Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: Literal / Taint checking
From: rowan.collins@gmail.com (Rowan Tommins)
To: PHP internals
Date: Mon, 9 Mar 2020 16:53:50 +0000

On Mon, 9 Mar 2020 at 13:47, Craig Francis wrote:

> Hi,
>
> As I'm not sure how to make any more progress on this, I've added a
> Feature Request:
>
> https://bugs.php.net/bug.php?id=79359
>
> It shows how this change in PHP could stop SQL injection, and proposes a
> way it could be used against HTML injection as well.

Hi Craig,

In my experience, the bug tracker is likely to get you less attention than this list, rather than more.

For this kind of significant change, the way to get a more in-depth discussion going is to draft an RFC; there are some instructions and tips on how to go about that at https://wiki.php.net/rfc/howto and https://blogs.oracle.com/opal/the-mysterious-php-rfc-process-and-how-you-can-change-the-web

The idea of an RFC is to sit down and design exactly how the proposed feature would work; that helps move the discussion forward, because people can see exactly how it might look, and means you're offering something to the community rather than asking it of them. The RFC doesn't have to include a full implementation, but if you don't know much about the technical details, you might need help from someone who does to make sure the proposal is realistic.

I see you've linked an older RFC in the feature request; it would be worth digging out the archived discussion from when that was proposed, to see why it stalled. It may just be that people were distracted by other things, or there may be issues raised which you can consider in a new proposal. If you haven't already, you could try contacting the author as well.

In general, I think it's an interesting idea, but as the saying goes, "the devil is in the detail", so I don't have much to say without a concrete proposal for what it would look like.

Regards,

-- 
Rowan Tommins
[IMSoP]