Newsgroups: php.internals
Date: Sat, 12 Jun 2021 23:45:55 +0300
From: Lauri Kenttä <lauri.kentta@gmail.com>
To: Craig Francis
Cc: PHP internals
Subject: Re: [PHP-DEV] [RFC] is_literal
Message-ID: <0479231c51cebfecedce59b367f3a934@gmail.com>
References: <315be10c00c5e68238fb210ee543df1d@gmail.com>

On 2021-06-12 22:21, Craig Francis wrote:
> On Sat, 12 Jun 2021 at 19:59, Lauri Kenttä wrote:
>
>> Hi,
>>
>> I wrote the untaint() / make_literal() function, just in case.
>>
>> implode("", array_map(fn($c) => $chars[ord($c)], str_split($s, 1)))
>>
>> https://3v4l.org/EaN9Z#focus=rfc.literals
>>
>> Sorry and bye.
>
> Yes, I have a similar example in the RFC (eval).

Oh, the irresponsible use of eval was so overwhelming that I missed the new string literal there. You could add var_export to make it more realistic.

Anyway, the RFC is well motivated and thoroughly thought out. The approach is very simple but fits many use cases, compared to previous alternatives, which were complex but more limited in the end. When libraries and PDO start to use this, we can finally get rid of SQL injections and a number of self-made input handling tricks, if only people have learned to read warnings...

So thanks for writing this RFC. I hope it passes.

--
Lauri Kenttä
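As an added illustration (not code from the RFC or from anyone in this thread) of the library-side guard Lauri describes: a thin PDO wrapper that refuses any SQL string is_literal() does not recognise as a source literal, so runtime data can only reach the query as bound parameters. It assumes is_literal() behaves as the RFC proposes (true for strings written as literals in PHP source and for concatenations of such literals), so it needs a PHP build carrying the RFC patch such as the 3v4l branch linked above; SafeDb and the users table are constructed for the example.

```php
<?php
// Added illustration of the is_literal() guard, assuming the RFC's
// is_literal(): true only for strings written as literals in PHP
// source (and concatenations of those), false once runtime data mixes in.

final class SafeDb
{
    public function __construct(private PDO $pdo) {}

    /**
     * Run a query whose SQL text must be a source literal. Runtime
     * values travel as bound parameters, never inside the SQL string.
     */
    public function query(string $sql, array $params = []): array
    {
        if (!is_literal($sql)) {
            // The SQL string was built from non-literal input: refuse it
            // before it ever reaches prepare(). This is the warning point
            // a library would expose to its callers.
            throw new InvalidArgumentException('SQL must be a literal string');
        }
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

$db = new SafeDb(new PDO('sqlite::memory:'));
$db->query('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->query('INSERT INTO users (name) VALUES (?)', ['alice']);

$name = $_GET['name'] ?? "alice' OR '1'='1";   // untrusted runtime input

// Accepted: literal SQL, the value bound as a parameter.
$rows = $db->query('SELECT id, name FROM users WHERE name = ?', [$name]);
printf("bound parameter: %d row(s)\n", count($rows));

// Still accepted: concatenating two literals yields a literal per the RFC.
$rows = $db->query('SELECT id, name FROM users' . ' ORDER BY name');
printf("literal concatenation: %d row(s)\n", count($rows));

// Rejected: the SQL string itself contains runtime data.
try {
    $db->query("SELECT id, name FROM users WHERE name = '$name'");
} catch (InvalidArgumentException $e) {
    echo 'interpolated input rejected: ', $e->getMessage(), "\n";
}
```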