Ending Injection Vulnerabilities - Craig Francis
Imagine you're working on a project that uses Doctrine for database abstraction. You think you're safe from SQL injection vulnerabilities, but a developer has just written:

    $qb->select('u')
       ->from('User', 'u')
       ->where('u.id = ' . $_GET['id']);

    $qb->select('u')
       ->from('User', 'u')
       ->where($qb->expr()->andX(
           $qb->expr()->eq('u.type_id', $_GET['type']),
           $qb->expr()->isNull('u.deleted')
       ));

Even when using abstractions or parameterized queries, mistakes can still happen, often with junior developers but also in complex codebases. Instead, if we follow Mike Samuel's advice and "distinguish strings from a trusted developer, from strings that may be attacker-controlled," we arrive at a surprisingly simple solution to all injection vulnerabilities.

In this talk, I'll show how libraries can detect when developers misuse them (often unintentionally) and how you can apply this technique in your own projects. The key is identifying which string arguments in public methods receive sensitive values (such as those used directly in SQL) and adding the literal-string type to their definitions. This ensures the value must be a string explicitly defined within the source code, written by a trusted developer.
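As an added illustration of that last point (example code, not from the talk or from Doctrine): a small library method whose SQL argument is declared `literal-string` in its docblock, which the Psalm and PHPStan static analysers enforce, so a query string built from `$_GET` cannot be passed to it while bound parameters still carry any user value. The `Db` class, its `select()` method and the in-memory SQLite table are assumptions for the demonstration; the `sqlite::memory:` DSN requires the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

/** Hypothetical library wrapper used for this example. */
final class Db
{
    public function __construct(private PDO $pdo) {}

    /**
     * Only the SQL text is restricted: it must be a literal written in source code.
     * Values from users travel separately as bound parameters, so they are never
     * interpolated into the statement.
     *
     * @param literal-string $sql
     * @param array<string, scalar|null> $params
     * @return list<array<string, mixed>>
     */
    public function select(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed sample data so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE user (id INTEGER, type_id INTEGER, deleted TEXT NULL)');
$pdo->exec("INSERT INTO user VALUES (1, 2, NULL), (2, 2, '2024-01-01'), (3, 3, NULL)");
$db = new Db($pdo);

// Accepted: the SQL is a literal in source; the request value is a bound parameter.
$rows = $db->select(
    'SELECT id FROM user WHERE type_id = :type AND deleted IS NULL',
    ['type' => (int) ($_GET['type'] ?? 2)]
);
var_dump($rows); // one row, id => 1

// Flagged by Psalm/PHPStan: concatenating $_GET yields a plain `string`, not a
// `literal-string`, so the call does not type-check. Same mistake as the
// Doctrine snippet above, now caught before the code ever runs.
// $db->select('SELECT id FROM user WHERE id = ' . ($_GET['id'] ?? '1'));
```

The analyser error is the library "detecting misuse": the method signature, not a code review, is what refuses request data in the SQL text.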