Newsgroups: php.internals
Xref: news.php.net php.internals:114987
Date: Mon, 21 Jun 2021 21:24:47 +0100
To: Mike Schinkel
Cc: php internals
Subject: Re: [PHP-DEV] [RFC] is_literal
From: craig@craigfrancis.co.uk (Craig Francis)

On Fri, 18 Jun 2021 at 1:30 pm, Mike Schinkel wrote:

> For the avoidance of doubt can you confirm that this $sql would indeed be trusted?
>
> $ids = array_map( 'intval', $_GET['ids'] ?? [] );
>
> $where = implode( ',', $ids );
> $sql = 'SELECT * FROM foo WHERE id IN (' . $where . ')';
>
> Also, as it is painful to have to use string concatenation, can we please consider supporting only the '%s' and '%d' format specifiers when used with trusted strings and integers for sprintf(), respectively:
>
> $sql = sprintf( 'SELECT * FROM foo WHERE id IN (%s)', $where );
>
> And
>
> $sql = sprintf( 'SELECT * FROM foo LIMIT %d', (int)$limit );

On Fri, 18 Jun 2021 at 1:32 pm, Mike Schinkel wrote:

> Sorry, that should have been:
> $ids = array_map( 'intval', $_GET['ids'] ?? [0] );

Yes, I can confirm that that $sql would be trusted.

Yes, sprintf() does support ‘%s’ and ‘%d’; the function has been updated so it will return a trusted string if all the inputs are trusted (including other specifiers).

Both your examples work, as we support integers now (so developers do not need to change their existing code that uses these valid approaches), and if you want to try it I’ve put your examples on 3v4l.org so you can see it working here:

https://3v4l.org/FvtpW/rfc#focus=rfc.literals

While using parameterised queries is preferred for integers too, it is a common pattern, and doesn't introduce any Injection Vulnerabilities.

Craig
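The trust rules described in this reply (integers count as trusted; concatenation, implode() and sprintf() stay trusted only while every input is), as an added Python model that is not the RFC's engine implementation or code from this thread. The Literal wrapper, the intval() approximation and the build_in_query() helper are assumptions of this illustration; it replays Mike's two examples and shows that an unwrapped request string loses the trusted mark even when its content looks harmless.

```python
"""Model of the is_literal trust rules from the thread. Added illustration,
not PHP's implementation: code literals and integers are trusted; concat,
implode and sprintf yield a trusted value only if every input is trusted."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Literal:
    """A string that came from a source-code literal (hypothetical wrapper)."""
    value: str


def is_literal(x) -> bool:
    """Trusted: Literal or int. A plain str (e.g. request input) is not."""
    return isinstance(x, Literal) or (isinstance(x, int) and not isinstance(x, bool))


def _raw(x) -> str:
    return x.value if isinstance(x, Literal) else str(x)


def _wrap(text, parts):
    """Keep the Literal mark only when every contributing part was trusted."""
    return Literal(text) if all(is_literal(p) for p in parts) else text


def concat(*parts):
    return _wrap("".join(_raw(p) for p in parts), parts)


def implode(sep, items):
    return _wrap(_raw(sep).join(_raw(i) for i in items), [sep, *items])


def intval(v) -> int:
    """Approximation of PHP intval(): leading integer digits, else 0."""
    m = re.match(r"\s*[+-]?\d+", _raw(v))
    return int(m.group()) if m else 0


def sprintf(fmt, *args):
    """Only %s and %d, as in the thread's examples; %d coerces like (int)."""
    it = iter(args)

    def sub(m):
        a = next(it)
        return str(intval(a)) if m.group(1) == "d" else _raw(a)

    return _wrap(re.sub(r"%([sd])", sub, _raw(fmt)), [fmt, *args])


def build_in_query(get_ids):
    """Mike's example: intval every id (default [0] when absent), implode, concat."""
    ids = [intval(v) for v in (get_ids if get_ids is not None else [0])]
    where = implode(Literal(","), ids)
    return concat(Literal("SELECT * FROM foo WHERE id IN ("), where, Literal(")"))
```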