Newsgroups: php.internals
From: craig@craigfrancis.co.uk (Craig Francis)
To: PHP internals
Date: Wed, 16 Jun 2021 18:24:46 +0100
Subject: Re: [RFC] is_literal

On Sat, 12 Jun 2021 at 18:00, Craig Francis wrote:

> I'd like to start the discussion on the is_literal() RFC:
> https://wiki.php.net/rfc/is_literal

Hi Internals,

Following up on the is_literal() RFC, thanks for the feedback. It looks like there are only 2 minor open issues - updating the implementation to allow integers, and what to call the flag/function.

Matthew Brown wants to support integer values, simply because so much code already includes them, and I cannot find a single way that integers alone can cause issues from an Injection Vulnerability point of view (but if anyone can, I absolutely welcome their input). Other variable types like floats and booleans will still be excluded (because the value you put in often is not what you get out, e.g. true/TRUE being converted to "1").

Which leads us to the name, because "is_literal" may be, uh, too literal. So can we come up with something better?

It needs to be a name that suggests: This variable contains programmer defined strings, integers, and interned values (as noticed by Claude Pache and Rowan Tommins). Ideally staying in the standard convention of ‘is_singleword’.

Joe has suggested is_known(), where "we have the concept of known strings internally", which I like (though might clash with more userland functions than ‘is_literal’). Last night I also wondered about `is_constrained()`, as the value has limited sources. But I'd also welcome more suggestions, and am happy to set up a poll (thanks Dharman for the strawpoll.com suggestion).

I've also updated the RFC Future Scope to note how this could be a dedicated type (thanks someniatko, Matthew Brown, and Dik Takken); and I'm really impressed to see the addition to Psalm so quickly.

Craig