Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] is_literal
From: claude.pache@gmail.com (Claude Pache)
To: Joe Watkins
Cc: Craig Francis, PHP internals
Date: Tue, 15 Jun 2021 10:56:05 +0200
Message-ID: <46BF9BC3-8F34-4495-AD29-08E6FE12D7A8@gmail.com>

> On 15 June 2021 at 09:19, Joe Watkins wrote:
>
> Morning,
>
> https://3v4l.org/nJhc1/rfc#focus=rfc.literals
>
> It's not so much a bug as a side effect or quirk.
>
> Note that the result is correct, in the sense that you do have a literal string - it is not marking an unsafe string as safe.
>
> It's just that existing implementation details - RETURN_CHAR using interned strings, and literal constant strings being interned by the compiler - lead to a literal string being "re-used".
>
> This is just a natural consequence of literal strings retaining their literalness in the way we want them to, nothing dangerous is going on.

Hi,

I disagree that it is not dangerous. At the very least, it makes `is_literal()` unpredictable, therefore unreliable, which is bad. The following git is more illustrative of the issue:

https://3v4l.org/SNJDJ/rfc#focus=rfc.literals

The fact that a given string happens to be written literally somewhere else in the program doesn't mean that it is written literally in that context. Taking the example from the RFC:

    $qb->select('u')
       ->from('User', 'u')
       ->where('u.id = ' . $_GET['id']); // INSECURE

I want the `$qb->where()` method to be able to reliably detect that the string provided is not literal, even when it happens by chance that the exact same string appears literally somewhere else in my code.

—Claude
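A defensive shape for the `$qb->where()` method discussed in this message, as an added PHP example (not code from the RFC, from Doctrine, or from this thread); it assumes a hypothetical `QueryBuilder` class and that `is_literal()` exists only on the RFC branch linked above.

```php
<?php
// Added example, not code from the RFC or this thread: a query builder whose
// where() takes a literal SQL fragment plus bound parameters, so request
// values never become part of the SQL text. is_literal() exists only on the
// RFC branch, so that check is gated on function_exists(); parameter binding
// is the primary control and is_literal() is defence in depth.
final class QueryBuilder
{
    /** @var string[] */
    private array $where = [];
    /** @var array<string, scalar> */
    private array $params = [];

    public function where(string $expr, array $params = []): self
    {
        // Refuse SQL text that was not written literally in the program. As
        // the thread notes, interning can let an identical literal elsewhere
        // make this pass, so it must never be the only guard.
        if (function_exists('is_literal') && !is_literal($expr)) {
            throw new InvalidArgumentException(
                'where() expects a literal SQL fragment; bind values as parameters'
            );
        }
        foreach ($params as $name => $value) {
            // Placeholders are named, validated, and must occur in $expr.
            if (!preg_match('/^:[A-Za-z_]\w*$/', $name) || !str_contains($expr, $name)) {
                throw new InvalidArgumentException("Bad or unused placeholder: $name");
            }
            $this->params[$name] = $value;
        }
        $this->where[] = $expr;
        return $this;
    }

    /** Returns [sql, params] for PDO::prepare() / PDOStatement::execute(). */
    public function build(string $from): array
    {
        $sql = 'SELECT u.* FROM ' . $from;
        if ($this->where !== []) {
            $sql .= ' WHERE ' . implode(' AND ', $this->where);
        }
        return [$sql, $this->params];
    }
}

// Safe form of the RFC's example: the SQL text is literal, the request value
// is bound. The original 'u.id = ' . $_GET['id'] is rejected by where() on
// the RFC branch because $_GET values are never literal.
$id = $_GET['id'] ?? '42'; // '42' is a constructed fallback for CLI runs
[$sql, $params] = (new QueryBuilder())->where('u.id = :id', [':id' => $id])->build('User u');
```

Because the value only ever reaches the database through `$params`, the query stays safe even on stock PHP where `function_exists('is_literal')` is false and the literal check is skipped.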