$query = $db->prepare("DELETE FROM testtable WHERE noteid IN (".$noteid.")");
Dear Dinesh,
IMHO in 99% of the cases this is not a constant :), so I think
confirming that it is safe is a good idea (although that might
change in the future..).
It sounds good, when is the ETA for the plugin and what will it cost?
It seems this is already implemented for Java/JDBC - is it an
option to port this in the meanwhile?
Thx & Best regards,
Johannes
--
You received this message because you are subscribed to a topic in the Google Groups "SonarQube" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/sonarqube/Xi1_w6PRQD4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/91b3c255-627d-4195-b41a-1ec3c0401eac%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Kind regards,
Johannes Fiala
==========================
FWD GmbH
Viktoriagasse 7/33
1150 Wien
--------------------------
Tel: +43 1 595 23 55
Fax: +43 1 595 23 55-15
Web: http://www.fwd.at
==========================
On 15.03.2018 at 09:27, dinesh.bolkensteyn@sonarsource.com wrote:
Hey Johannes,
There may or may not be a vulnerability in the code snippet you've sent.
Indeed, if $noteid is defined as a constant (e.g. $noteid = 'foo'), then it's all good.
However, if it comes from a user-controlled source (e.g. $noteid = $_GET['param']), then there is a vulnerability.
Correctly implementing such a rule is not trivial.
Our goal for 2018 is to deliver a new (commercial) plugin to identify exactly this type of vulnerability in Java, C# and PHP code. See MMF-1189
On Wednesday, March 14, 2018 at 6:44:58 PM UTC+1, johannes....@gmail.com wrote:
For this PHP code sample:
$query = $db->prepare("DELETE FROM testtable WHERE noteid IN (".$noteid.")");
SonarQube doesn't detect the string-concatenated parameter.
Is it planned to enable SQL Injection detection in the PHP scanner as well?
Should I try to propose a custom rule?
Best,
Johannes
--
You received this message because you are subscribed to a topic in the Google Groups "SonarQube" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/sonarqube/Xi1_w6PRQD4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to sonarqube+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/a7fb844c-593a-2968-564a-9327d1866e7f%40fwd.at.
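The snippet discussed above, as an added example that is not part of the thread or of SonarQube: the vulnerable query as posted, next to a hardened version that binds a variable-length IN list instead of concatenating it. The table schema, the sample rows and the two inputs are constructed here; the example assumes the pdo_sqlite extension so it runs stand-alone against an in-memory database.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// posted snippet; the schema, rows and inputs are constructed for the demo.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE testtable (noteid INTEGER PRIMARY KEY, body TEXT)');
    $stmt = $db->prepare('INSERT INTO testtable (noteid, body) VALUES (?, ?)');
    foreach ([[1, 'a'], [2, 'b'], [3, 'c'], [4, 'd']] as $row) {
        $stmt->execute($row);
    }
    return $db;
}

function countRows(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM testtable')->fetchColumn();
}

// Vulnerable: the query from the thread. prepare() does not help here, because
// $noteid is pasted into the SQL text before the database ever parses it.
function deleteVulnerable(PDO $db, string $noteid): int
{
    $query = $db->prepare("DELETE FROM testtable WHERE noteid IN (" . $noteid . ")");
    $query->execute();
    return $query->rowCount();
}

// Hardened: treat $noteid as a comma-separated list of ids, reject anything that
// is not a plain integer, and emit one "?" placeholder per id so every value
// travels as a bound parameter rather than as SQL text.
function deleteSafe(PDO $db, string $noteid): int
{
    $ids = array_map('trim', explode(',', $noteid));
    foreach ($ids as $id) {
        if (!preg_match('/^\d+$/', $id)) {
            throw new InvalidArgumentException('noteid list must contain only integers');
        }
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $query = $db->prepare("DELETE FROM testtable WHERE noteid IN ($placeholders)");
    $query->execute(array_map('intval', $ids));
    return $query->rowCount();
}

// Constructed inputs: a benign list, and one that closes the IN list and
// appends a tautology, as it might arrive via $_GET['param'].
$benign  = '1,2';
$hostile = '1) OR (1=1';

$db = makeDb();
printf("vulnerable, benign input:  deleted %d of %d rows\n", deleteVulnerable($db, $benign), 4);
$db = makeDb();
printf("vulnerable, hostile input: deleted %d of %d rows\n", deleteVulnerable($db, $hostile), 4);

$db = makeDb();
printf("safe, benign input:        deleted %d, %d rows remain\n", deleteSafe($db, $benign), countRows($db));
$db = makeDb();
try {
    deleteSafe($db, $hostile);
} catch (InvalidArgumentException $e) {
    printf("safe, hostile input:       rejected (%s), %d rows remain\n", $e->getMessage(), countRows($db));
}
```

Run with `php example.php`. The hostile input turns the vulnerable statement into `DELETE FROM testtable WHERE noteid IN (1) OR (1=1)`, which empties the table; the hardened version never lets that string reach the parser, and even a value that passed validation would only ever be compared as an integer. This is also the distinction Dinesh draws above: a scanner has to know whether `$noteid` is a literal or flows from a user-controlled source, which is why a plain "string concatenation inside prepare()" pattern is not enough on its own.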
Dear Dinesh,
Great, thx for the input! Good it is on your list :).
Best regards,
Johannes
To unsubscribe from this group and all its topics, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/CAOqE0ny6mxvUH9M1jHtRWwD4ehoZ02e5kB5jvQ%2BVButhfq_TiA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.