PHP: SQL-Injection not detected


johannes....@gmail.com

Mar 14, 2018, 1:44:58 PM
to SonarQube
For this PHP code sample:

$query = $db->prepare("DELETE FROM testtable
    WHERE noteid IN (".$noteid.")");

SonarQube doesn't detect the string-concatenated parameter.

Is it planned to enable SQL Injection detection in the PHP scanner as well?
Should I try to propose a custom rule?

Best,
Johannes

dinesh.bo...@sonarsource.com

Mar 15, 2018, 4:27:09 AM
to SonarQube
Hey Johannes,

There may or may not be a vulnerability in the code snippet you've sent.

Indeed, if $noteid is defined as a constant (e.g. $noteid = 'foo'), then it's all good.
However, if it comes from a user-controlled source (e.g. $noteid = $_GET['param']), then there is a vulnerability.

Correctly implementing such a rule is not trivial.

Our goal for 2018 is to deliver a new (commercial) plugin to identify exactly this type of vulnerability in Java, C# and PHP code. See MMF-1189.
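As an added example (not code from the thread, and not SonarQube's or SonarSource's code), here is the hardened form of the query from the original post: the ids travel as bound PDO parameters, one placeholder per id, so a value from $_GET can no longer alter the SQL text. It assumes testtable.noteid is an integer column and, for the stand-alone demo, a PDO connection through the pdo_sqlite driver; both are assumptions, not facts from the thread.

```php
<?php
// Added example, not from the thread: hardened version of
//   DELETE FROM testtable WHERE noteid IN (".$noteid.")
// Assumptions: noteid is an integer column; the demo uses an in-memory
// SQLite database (pdo_sqlite) so the file runs on its own.

declare(strict_types=1);

/**
 * Delete the notes whose ids are given, using one positional "?" per id so
 * every id is a bound parameter rather than part of the statement string.
 * Returns the number of rows deleted.
 */
function deleteNotesById(PDO $db, array $noteIds): int
{
    // Defence in depth: accept only plain non-negative integers (or digit-only
    // strings, which is what $_GET delivers) before anything reaches the driver.
    $clean = [];
    foreach ($noteIds as $id) {
        if (!is_int($id) && !(is_string($id) && ctype_digit($id))) {
            throw new InvalidArgumentException(
                'noteid must be an integer, got: ' . var_export($id, true)
            );
        }
        $clean[] = (int) $id;
    }
    if ($clean === []) {
        return 0; // empty list: nothing to delete, and "IN ()" would be a syntax error
    }

    // Build "?, ?, ?" with exactly as many placeholders as ids.
    $placeholders = implode(', ', array_fill(0, count($clean), '?'));
    $stmt = $db->prepare("DELETE FROM testtable WHERE noteid IN ($placeholders)");

    // Bind each id explicitly as an integer; positional parameters are 1-based.
    foreach ($clean as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed demo data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE testtable (noteid INTEGER PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO testtable VALUES (1,'a'),(2,'b'),(3,'c'),(4,'d'),(5,'e')");

// In the application this would be $_GET['noteid'], the user-controlled
// source Dinesh mentions; "3,4,5" is a constructed sample value.
$userInput = '3,4,5';
$ids = explode(',', $userInput);
echo deleteNotesById($db, $ids), " rows deleted\n";

// Anything that is not a list of integers is rejected before the query is
// built, instead of being spliced into the statement as the concatenated
// version in the original post would do.
try {
    deleteNotesById($db, ['not-a-number']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The integer check is not what makes the query safe (the placeholders do that); it is there so that a static analyser, or a reviewer, can see that the only values reaching the statement are integers, which also keeps the ids out of the log noise that free-form user strings produce.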

Johannes Fiala

Mar 15, 2018, 4:51:32 AM
to sona...@googlegroups.com

Dear Dinesh,

IMHO in 99% of the cases this is not a constant :), so I think confirming that it is safe is a good idea (although that might change in the future..).

It sounds good, when is the ETA for the plugin and what will it cost?

It seems this is already implemented for Java/JDBC - is it an option to port this in the meanwhile?

Thx & Best regards,

Johannes


-- 
Mit freundlichen Grüßen,
Johannes Fiala
==========================
FWD GmbH
Viktoriagasse 7/33
1150 Wien
--------------------------
Tel: +43 1 595 23 55
Fax: +43 1 595 23 55-15
Web: http://www.fwd.at
==========================

Dinesh Bolkensteyn

Mar 15, 2018, 8:44:06 AM
to Johannes Fiala, SonarQube
Indeed we already have a rule in Java and C# that essentially forbids using any non-compile-time constant as an SQL query.

However, no later than yesterday, someone complained about this rule raising false positives in C#:
(and more negative feedback on those rules can be found in this list's archives)

So we are not eager to make it available as well for PHP without improving it first.

I am unable to commit on any ETA or price of upcoming features. All I can say is that this is a key topic for SonarSource and for this year.

--
Dinesh Bolkensteyn | SonarSource

Principal Scientist

@dbolkensteyn

Johannes Fiala

Mar 15, 2018, 9:40:12 AM
to sona...@googlegroups.com

Dear Dinesh,

Great, thx for the input! Good it is on your list :).

Best regards,
Johannes
