Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: [RFC] is_literal
From: pierre-php@processus.org (Pierre)
To: Guilliam Xavier
Cc: internals@lists.php.net
Date: Fri, 18 Jun 2021 13:25:07 +0200

On 18/06/2021 at 12:45, Guilliam Xavier wrote:
> IIUC, with the addition of integers, the function will return true for e.g.
> `'SELECT * FROM foo LIMIT ' . (int)$limit` even if $limit doesn't come from
> a "static" value (e.g.
> random_int() or even `$_GET['limit']`)

OK, I get it. I followed the initial discussions but I didn't read everything for a while.

Doesn't it mean that is_literal(), which no longer tests whether something is literal, does a bit more than that?

The original intent of being able to tell if a string is literal or not seems to be a very good idea, but now it has forked into something that is more SQL/other-database business related: this means that PHP's own std will, in my opinion, take a role it isn't supposed to have, by arbitrarily (don't take it wrongly, all the discussions I have read until now are smart and make sense) telling people what is safe and what is not?

The original is_literal() function idea is nice, so why not have both: is_literal(), which exposes purely technical information on one side, and is_secure(), which is more specialized and supposes what is safe or not considering more than simply the string's static state, for std-provided SQL database layers? In such a scenario, userland libraries could use, depending on their own needs, one or both of these functions.

I'd very much like to have the is_literal() function for my own needs; I do maintain an SQL query builder, but I don't expect it to handle int and other types as well. I'll probably continue to handle those by myself since I have a custom escaping API. In my use case, I'd probably not use the is_secure() function but I would use the is_literal() one, mostly for performance reasons (to avoid escaping something that doesn't need to be).

I think that both being introduced at the same time is a good idea.

Regards,

-- 
pierre