Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:114949 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 86599 invoked from network); 18 Jun 2021 12:13:31 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 18 Jun 2021 12:13:31 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id BA5571804B0 for ; Fri, 18 Jun 2021 05:30:43 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2, SPF_HELO_NONE,SPF_NONE autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-qv1-f52.google.com (mail-qv1-f52.google.com [209.85.219.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Fri, 18 Jun 2021 05:30:43 -0700 (PDT) Received: by mail-qv1-f52.google.com with SMTP id df15so2547189qvb.10 for ; Fri, 18 Jun 2021 05:30:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=newclarity-net.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=08Ijni8vuyU8NRTFOgBwdD1nh8gpFGbmyTU+Nqu8P9g=; b=R29sLb53inAK6wquxnz1KeEMj314WBv8VG7QtMP/cOT0FS1EnNbkI5eHesOqCRUd17 soYFjKFpH7ZnY8wiSfZXnpRCxlq3vtPuFoXeIw73PmW27pcSrAdm7hKQXNemTNyHeSws g+jPk63fWlucgZfAhe5C10qj0SCzfoko+jIS2ELMr9NwVwBZKnR80fS1AUex8HFKQUCp IiGicOzhszNCfvRK0owNItyApedpaUbXisKzqYmFZigv8hCmWghJxlYuZj5sTygdXctK Rm+P7pBNF3JfGywIJLl37v3t7gwGEx5fKWphyljEh3FKGBvQJNuaiLlUlpbDBMcAmtFx XdFA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=08Ijni8vuyU8NRTFOgBwdD1nh8gpFGbmyTU+Nqu8P9g=; b=ZJM1KPwmwvs+FuHD3DicWH2MiQLFbd0rnmM2usOHcZQ/raBCOQ8RSFB91YdgaylhUo 71uKEpmvJgS5cv99ulY0ANXliHVzsA6/t0MjybUH7Z9q0BKH44768GEKMAHW35clKEKO e35KFR5vasiO0KrSk3NMiLHYhuvl/cO6YRAeDw5MhE/65F0IEUuSI6KucmD8XC/G9y3h devx/1jN1D8HyNigE4gkf5vOrwM2MTR8bjhDGT5MvxJGkB5oB6BqLV87cnBwLC+Vdk0P svUp0CbgB77/4AAEjmXzcTbRzglisTsNjywj3FMYYhaaOU/9b7qCXqYdEZ2eePvZa852 c4Cg== X-Gm-Message-State: AOAM533gPbppZFpHTLpJ6hG2kkv+BMXkduydZpwVOmsJZdI838edgDC3 2fBXh3lKtX6xnCJNSjZVl9CnYjrkBmwSVLPZ X-Google-Smtp-Source: ABdhPJxZ+nxtL60vyIjshxty0GzgVrjuVGsR9/P/k/uXgwq9AiodbTuGSB2D8JigSU9jwVAFlG+6mw== X-Received: by 2002:a05:6214:1021:: with SMTP id k1mr5513797qvr.4.1624019441663; Fri, 18 Jun 2021 05:30:41 -0700 (PDT) Received: from [192.168.1.10] (c-24-98-254-8.hsd1.ga.comcast.net. [24.98.254.8]) by smtp.gmail.com with ESMTPSA id t30sm3798299qkm.11.2021.06.18.05.30.40 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 18 Jun 2021 05:30:40 -0700 (PDT) Message-ID: Content-Type: multipart/alternative; boundary="Apple-Mail=_E3D349E2-35A9-4253-B456-4915E6D18CD4" Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\)) Date: Fri, 18 Jun 2021 08:30:39 -0400 In-Reply-To: Cc: php internals To: Craig Francis References: X-Mailer: Apple Mail (2.3608.120.23.2.7) Subject: Re: [PHP-DEV] [RFC] is_literal From: mike@newclarity.net (Mike Schinkel) --Apple-Mail=_E3D349E2-35A9-4253-B456-4915E6D18CD4 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 > On Jun 18, 2021, at 7:22 AM, Craig Francis = wrote: >=20 > On Fri, 18 Jun 2021 at 11:45 am, Guilliam Xavier = > wrote: >=20 >> IIUC, with the addition of integers, the function will return true = for e.g. >> `'SELECT * FROM foo LIMIT ' . (int)$limit` even if $limit doesn't = come from >> a "static" value (e.g. random_int() or even `$_GET['limit']`) >=20 > Yes, that=E2=80=99s correct. >=20 > Supporting integers from any source helps with adoption, and we cannot = find > any security issues (it=E2=80=99s a fairly small change to the RFC, = and that > prompted the new name, especially as the original is_literal wasn=E2=80=99= t > perfect). For the avoidance of doubt can you confirm that this $sql would indeed = be trusted? $ids =3D array_map( 'intval', $_GET['ids'] ?? [] ); $where =3D implode( ',', $ids ); $sql =3D 'SELECT * FROM foo WHERE id IN (' . $where . ')'; Also, as it is painful to have to use string concatenation, can we = please consider supporting only the '%s' and '%d' format specifiers when = used with trusted strings and integers for sprintf(), respectfully: $sql =3D sprintf( 'SELECT * FROM foo WHERE id IN (%s)', $where ); And $sql =3D sprintf( 'SELECT * FROM foo LIMIT %d', (int)$limit ); -Mike= --Apple-Mail=_E3D349E2-35A9-4253-B456-4915E6D18CD4--