Newsgroups: php.internals
Xref: news.php.net php.internals:114880
Date: Tue, 15 Jun 2021 11:54:53 +0200
To: Claude Pache
Cc: Craig Francis, PHP internals
Subject: Re: [PHP-DEV] [RFC] is_literal
From: krakjoe@gmail.com (Joe Watkins)

Hi,

It's not unpredictable.

    krakjoe@Fiji:/opt/src/php-src$ cat nothing.php
    krakjoe@Fiji:/opt/src/php-src$ var=not-literal sapi/cli/php nothing.php
    string(11) "not-literal"
    bool(false)

The engine doesn't intern "randomly", and doesn't intern input.

Cheers
Joe

On Tue, 15 Jun 2021 at 10:56, Claude Pache wrote:
>
>> On 15 June 2021 at 09:19, Joe Watkins wrote:
>>
>> Morning,
>>
>> https://3v4l.org/nJhc1/rfc#focus=rfc.literals
>>
>> It's not so much a bug as a side effect or quirk.
>>
>> Note that the result is correct, in the sense that you do have a literal
>> string - it is not marking an unsafe string as safe.
>>
>> It's just that existing implementation details - RETURN_CHAR using
>> interned strings, and literal constant strings being interned by the
>> compiler - lead to a literal string being "re-used".
>>
>> This is just a natural consequence of literal strings retaining their
>> literalness in the way we want them to, nothing dangerous is going on.
>
> Hi,
>
> I disagree that it is not dangerous. At the very least, it makes
> `is_literal()` unpredictable, therefore unreliable, which is bad. The
> following git is more illustrative of the issue:
>
> https://3v4l.org/SNJDJ/rfc#focus=rfc.literals
>
> The fact that a given string happens to be written literally somewhere
> else in the program doesn't mean that it is written literally in that
> context. Taking the example from the RFC:
>
>     $qb->select('u')
>         ->from('User', 'u')
>         ->where('u.id = ' . $_GET['id']); // INSECURE
>
> I want the `$qb->where()` method to be able to reliably detect that the
> string provided is not literal, even when it happens by chance that the
> exact same string appears literally somewhere else in my code.
>
> —Claude
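The guard Claude is asking for, written out as an added example that is neither the RFC's code nor anything from the thread: a minimal query builder whose where() refuses any fragment that is_literal() does not report as written in source, so that the RFC's INSECURE line throws while the same query with a bound parameter runs. It assumes is_literal() behaves as the RFC proposes (at the time of the thread only the 3v4l "rfc.literals" build had it; no released PHP does), that the pdo_sqlite driver is available, and it uses a hypothetical LiteralQueryBuilder class and users table. It does not settle the interning question under discussion: a one-character or otherwise interned string can still satisfy the check, so the bound parameter, not the literal check, is what keeps attacker input out of the SQL.

```php
<?php
// Added example for the is_literal RFC thread; not the RFC's or PHP's own code.
// Assumes is_literal() as proposed by the RFC (rfc.literals build on 3v4l).
// LiteralQueryBuilder, the users table and $pdo are hypothetical.

final class LiteralQueryBuilder
{
    private array $where = [];
    private array $params = [];

    public function __construct(private PDO $pdo, private string $table)
    {
        // The table name is concatenated into the SQL, so it must be literal too.
        if (!is_literal($table)) {
            throw new InvalidArgumentException('table name must be a source literal');
        }
    }

    // Accept only fragments that is_literal() reports as written in source;
    // values travel through bound parameters, never through concatenation.
    public function where(string $fragment, array $params = []): static
    {
        if (!is_literal($fragment)) {
            throw new InvalidArgumentException(
                'where(): SQL fragment must be a literal written in source'
            );
        }
        $this->where[] = $fragment;
        $this->params += $params;
        return $this;
    }

    public function fetchAll(): array
    {
        $sql = 'SELECT * FROM ' . $this->table;
        if ($this->where !== []) {
            $sql .= ' WHERE ' . implode(' AND ', $this->where);
        }
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($this->params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed fixture: in-memory SQLite with two rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed attacker input, as it would arrive in a request.
$_GET['id'] = '1 OR 1=1';

// Safe: the fragment is a source literal and the value is bound, so the
// injection payload is compared as a value and matches nothing.
$rows = (new LiteralQueryBuilder($pdo, 'users'))
    ->where('id = :id', ['id' => $_GET['id']])
    ->fetchAll();
echo 'bound query returned ', count($rows), " row(s)\n";

// Rejected: the RFC's INSECURE form. Concatenating request input produces a
// non-literal string, so where() throws before any SQL is built.
try {
    (new LiteralQueryBuilder($pdo, 'users'))
        ->where('id = ' . $_GET['id'])   // INSECURE
        ->fetchAll();
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Running this on a build with is_literal() prints one line for the bound query and one "rejected:" line for the concatenated one; on a PHP without the function it fails at the first is_literal() call, which is the point of the assumption stated above.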