A way to identify trusted developer strings (aka "literals", which have been defined within the PHP script) which need to be used for HTML templates, SQL strings, CLI strings; and keep those completely separate from user controlled (attacker tainted) strings.

1. is_literal()
A proposed function for PHP
Craig Francis

2. is_literal()
To distinguish between safe strings,
which have been defined in your PHP script.

3. is_literal()
To distinguish between safe strings,
which have been defined in your PHP script.
VS unsafe strings,
which have been tainted by external sources.

4. The Problem

5. The Problem

6. The Problem

7. The Problem
Version 5.4.1
April 29, 2020

8. The Problem
Version 5.4.2
June 10, 2020

9. is_literal() is not the same as Taint Checking.
The Problem

10. Injection problems are rarely solved by Static Analysis.
The Problem

11. Injection problems are rarely solved by Static Analysis.
Still do use this.
The Problem

12. Injection problems are rarely solved by Static Analysis.
But it's hard to follow every variable from Source to Sink.
The Problem

13. Injection problems are rarely solved by Static Analysis.
And don't expect every programmer to use.
The Problem

14. $mysqli = new mysqli('localhost', 'test', '???', 'test');
$result = $mysqli->query('SELECT * FROM user WHERE id = ' . $_GET['id']);
if ($result instanceof mysqli_result) {
print_r($result->fetch_all());
}
Static Analysis
PHPStan

15. $mysqli = new mysqli('localhost', 'test', '???', 'test');
$id = (string) $_GET['id'];
$result = $mysqli->query('SELECT * FROM user WHERE id = ' . $id);
if ($result instanceof mysqli_result) {
print_r($result->fetch_all());
}
Static Analysis
Avoid MixedAssignment
Psalm

16. $mysqli = new mysqli('localhost', 'test', '???', 'test');
$id = (string) $_GET['id'];
$result = $mysqli->query('SELECT * FROM user WHERE id = ' . $id);
if ($result instanceof mysqli_result) {
print_r($result->fetch_all());
}
Static Analysis
Psalm,
Taint Analysis
I'm not using "mysqli_query()"
https://github.com/vimeo/psalm/issues/4155
Avoid MixedAssignment

17. Google engineer Christoph Kern, 2015:
https://www.usenix.org/conference/usenixsecurity15/symposium-program/
presentation/kern
Other Implementations

18. Google engineer Christoph Kern, 2015:
"Developer education doesn't solve the problem"
Other Implementations

19. Google engineer Christoph Kern, 2015:
"Bugs are hard to find after the fact"
Other Implementations

20. Google engineer Christoph Kern, 2015:
"Bugs are hard to find after the fact"
"Manual Testing, Automated Testing, Static Analysis, Human Code Reviews;
... will find some of these bugs..." @04:02
Other Implementations

21. Google have a similar solution in Go:
https://github.com/google/go-safeweb/tree/master/safehttp
https://blogtitle.github.io/go-safe-html/
Other Implementations
HTML Injection / XSS
By Roberto Clapis

22. Google have a similar solution in Go:
https://github.com/google/go-safeweb/tree/master/safesql
A Query Builder, with an Append() method that only accepts compile-time
constant strings (literal or const).
Other Implementations
SQL Injection

23. JavaScript may get a similar solution:
https://github.com/tc39/proposal-array-is-template-object
"Distinguishing strings from a trusted developer,
from strings that may be attacker controlled"
Other Implementations

24. Examples

25. Examples

26. Examples

27. $users = $queryBuilder
->select('u')
->from('User', 'u')
->where('u.type_id = 1')
->getQuery()
->getResult();
Doctrine QueryBuilder
Examples

28. $users = $queryBuilder
->select('u')
->from('User', 'u')
->where('u.type_id = ?1')
->setParameter(1, $_GET['type_id'])
->getQuery()
->getResult();
Examples

29. $users = $queryBuilder
->select('u')
->from('User', 'u')
->where('u.type_id = 1')
->getQuery()
->getResult();
Examples

30. $users = $queryBuilder
->select('u')
->from('User', 'u')
->where('u.type_id = ' . $_GET['type_id'])
->getQuery()
->getResult();
Examples

31. Examples

32. Examples

33. $users = $queryBuilder
->select('u')
->from('User', 'u')
->where('u.type_id = 1')
->getQuery()
->getResult();
Safe String, a Literal
Examples

34. $users = $queryBuilder
->select('u')
->from('User', 'u')
->where('u.type_id = ' . $_GET['type_id'])
->getQuery()
->getResult();
Unsafe StringSafe String
Examples

35. $users = $queryBuilder
->select('u')
->from('User', 'u')
->where('u.type_id = ' . $_GET['type_id'])
->getQuery()
->getResult();
Examples
'WHERE u.type_id = u.type_id'

