To help pick up possible SQL injection issues (http://en.wikipedia.org/wiki/Sql_injection) in our PHP code I've been messing about with a modified version of PHP that supplies taint checking.
If you're unfamiliar with taint checking you can check some pages like http://en.wikipedia.org/wiki/Taint_checking or http://perldoc.perl.org/perlsec.html.
In short – it is a way to have PHP automatically mark a variable as unsafe if its value came from user input. If the code then tries to use that variable without checking it first, PHP produces warnings for the programmer. Without the warning the programmer might forget to make sure the code is safe.
Because the warnings and errors are so obvious, our programmers have to fix any PHP SQL injection vulnerabilities before moving on to another section of code.
After deploying it on one of our development servers I'm probably not the most popular sysadmin with our programming department, but at least we can feel a little safer that our PHP code is more secure.
The unofficial patch for PHP was written by Wietse Venema of the IBM Thomas J. Watson Research Center. Although not pretty, Wietse's README for PHP-Taint covers most of the setup instructions you'll need – ftp://ftp.porcupine.org/pub/php/php-5.2.5-taint-20080622.README.html
I set this up without much pain, did not have to modify any already-working PHP code, and have yet to find any bugs introduced by using this customized version of PHP. Because this is on a development server I was not concerned with the ~1% performance hit. In any case, inefficient user-written PHP code surely affects a server's performance a lot more than php-taint would.
For a server-wide config, instead of the method the README suggests, I decided to add an auto_prepend_file option to my php.ini and created an enable_taint_display_errors.php script to enable taint (e.g. auto_prepend_file = /var/lib/php/php_taint/enable_taint_display_errors.php). I did this because php.ini couldn't untaint the $_SERVER variables directly.
And if you're only interested in SQL injection issues you may want to disable the checks for HTML script injection with something like ini_set("taint_checks_html", 0);. Depending on your situation you may also want the taint checker to ignore data coming from a database (which it normally taints) with ini_set("taint_marks_dbms", 0);.
Instead of doing this server-wide, you could include this PHP script from your own PHP scripts, or, if you want it site-wide, configure your Apache virtual host with something like php_admin_value auto_prepend_file "/var/lib/php/php_taint/enable_taint_display_errors.php".
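Here is what such a prepend script can look like. It is an added example, not the enable_taint_display_errors.php script from this post; it assumes the php-taint build's untaint() function (taking the variable by reference) and its taint_error_level ini setting, since only taint_checks_html and taint_marks_dbms are named above, and it deliberately leaves request-derived $_SERVER entries tainted.

```php
<?php
// enable_taint_display_errors.php (added example, not the post's own script).
// Meant to be loaded via auto_prepend_file on a development server running the
// php-taint build. Assumptions: untaint() is the helper function the php-taint
// patch adds, and taint_error_level is its ini setting that controls how
// violations are reported. Only taint_checks_html and taint_marks_dbms are
// settings named in the post itself.

// Make the taint warnings visible so developers actually see them.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// Report taint violations as warnings rather than fatal errors (assumed setting).
ini_set('taint_error_level', E_WARNING);

// Only interested in SQL injection here: silence the HTML/script-injection
// checks and do not mark rows read back from the database as tainted.
ini_set('taint_checks_html', 0);
ini_set('taint_marks_dbms', 0);

// php.ini cannot untaint $_SERVER entries, so do it here, but only for values
// the web server sets itself. Anything derived from the request (HTTP_*
// headers, HTTP_HOST/SERVER_NAME, REQUEST_URI, QUERY_STRING, PATH_INFO,
// REMOTE_ADDR via proxies) stays tainted on purpose.
$trusted_server_keys = array(
    'SERVER_SOFTWARE',
    'SERVER_ADDR',
    'SERVER_PORT',
    'DOCUMENT_ROOT',
    'SCRIPT_FILENAME',
    'SCRIPT_NAME',
    'GATEWAY_INTERFACE',
    'SERVER_PROTOCOL',
    'REQUEST_TIME',
);

foreach ($trusted_server_keys as $key) {
    if (isset($_SERVER[$key])) {
        untaint($_SERVER[$key]); // assumed php-taint function, by reference
    }
}
```

Anything not in that list still triggers a warning when it reaches a query unescaped, which is exactly the behaviour you want on a development box.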
I hope to see this feature officially integrated into PHP some day.
Have Fun!