Ending Injection Vulnerabilities - Craig Francis

Craig Francis
Description
Injection Vulnerabilities remain in the "OWASP Top 10" and the "CWE Top 25 Most Dangerous Software Weaknesses". Unfortunately, database abstractions (like Doctrine) or parameterised queries do not, on their own, prevent Injection Vulnerabilities (I've got several examples), so they can create a false sense of security (especially with complicated code, or when junior developers are involved). Fortunately, there is a simple solution to identify these mistakes: "distinguishing strings from a trusted developer, from strings that may be attacker controlled" (Mike Samuel, March 2019; and Christoph Kern, September 2014). This can be done in PHP with the `literal-string` type (using PHPStan and Psalm). It's been proven to work in other languages (Facebook/Meta use the LiteralString type in Python, and Google use the "un-exported string type" in Go), it works really well with our existing code, and it guarantees there cannot be any mistakes that lead to an Injection Vulnerability.
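The approach described above, as an added example (not code from the talk or its author): a hypothetical `runQuery()` wrapper whose `$sql` parameter is annotated with the `literal-string` type that PHPStan and Psalm understand. The analyser accepts SQL assembled only from strings written in the source, and reports a call where a request value has been concatenated into the query, even though the call also uses parameters. The SQLite database, table and column names are constructed for the example.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical query wrapper (added example, not the talk's own code).
 *
 * `literal-string` tells PHPStan/Psalm that $sql may only be built from
 * strings that appear in the source code, so anything derived from
 * $_GET, $_POST, a file, or a database column is rejected at analysis
 * time. Values that vary at runtime go in $params instead.
 *
 * @param literal-string              $sql
 * @param array<string, scalar|null>  $params
 */
function runQuery(PDO $db, string $sql, array $params = []): PDOStatement
{
    $statement = $db->prepare($sql);
    $statement->execute($params);
    return $statement;
}

// Constructed in-memory database so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, created TEXT)');
$db->exec("INSERT INTO users (name, email, created) VALUES ('Alice', 'alice@example.com', '2024-01-01')");

// 1. A literal query with the runtime value passed as a parameter: accepted.
$email = (string) ($_POST['email'] ?? 'alice@example.com');
$rows = runQuery($db, 'SELECT id, name FROM users WHERE email = :email', ['email' => $email])->fetchAll();

// 2. Concatenating literals is still a literal-string: accepted.
$sql = 'SELECT id, name FROM users';
$sql .= ' WHERE email IS NOT NULL';
$rows = runQuery($db, $sql)->fetchAll();

// 3. A request value spliced into the SQL: $sort is a plain `string`, so
//    PHPStan/Psalm report a type error here. ORDER BY cannot take a bound
//    parameter, which is exactly the situation where parameterised queries
//    alone give a false sense of security.
$sort = (string) ($_GET['sort'] ?? 'name');
// $rows = runQuery($db, 'SELECT id, name FROM users ORDER BY ' . $sort)->fetchAll();

// 4. Mapping the request value onto a developer-written literal restores the
//    guarantee: $column is inferred as 'name'|'created', which satisfies
//    literal-string, so this call is accepted.
$column = match ($sort) {
    'created' => 'created',
    default   => 'name',
};
$rows = runQuery($db, 'SELECT id, name FROM users ORDER BY ' . $column)->fetchAll();

print_r($rows);
```

Running `vendor/bin/phpstan analyse` or `vendor/bin/psalm` over this file with the commented-out line in step 3 restored produces a "expects literal-string, string given" style error at that call and nothing elsewhere; the file itself runs normally under plain PHP, because the check lives entirely in static analysis.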