36. $sql = 'SELECT u FROM User u WHERE u.type_id = ' . $_GET['type_id'];
$query = $entityManager->createQuery($sql);
Doctrine - CreateQuery
Examples

37. $users = UserQuery::create()->where('type_id = ' . $_GET['type_id'])->find();
Propel ORM - Where
Examples

38. $result = R::find('user', 'type_id = ' . $_GET['type_id']);
RedBeanPHP - Find
Examples

39. $template = $twig->createTemplate('<p>Hello {{ name }}</p>');
echo $template->render(['name' => $_GET['name']]);
Examples Safe String, a Literal

40. $template = $twig->createTemplate('<p>Hello ' . $_GET['name'] . '</p>');
echo $template->render();
Examples Unsafe String

41. Examples

42. $output = shell_exec('ls /');
Safe String, a Literal
Examples

43. Examples
$output = shell_exec('ls ' . $_GET['path']);
Unsafe String

44. Taint Checking
https://pecl.php.net/package/taint

45. Taint Checking
$prefix = 'Hi ';
$welcome_html = $prefix . 'Name';

46. Taint Checking
$prefix = 'Hi ';
$welcome_html = $prefix . 'Name';
Untainted

47. Taint Checking
$prefix = 'Hi ';
$welcome_html = $prefix . 'Name';
Untainted
Untainted
Untainted

48. Taint Checking
$prefix = 'Hi ';
$welcome_html = $prefix . 'Name';
Untainted, Safe

49. Taint Checking
$name = $_GET['name'];
$prefix = 'Hi ';
$welcome_html = $prefix . $name;

50. Taint Checking
$name = $_GET['name'];
$prefix = 'Hi ';
$welcome_html = $prefix . $name;
Tainted

51. Taint Checking
$name = $_GET['name'];
$prefix = 'Hi ';
$welcome_html = $prefix . $name;

52. Taint Checking
$name = $_GET['name'];
$prefix = 'Hi ';
$welcome_html = $prefix . $name;
Untainted

53. Taint Checking
$name = $_GET['name'];
$prefix = 'Hi ';
$welcome_html = $prefix . $name;
Untainted
Tainted

54. Taint Checking
$name = $_GET['name'];
$prefix = 'Hi ';
$welcome_html = $prefix . $name;
Tainted, not safe

55. Taint Checking
$name = $_GET['name'];
$prefix = 'Hi ';
$welcome_html = $prefix . htmlentities($name);

56. Taint Checking
$name = $_GET['name'];
$prefix = 'Hi ';
$welcome_html = $prefix . htmlentities($name);
Un-Taint

57. Taint Checking
$name = $_GET['name'];
$prefix = 'Hi ';
$welcome_html = $prefix . htmlentities($name);
Untainted, should be safe.

58. Taint Checking
$url = $_GET['url'];
$name = $_GET['name'];
$link_html = '<a href="' . htmlentities($url) . '">' . htmlentities($name) . '</a>';

59. Taint Checking
$url = $_GET['url'];
$name = $_GET['name'];
$link_html = '<a href="' . htmlentities($url) . '">' . htmlentities($name) . '</a>';
Tainted
Tainted

60. Taint Checking
$url = $_GET['url'];
$name = $_GET['name'];
$link_html = '<a href="' . htmlentities($url) . '">' . htmlentities($name) . '</a>';
Tainted Tainted

61. Taint Checking
$url = $_GET['url'];
$name = $_GET['name'];
$link_html = '<a href="' . htmlentities($url) . '">' . htmlentities($name) . '</a>';
Un-Taint Un-Taint

62. Taint Checking
$url = $_GET['url'];
$name = $_GET['name'];
$link_html = '<a href="' . htmlentities($url) . '">' . htmlentities($name) . '</a>';
Untainted, surely this is safe?

63. Taint Checking
$url = $_GET['url'];
$name = $_GET['name'];
$link_html = '<a href="' . htmlentities($url) . '">' . htmlentities($name) . '</a>';
'javascript:alert("hi")'

64. Taint Checking
$sql .= 'WHERE id = ' . mysqli_real_escape_string($link, $_GET['id']);
Tainted

65. Taint Checking
$sql .= 'WHERE id = ' . mysqli_real_escape_string($link, $_GET['id']);
Untainted Un-Taint

66. Untainted, surely this is safe?
Taint Checking
$sql .= 'WHERE id = ' . mysqli_real_escape_string($link, $_GET['id']);

