Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:114910 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 53469 invoked from network); 16 Jun 2021 19:56:19 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 16 Jun 2021 19:56:19 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id D5DA6180537 for ; Wed, 16 Jun 2021 13:13:08 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-ed1-f41.google.com (mail-ed1-f41.google.com [209.85.208.41]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Wed, 16 Jun 2021 13:13:08 -0700 (PDT) Received: by mail-ed1-f41.google.com with SMTP id s15so739183edt.13 for ; Wed, 16 Jun 2021 13:13:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=FuzAfbTGAL05Tjh8QxnFPh0pABm+34YVdSEZEGmfJQE=; b=uuZdIooA7PzpoDJ8LPAMwRwOUjLGgoyPKLJv5EzSPHL8XnghyVPH5dXGo0sB6Vt8iu G8JYII1G2AjE3fzjPD8l2bFgUT1DhI2WSTOn76DPo9QlVN2VIoQsC5D0vYY8b/P5LOhy PXSkuHCKvqS4cE0b9iGraBQi6mrxVTJ9vzlcemfPDqM8b1aR0J6Z3y0fYYibTpm6uM+Z wR4XcHElCg0wbptAWmBlxIG0fg+nYlUI5HJNsPvIZOXi1liLv0DAbJqoIViUBnhM6rN7 fobjXNtoe1D701lwqb/ic4Su0gU7gyxCealAz5Ir5auY79CEcU6VLXM68lZTEHHtkOmk BZqg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=FuzAfbTGAL05Tjh8QxnFPh0pABm+34YVdSEZEGmfJQE=; b=CcgHb6E2WI6V3b9qYa0gDu1YhKxgSymhREeV818eFucGP/iD+kjZ+P6svqg5YJzYR1 aKV7xXCOldGsf9gKqP6kSi2TSvrZkk8UyX0sjCez8JejFloPYvOtIs3punsP28FawuVd WkIufQHwj7XYYGHOKK/FimEHNFrYouyq3JjphBrcktR0sT46EaAMOtbhKv+eM3EvuBXm XQiyu1llSpH1oDTcFfgmB5zMu5S6FJML2Wdyk3Rlzjr/uqYI+mSJB18Em5rjRL2K2JHQ HUW73+fdcIkAGJJ6VJYphQLdeJJObLZYOK1lStCQC6B5m2FWZTX7ez1sTrHBI7b91wyR WPcQ== X-Gm-Message-State: AOAM530XFj4DYWNGv6z7iCQlFlFyDC4PwNz/07vHmG03gfA7MEmtdbzo TmjAC1u+Ko72b7g39VtbRQnWjp/fXjU= X-Google-Smtp-Source: ABdhPJyUvn+orII93tQGVAEBnR7ETCAzx474nHGIio/koj14mxc7tDk9B88MJTsM2Cs8wwZejt/BRw== X-Received: by 2002:a05:6402:1a:: with SMTP id d26mr1858891edu.105.1623874387145; Wed, 16 Jun 2021 13:13:07 -0700 (PDT) Received: from ?IPv6:2001:983:6fc5:1:49d7:8d77:7cb2:8488? ([2001:983:6fc5:1:49d7:8d77:7cb2:8488]) by smtp.gmail.com with ESMTPSA id aq21sm2501971ejc.83.2021.06.16.13.13.05 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 16 Jun 2021 13:13:06 -0700 (PDT) To: internals@lists.php.net References: Message-ID: Date: Wed, 16 Jun 2021 22:13:04 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Subject: Re: [PHP-DEV] Re: [RFC] is_literal From: dik.takken@gmail.com (Dik Takken) On 16-06-2021 19:24, Craig Francis wrote: > On Sat, 12 Jun 2021 at 18:00, Craig Francis > wrote: > >> I'd like to start the discussion on the is_literal() RFC: >> https://wiki.php.net/rfc/is_literal >> > > > > Hi Internals, > > Following up on the is_literal() RFC, thanks for the feedback. It looks > like there are only 2 minor open issues - updating the implementation to > allow integers, and what to call the flag/function. > > Matthew Brown wants to support integer values, simply because so much code > already includes them, and I cannot find a single way that integers alone > can cause issues from an Injection Vulnerability point of view (but if > anyone can, I absolutely welcome their input). Other variable types like > floats and booleans will still be excluded (because the value you put in > often is not what you get out, e.g. true/TRUE being converted to "1"). The security concerns that this RFC is addressing arise from data that an attacker might control, like user input. In that respect I guess there need not be any difference between types of literals. Expanding the 'literal' concept to other types than just strings sounds like a good idea. However, limiting it to just integers sounds a little arbitrary. If people want to insert a float or boolean into their query and they are happy with the way those are coerced into strings, why not allow it? > Which leads us to the name, because "is_literal" may be, uh, too literal. > So can we come up with something better? > > It needs to be a name that suggests: This variable contains programmer > defined strings, integers, and interned values (as noticed by Claude Pache > and Rowan Tommins). Ideally staying in the standard convention of > ‘is_singleword’. > > Joe has suggested is_known(), where "we have the concept of known strings > internally", which I like (though might clash with more userland functions > than ‘is_literal’). Last night I also wondered about `is_constrained()`, as > the value has limited sources. But I'd also welcome more suggestions, and > am happy to set up a poll (thanks Dharman for the strawpoll.com suggestion). Throwing in another idea: is_hard_coded(). > I've also updated the RFC Future Scope to note how this could be a > dedicated type (thanks someniatko, Matthew Brown, and Dik Takken); and I'm > really impressed to see the addition to Psalm so quickly. > > Craig >