Newsgroups: php.internals
Xref: news.php.net php.internals:114954
To: internals@lists.php.net
Message-ID: <07e0dbe4-ecfc-50df-2ce5-94555ff4364e@gmail.com>
Date: Fri, 18 Jun 2021 16:31:46 +0200
Subject: Re: [PHP-DEV] Re: [RFC] is_literal
From: dik.takken@gmail.com (Dik Takken)

On 18-06-2021 13:25, Pierre wrote:
> On 18/06/2021 at 12:45, Guilliam Xavier wrote:
>> IIUC, with the addition of integers, the function will return true for
>> e.g. `'SELECT * FROM foo LIMIT ' . (int)$limit` even if $limit doesn't
>> come from a "static" value (e.g. random_int() or even `$_GET['limit']`)
>
> OK I get it.
>
> I followed the initial discussions but I didn't read everything for a
> while.
>
> Doesn't it mean that is_literal(), which no longer tests whether
> something is literal, does a bit more than that?
>
> The original intent of being able to tell if a string is literal or not
> seems to be a very good idea, but now it has forked into something that
> is more SQL-OtherDatabase business related: this means that PHP's own std
> will, in my opinion, take a role it isn't supposed to have, by
> arbitrarily (don't take it wrongly, all discussions I have read until now
> are smart and make sense) telling people what is safe and what is not?

This is my feeling as well. The original proposal was pure, with solid
security guarantees, independent of the context (SQL, HTML, ...) in which
it is used. Elevating some user input to the same level of security as
literals is not ideal.

On the other hand, as Craig pointed out to me (thanks!), a feature that is
too much of a hassle to use may not be widely adopted, and the goal of the
proposal (improving security) may not be met.

Regards,
Dik Takken