The state of PHP security
Posted Dec 22, 2006 17:00 UTC (Fri) by iabervon
In reply to: The state of PHP security
Parent article: The state of PHP security
Every programming language (with SQL bindings) does seem to use strings for SQL statements, and it's a design error in every one of them.
SQL string constants can have single quotes in them escaped as a sequence of two single quotes, but SQL statements can only have single quotes using weird other methods (for purposes like having a column named "don't", of course; none of the standard functions or keywords contain single quotes). And SQL statements can (and must) include single quotes around string constants, but I'm prohibiting writing string constants as statement text.
E.g., you'd have to write something like:
new Statement().cmd("SELECT uid FROM passwd WHERE password=").
lit(password).cmd(" AND username=").lit(username)
And this would ensure that the two string literals are properly quoted and escaped. And the user can't do something like cmd("WHERE password='" + password + "'") because the single quotes in the command text are prohibited. And obviously cmd("WHERE password=").cmd(password) would never work, because the client-supplied password wouldn't get even the outer single quotes. So the correct way is the only way to get it to work at all, and you don't have any SQL insertion holes possible unless the language bindings get screwed up.
Of course, it's not necessary for the database to support placeholders in order for the language bindings to support substituted constants. The language bindings can substitute properly-handled constants, which would imply that any security flaws must be in the language bindings, which are exclusively written by people who ought to know better than to mess it up.
to post comments)