Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:114911
Return-Path: <craig@craigfrancis.co.uk>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 57577 invoked from network); 16 Jun 2021 20:44:34 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 16 Jun 2021 20:44:34 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id C3E0B1804C0
	for <internals@lists.php.net>; Wed, 16 Jun 2021 14:01:24 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.7 required=5.0 tests=BAYES_05,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no
	autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <craig@craigfrancis.co.uk>
Received: from mail-lj1-f171.google.com (mail-lj1-f171.google.com [209.85.208.171])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 16 Jun 2021 14:01:24 -0700 (PDT)
Received: by mail-lj1-f171.google.com with SMTP id s22so5724710ljg.5
        for <internals@lists.php.net>; Wed, 16 Jun 2021 14:01:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=craigfrancis.co.uk; s=default;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=innrxamYb8MXcXzhCeg3BTBPxZIoEuKr1m3dNJ9czPI=;
        b=S8HN47La11wZua/Eh1ksu9RO6nhiM+X3Vf7/2GjfeALt3WHMrQNNCLmx53xZwbJ/rp
         N87XFDYogEalUz6ln7BthEOYl5A3o9spfXA3CcrC0o/xJBPZvb5RcQhWaKeBqxtNBhLE
         KSQwW6Rt9vP8xxQIC7KaAqLkZjMk3VlH4/Bno=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=innrxamYb8MXcXzhCeg3BTBPxZIoEuKr1m3dNJ9czPI=;
        b=peUjMtZgOcWo6DkgY1AffuF5QpqoZ3tfaSLBKmpcb/up0XnM6nxwmSKpFtjdTCLCe9
         iM1nN789kGM2h1afk369+TwzX8eP+s2xhNZ9aJauqlSSlBbzYdz0Kpt1YZfCdn1Zw+Ik
         qf/yVOzXJ+uHoTDbthC927M5TOlRZ6y77W375zZVQh+OHp+JmXIBTuGXtF9DHQzF418o
         5YZVkRnhMyXpDuV+4AiPDdgkPuj5IW4SAb6vixNVXX50d27IAaJtcJO8sSJz1ZyrSB2H
         mW8H9TsVtt2+NgZRZHVAIw8ObLijJYSKMTzBD+xhNm3gGFiLQ3kUhG3hkbZB2wZ207RU
         12lA==
X-Gm-Message-State: AOAM532ub3gfA3E3Jpf8QHQEv8hG2kgnbWzUsVkY1MOmnQ6F91VRqkKA
	ZynyN7lobiuK9EXZCLtlgiDaSn8aKvuIcVgnDDkb1g==
X-Google-Smtp-Source: ABdhPJwRlKes+n7PG3ltOqnSt0j7h/LjPPLjD5JWo+Bvx3/dOURcIlZe5kaa0nRxxMqBN0T2j2D96it8xwLyx9ZVCng=
X-Received: by 2002:a05:651c:49d:: with SMTP id s29mr1534504ljc.279.1623877279557;
 Wed, 16 Jun 2021 14:01:19 -0700 (PDT)
MIME-Version: 1.0
References: <CAFv4g+F-7F7o6va5wCrojKe+Uysx2Ec3H4yV_mUZYEyNm3MkdQ@mail.gmail.com>
 <CAFv4g+GYwH-nQ8bLGbm=ThARghGUG5hMpw7W5SjMnSPMTom7+g@mail.gmail.com> <e179b4f4-22ae-5dbb-ce9a-28fb909f90b9@gmail.com>
In-Reply-To: <e179b4f4-22ae-5dbb-ce9a-28fb909f90b9@gmail.com>
Date: Wed, 16 Jun 2021 22:01:08 +0100
Message-ID: <CAFv4g+Ejohe70=-7qobJ9z4HzHzGnBE1zYXUrAvivtf+Ad8onQ@mail.gmail.com>
To: Dik Takken <dik.takken@gmail.com>
Cc: internals@lists.php.net
Content-Type: multipart/alternative; boundary="000000000000683de905c4e864d0"
Subject: Re: [PHP-DEV] Re: [RFC] is_literal
From: craig@craigfrancis.co.uk (Craig Francis)

--000000000000683de905c4e864d0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Wed, 16 Jun 2021 at 9:13 pm, Dik Takken <dik.takken@gmail.com> wrote:

> On 16-06-2021 19:24, Craig Francis wrote:
> > Matthew Brown wants to support integer values, simply because so much
> code
> > already includes them, and I cannot find a single way that integers alo=
ne
> > can cause issues from an Injection Vulnerability point of view.
>
> [=E2=80=A6]
>
> Expanding the 'literal' concept to other types than just strings
> sounds like a good idea. However, limiting it to just integers sounds a
> little arbitrary. If people want to insert a float or boolean into their
> query and they are happy with the way those are coerced into strings, why
> not allow it?
>



Applying this to floats and booleans might be dangerous, as what=E2=80=99s =
put in
might not be what comes out (I want to keep the scope as limited as
possible). is_literal can be used for strings because we can flag what=E2=
=80=99s
user and what=E2=80=99s developer defined, and with Matthew=E2=80=99s reque=
st, it could do
integers (because an integer value alone is not inherently risky, and it=E2=
=80=99s
already used a lot). However because of things like true/TRUE getting
converted to "1", we can=E2=80=99t apply the same certainty to floats and b=
ooleans
- it wouldn=E2=80=99t be a consistent secure approach.


> Which leads us to the name, because "is_literal" may be, uh, too literal.
> > So can we come up with something better?
>
> Throwing in another idea: is_hard_coded().
>


I=E2=80=99d be a little hesitant on the name =E2=80=98is_hard_coded=E2=80=
=99, if we allow integers,
that means that it=E2=80=99s no longer strictly hard coded, and might get c=
onfusing.

--000000000000683de905c4e864d0--