom error pages, logging
bySteve Maraspin
 
Object Calisthenics Applied to PHP
byGuilherme Blanco
 
Unit testing zend framework apps
byMichelangelo van Dam
 
Coding for Scale and Sanity
byJimKellerES
 
Let's write secure Drupal code! - DrupalCamp London 2019
byBalázs Tatár
 
PHP security audits
byDamien Seguy
 
async/await Revisited
byRiza Fahmi
 
Hacking Your Way To Better Security - Dutch PHP Conference 2016
byColin O'Dell
 
November Camp - Spec BDD with PHPSpec 2
byKacper Gunia
 
QA Lab: тестирование ПО. Яков Крамаренко: "KISS Automation"
byGeeksLab Odessa
 
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
byGeeksLab Odessa
 
Implementing access control with zend framework
byGeorge Mihailov
 
“Writing code that lasts” … or writing code you won’t hate tomorrow. - PHP Yo...
byRafael Dohms
 
Essentials and Impactful Features of ES6
byRiza Fahmi
 

Similar to Proposed PHP function: is_literal()

PDF
PHP-UK 2025: Ending Injection Vulnerabilities
byCraig Francis
 
PDF
PHP Secure Programming
byBalavignesh Kasinathan
 
PPT
12-security.ppt - PHP and Arabic Language - Index
bywebhostingguy
 
PDF
Intro to Php Security
byDave Ross
 
PDF
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
byFelipe Prado
 
PPTX
Interpolique
byDan Kaminsky
 
PPT
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
byPositive Hack Days
 
PDF
Generic Attack Detection - ph-Neutral 0x7d8
byMario Heiderich
 
PDF
17726 bypassing-phpids-0.6.5
byAttaporn Ninsuwan
 
PDF
Php Security
byguest7cf35c
 
PDF
Dip Your Toes in the Sea of Security (PHP UK 2016)
byJames Titcumb
 
PPT
Security.ppt
bywebhostingguy
 
PPTX
Web Security - Hands-on
byAndrea Valenza
 
PPS
Php security3895
byPrinceGuru MS
 
ODP
Jeff Channell - Secure PHP Coding Practices
byvdrover
 
ODP
My app is secure... I think
byWim Godden
 
PPS
PHP Built-in String Validation Functions
byAung Khant
 
PPTX
Interpolique
byDan Kaminsky
 
PDF
Web注入+http漏洞等描述
byfangjiafu
 
PPT
Php manish
byManish Jain
 
PHP-UK 2025: Ending Injection Vulnerabilities
byCraig Francis
 
PHP Secure Programming
byBalavignesh Kasinathan
 
12-security.ppt - PHP and Arabic Language - Index
bywebhostingguy
 
Intro to Php Security
byDave Ross
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
byFelipe Prado
 
Interpolique
byDan Kaminsky
 
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
byPositive Hack Days
 
Generic Attack Detection - ph-Neutral 0x7d8
byMario Heiderich
 
17726 bypassing-phpids-0.6.5
byAttaporn Ninsuwan
 
Php Security
byguest7cf35c
 
Dip Your Toes in the Sea of Security (PHP UK 2016)
byJames Titcumb
 
Security.ppt
bywebhostingguy
 
Web Security - Hands-on
byAndrea Valenza
 
Php security3895
byPrinceGuru MS
 
Jeff Channell - Secure PHP Coding Practices
byvdrover
 
My app is secure... I think
byWim Godden
 
PHP Built-in String Validation Functions
byAung Khant
 
Interpolique
byDan Kaminsky
 
Web注入+http漏洞等描述
byfangjiafu
 
Php manish
byManish Jain
 

Recently uploaded

PDF
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
PPTX
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
PDF
MathML Core in WebKit
byIgalia
 
PDF
Catalog Data - Keys to the Kingdom.pdf‎ ‎
byPrecisely
 
PPTX
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
PDF
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PDF
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PDF
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
PDF
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPTX
Getting Started with MSP360 Backup for M365/Google
byMSP360
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PPTX
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
MathML Core in WebKit
byIgalia
 
Catalog Data - Keys to the Kingdom.pdf‎ ‎
byPrecisely
 
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
WebXR in Android and Linux with OpenXR
byIgalia
 
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
Getting Started with MSP360 Backup for M365/Google
byMSP360
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 

Proposed PHP function: is_literal()