67. Taint Checking
$sql .= 'WHERE id = ' . mysqli_real_escape_string($link, $_GET['id']);
Missing quotes

68. Taint Checking
$sql .= 'WHERE id = ' . mysqli_real_escape_string($link, $_GET['id']);
"id"

69. Taint Checking
$sql .= 'WHERE id = ' . mysqli_real_escape_string($link, $_GET['id']);
$sql .= 'WHERE id = id';
"id"

70. Taint Checking
$img_html = '<img src=' . htmlentities($_GET['url']) . '>';
TaintedUntainted Untainted

71. Taint Checking
$img_html = '<img src=' . htmlentities($_GET['url']) . '>';
Un-Taint

72. Taint Checking
$img_html = '<img src=' . htmlentities($_GET['url']) . '>';
Untainted, surely this is safe?

73. Taint Checking
$img_html = '<img src=' . htmlentities($_GET['url']) . '>';
Missing quotes

74. Taint Checking
$img_html = '<img src=' . htmlentities($_GET['url']) . '>';
$img_html = '<img src=/ onerror=evil-js>';
"/ onerror=evil-js"

75. Taint Checking
How about character encoding issues?
The PDO Quote function clearly says it's only "theoretically safe".
https://www.php.net/pdo.quote

76. Summary
Do not mix safe strings (literals), with anything that may be attacker controlled.

77. Summary
We need a way to ensure this does not happen.

78. is_literal('This is a Literal');

79. is_literal('This is a Literal');
true

80. $a = 'This is a Literal';
is_literal($a);
true

81. $a = 'This is a Literal';
is_literal($a . 'And this');
true

82. $a = 'This is a Literal';
is_literal($a . $_GET['name']);
false

83. $a = 'This is a Literal';
is_literal($a . htmlentities($_GET['name']));
Still false

84. $a = 'This is a Literal';
is_literal($a . strtoupper('abc'));
Sorry, this is false - 'ABC' is no longer the string defined in the PHP script.

85. $users = $queryBuilder
->select('u')
->from('User', 'u')
->where('u.type_id = 1')
->getQuery()
->getResult();
Doctrine

86. $users = $queryBuilder
->select('u')
->from('User', 'u')
->where('u.type_id = 1')
->getQuery()
->getResult();
public function where($predicates)
{
if (!is_literal($predicates)) {
throw new Exception('Can only accept a literal');
}
...
}
Is a Safe Literal?

87. $users = $queryBuilder
->select('u')
->from('User', 'u')
->where('u.type_id = ' . $_GET['type_id'])
->getQuery()
->getResult();
public function where($predicates)
{
if (!is_literal($predicates)) {
throw new Exception('Can only accept a literal');
}
...
}
Not a Safe Literal

88. $template = $twig->createTemplate('<p>Hello {{ name }}</p>');
echo $template->render(['name' => $_GET['name']]);
Twig

89. $template = $twig->createTemplate('<p>Hello {{ name }}</p>');
echo $template->render(['name' => $_GET['name']])
public function createTemplate(string $template, string $name = null): TemplateWrapper
{
if (!is_literal($template)) {
throw new Exception('Can only accept a literal');
}
...
}
Is a Safe Literal?

90. $template = $twig->createTemplate('<p>Hello ' . $_GET['name'] . '</p>');
echo $template->render()
public function createTemplate(string $template, string $name = null): TemplateWrapper
{
if (!is_literal($template)) {
throw new Exception('Can only accept a literal');
}
...
}
Not a Safe Literal

91. if (function_exists('is_literal') && !is_literal($a)) {
trigger_error('Can only accept a literal', E_USER_NOTICE);
}
Backwards compatibility
Notices might be safer for legacy projects.

92. if (!function_exists('is_literal')) {
function is_literal($variable) {
return true;
}
}
Backwards compatibility

93. $sql .= 'ORDER BY ' . $field_name;
What about Table and Field names?

94. $fields = [
'name',
'created',
'admin',
];
$field_id = array_search(($_GET['sort'] ?? 'created'), $fields);
$sql = ' ORDER BY ' . $fields[$field_id];

95. $sql .= 'WHERE id IN (1, 2, 3)';
What about WHERE IN?

96. $ids = [1, 2, 3];
$sql .= 'WHERE id IN (' . implode(', ', $ids) . ')';
From an unknown source

97. $ids = [1, 2, 3];
$sql .= 'WHERE id IN (' . implode(',', array_fill(0, count($ids), '?')) . ')';

98. $ids = [1, 2, 3];
$sql .= 'WHERE id IN (' . implode(',', array_fill(0, count($ids), '?')) . ')';
$sql .= 'WHERE id IN (?, ?, ?)';

99. https://wiki.php.net/rfc/is_literal
https://github.com/craigfrancis/php-is-literal-rfc
Thank You