Newsgroups: php.internals
Xref: news.php.net php.internals:109187
Date: Sat, 21 Mar 2020 20:09:34 +0000
To: Larry Garfield
Cc: php internals
Subject: Re: [PHP-DEV] [RFC] is_literal()
From: craig@craigfrancis.co.uk (Craig Francis)

On Sat, 21 Mar 2020 at 19:51, Larry Garfield wrote:

> Eg, there's plenty of very good reasons to put a template string into the
> database rather than a file literal. Or to build an SQL query dynamically
> in ways that an is_literal check would not allow, at least not without an
> absurdly complex query builder.

Thanks Larry, I think the examples I've provided should cover the issues that typically get raised.

The main ones tend to be "WHERE x IN (?,?,?)" and "ORDER BY variable", where the current workarounds get a bit risky (such as string escaping), but please let me know if I've missed any.
Craig

On Sat, 21 Mar 2020 at 19:51, Larry Garfield wrote:

> On Sat, Mar 21, 2020, at 2:13 PM, Craig Francis wrote:
> > Hi,
> >
> > I've written up my suggestion for an is_literal() function:
> >
> > https://wiki.php.net/rfc/is_literal
> >
> > Any feedback would be appreciated.
> >
> > Craig
>
> While I appreciate the intent, without an untaint() or equivalent I fear
> its usefulness will be limited, or else it will get overused and thus cut
> off numerous entirely valid situations.
>
> Eg, there's plenty of very good reasons to put a template string into the
> database rather than a file literal. Or to build an SQL query dynamically
> in ways that an is_literal check would not allow, at least not without an
> absurdly complex query builder.
>
> Without a way to flag "yes, I know this was built dynamically but I've
> vetted it, it's OK" on a value, I fear such a check will either be unuseful
> or counter-productive.
>
> --Larry Garfield
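The two query shapes Craig names in his reply ("WHERE x IN (?,?,?)" and "ORDER BY variable") are the ones where developers usually reach for string escaping. The following is an added example, not code from this thread or from the RFC, showing how both can be built so that the SQL text is assembled only from string literals in the source file while every user-supplied value travels through bound parameters; that is the property a check like the proposed is_literal() is meant to confirm. It does not call is_literal() itself, since the function was only a proposal. The table name `users`, the `SORT_COLUMNS` map, the helper names and the in-memory SQLite database (via the pdo_sqlite extension) are all assumptions of this example.

```php
<?php
// Added example (not from the RFC or the thread): building the two query
// shapes discussed above so that the SQL text only ever comes from string
// literals in this file, while every user-supplied value is bound.

declare(strict_types=1);

// ORDER BY: a column name cannot be a bound parameter, so map the requested
// key onto a literal from a fixed allow-list instead of escaping it. The
// map keys and values are assumptions for this example.
const SORT_COLUMNS = [
    'name'    => 'name',
    'created' => 'created_at',
];

function orderByClause(string $requested, string $default = 'name'): string
{
    // The returned text is the literal stored in the map, never the caller's
    // string, so an unknown key silently falls back to the default column.
    $key = array_key_exists($requested, SORT_COLUMNS) ? $requested : $default;
    return ' ORDER BY ' . SORT_COLUMNS[$key];
}

// WHERE x IN (?,?,?): generate one "?" per value and bind the values
// separately; the generated text consists only of "?" and "," literals.
function inClause(array $values): array
{
    if ($values === []) {
        // "IN ()" is a syntax error in most engines; return an always-false
        // predicate instead so callers need no special case.
        return ['1 = 0', []];
    }
    $placeholders = implode(',', array_fill(0, count($values), '?'));
    return ['id IN (' . $placeholders . ')', array_values($values)];
}

function findUsers(PDO $db, array $ids, string $sort): array
{
    [$where, $params] = inClause($ids);
    // Every fragment concatenated here originates from a literal above.
    $sql = 'SELECT id, name FROM users WHERE ' . $where . orderByClause($sort);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database (assumed available).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, created_at TEXT)');
$insert = $db->prepare('INSERT INTO users (id, name, created_at) VALUES (?, ?, ?)');
foreach ([[1, 'carol', '2020-03-01'], [2, 'alice', '2020-02-01'], [3, 'bob', '2020-01-01']] as $row) {
    $insert->execute($row);
}

// Untrusted-looking input: the ids are bound as plain values (the third one
// simply matches no row), and the sort key is not in SORT_COLUMNS, so the
// query falls back to ordering by name.
print_r(findUsers($db, ['1', '3', '3 OR 1=1'], 'created_at; --'));
```

The point of the two helpers is that neither escapes anything: `inClause()` only changes how many placeholders appear, and `orderByClause()` only selects which literal is used, so the resulting query string has the same provenance as a hand-written one. If a team adopts this pattern, a check in the spirit of is_literal() applied to `$sql` becomes a cheap regression test that nobody has later slipped a request value into the query text.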