Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:109219
Return-Path: <mike@newclarity.net>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 96774 invoked from network); 23 Mar 2020 01:44:38 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 23 Mar 2020 01:44:38 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 48AEF1801FD
	for <internals@lists.php.net>; Sun, 22 Mar 2020 17:08:40 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <mike@newclarity.net>
Received: from mail-qk1-f176.google.com (mail-qk1-f176.google.com [209.85.222.176])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sun, 22 Mar 2020 17:08:39 -0700 (PDT)
Received: by mail-qk1-f176.google.com with SMTP id d11so13620347qko.3
        for <internals@lists.php.net>; Sun, 22 Mar 2020 17:08:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=newclarity-net.20150623.gappssmtp.com; s=20150623;
        h=mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=aV5jxpF7FL8PK9gkc0oMGkNqjWDR2GmOT/o7UKw9Sh0=;
        b=qpAMaCLyCYdKNKTD48UIxN2i2spos8DfXJiuRsNFQYQG6I/ROqlR0oyP0G4goiaz+e
         FW+9OwVUlNqAnf8w+NbBAUoVuJpRiQEj0MpORborvIjjX6EbiGJV4AESvf2dYQHesKJ1
         1jIqzkG0IYXy/XeQE6Izr1FjeOZG7qyOvJwIPTL38pGvkP1k3HTl/OoZkj2jBHUPEbB8
         AJ0stBjHVxLslM3F8qZbh2D4gBeQUUYTrAmZh6ZMqGostq5YiSXYkXKZV27Cit8MOP5q
         aEoZAwPfZL+yVdWOnwqN6QGIuAj1MR0EPkJAXWTryUFVyaG+K5uPnfMzpoJCHm+f9vb6
         XUoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=aV5jxpF7FL8PK9gkc0oMGkNqjWDR2GmOT/o7UKw9Sh0=;
        b=MEkKhdD6Xqu7Ar08KuTgwd3kllnqxM7l4nNWZE9obkb6+IHudGdbl7oI5+kVLBF6mD
         i5fuNF0D7HJvZ6Ade+zXiLj9WUHIxlza0uLdMDQaRREK87fWRnQPdWtMzmlhRGG1E703
         pup190wOB+xOcF5ciUfzLxdWCMrNBOOK+t/H6TQkytHtNpeOxfb5Fn2mMQHjsBX9Ezey
         lVB9xfNeqDbf2V5TjLg0JHTr1Ac0+hTfigoNE9htdxmf4iJrdoIvLx8aoq+wFn7zdvDT
         lE5AY0k3toenC7YphCO8zxYs+6AUubUuwcTg+3y5H7Pdt3EU5De8UVH1f9JlxfYTnOMY
         O+SA==
X-Gm-Message-State: ANhLgQ23EH8HCOgRigoFDQjfldYPQxCO6XMSbeAjOQXjdSD5ka4YPZ9S
	ZfN7hmRD/APSV97V8o7e5mtfbg==
X-Google-Smtp-Source: ADFU+vsAUK3df9hIk+OD0q1I82fIy5dGAejAyficzoyRAJsBGdcjBJcqHl0615OBgaC72/yBEzYeSA==
X-Received: by 2002:a37:4785:: with SMTP id u127mr3268505qka.135.1584922119367;
        Sun, 22 Mar 2020 17:08:39 -0700 (PDT)
Received: from ?IPv6:2601:c0:c680:5cc0:b161:bce7:21ab:aa25? ([2601:c0:c680:5cc0:b161:bce7:21ab:aa25])
        by smtp.gmail.com with ESMTPSA id u51sm11363373qth.46.2020.03.22.17.08.38
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 22 Mar 2020 17:08:38 -0700 (PDT)
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
In-Reply-To: <3F33C0E3-8AE9-4E13-80F1-05E804942488@craigfrancis.co.uk>
Date: Sun, 22 Mar 2020 20:08:37 -0400
Cc: PHP internals <internals@lists.php.net>
Content-Transfer-Encoding: quoted-printable
Message-ID: <2872489E-2D70-45E0-AE1C-2CCC272BC45D@newclarity.net>
References: <3F33C0E3-8AE9-4E13-80F1-05E804942488@craigfrancis.co.uk>
To: Craig Francis <craig@craigfrancis.co.uk>
X-Mailer: Apple Mail (2.3445.104.11)
Subject: Re: [PHP-DEV] is_literal() + WordPress
From: mike@newclarity.net (Mike Schinkel)

> On Mar 22, 2020, at 7:14 PM, Craig Francis <craig@craigfrancis.co.uk> =
wrote:
>=20
> On Sun, 22 Mar 2020 at 19:11, Mike Schinkel <mike@newclarity.net> =
wrote:
>> IMO getting that in WordPress core is highly unlikely
>=20
> Good point, like all systems, WordPress will need to consider older =
versions of PHP.
>=20
> But, because this is a new function, they can avoid that issue by =
using `function_exists()`, as in...
>=20
>    if (function_exists('is_literal') && !is_literal($sql)) {
>        trigger_error('This is an unsafe $query, please use =
$wpdb->prepare()', E_USER_NOTICE);
>    }

True....

> This would be a pretty easy way for WordPress to show they take =
security seriously, and helping developers to avoid these "all too =
common" mistakes.
>=20
> But I do appreciate how much effort it can be to introduce anything in =
to WordPress :-)

...but I will let you be the one to champion that cause given how much =
effort not being a core developer and getting anything added to =
WordPress it is.  :-)

-Mike