Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:115011 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 32738 invoked from network); 22 Jun 2021 09:07:35 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 22 Jun 2021 09:07:35 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id D6E5E1804C3 for ; Tue, 22 Jun 2021 02:25:47 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-qt1-f175.google.com (mail-qt1-f175.google.com [209.85.160.175]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 22 Jun 2021 02:25:47 -0700 (PDT) Received: by mail-qt1-f175.google.com with SMTP id x21so6379990qtq.9 for ; Tue, 22 Jun 2021 02:25:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=newclarity-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=r6f2bq1sCfChFEtFzujr9VPm2SZ2FbzLKohGnx/8ZJc=; b=sfs5dsXobwDwoq36mFNEVS2tHxTD1s4/Y8pYGpzZ1kuf0ofdWH2ULm8exZSjFDk2t2 24T/t6QSY4yMPlxNEnATmMQc64mAh6ynzOb917ZGaePKWk8Ddq+Y6MSB2v60oTd8K2A6 WqCtbBQIeEDAzQ7pC8XwjKhr3vnYAyaE1llBADOHrAZL8rsNpXWTKzMlp/CriZsBylzj ei42HEtOsSR363ofVHcNwgVP99wlWpXSD+a82jjwZaK0/G8HulFSlYb9AngPEwRPZugi Cd3QGyf64dHI63Pem5YsZcGEdicwLDbJOnXeZBe3Wwx0bWo2JK62UPPkaeOYg4q1SvuF pmBQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=r6f2bq1sCfChFEtFzujr9VPm2SZ2FbzLKohGnx/8ZJc=; b=r0b7DbqSSFDrBMPZCKQOoLvsF6Hrmr4j1bEfmZGHs3GpesGKH41tOAav7CWeyjK5Qn azJ93R+daRTT5ax/XMUsPg1+/Cd71zPI7j5dFzsDXKBLGpWAefqeRZbEEiu/XWHf8mUe Bcpm1oCUBc35uSwt+AUOKLpKzik4Up+I4y/DKkmFreatKslwojDWryKIbEmBe+0FOGw2 53tNe56R2f8ntryAGvVFAmgEfslH4JMU3ynMtyRWEPb2SvXQh5EkKHnvyqoNEfqstGUV lbG9Q2p+Ig+nZwLFbQXc8sUvCJe6Aowx6iDbXV/ltPKOXQ4mbcnyXcj+1tKikqnV97SK cQzQ== X-Gm-Message-State: AOAM533ezbxz44XE//dZQrYFlChucCXhJwl8SCi0540iQowDn/U7Q1HP ifG697x4Y2LKgOGzf1EfMWuZSCu5MXkGFi6r X-Google-Smtp-Source: ABdhPJygSrR07cb+yPFTzfuwHKxxNLJp+FdhSLO+Q9Yxek2Glc8YRP6Pq5a68E1vXDKE40fIloDZRQ== X-Received: by 2002:ac8:7dc9:: with SMTP id c9mr2566323qte.169.1624353944277; Tue, 22 Jun 2021 02:25:44 -0700 (PDT) Received: from [192.168.1.10] (c-24-98-254-8.hsd1.ga.comcast.net. [24.98.254.8]) by smtp.gmail.com with ESMTPSA id w2sm11958458qkf.88.2021.06.22.02.25.43 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 22 Jun 2021 02:25:43 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\)) In-Reply-To: Date: Tue, 22 Jun 2021 05:25:42 -0400 Cc: PHP internals Content-Transfer-Encoding: quoted-printable Message-ID: References: To: Dan Ackroyd X-Mailer: Apple Mail (2.3608.120.23.2.7) Subject: Re: [PHP-DEV] [RFC] is_literal From: mike@newclarity.net (Mike Schinkel) > On Jun 22, 2021, at 4:53 AM, Dan Ackroyd = wrote: >=20 > The whole point of the idea of literal strings is to make it be easier > to write some code that: >=20 > i) is safe. > ii) can be reasoned about at scale. >=20 > Passing bare strings around is not so great for either of those > things. You have to manually remember "this is a string that is > intended to be used in a particular way. And doing that in a large > code base, when your engineering department is large enough to work in > separate teams is particularly difficult. >=20 > Instead of using bare strings, using a more specific type e.g. > HtmlAttribute::fromString('#fff'); and then passing that around would > be much easier to reason about. THIS. > Similarly for the thoughts about concatenating numbers into strings. > Yeah, people might think they want that, but in practice using an SQL > builder that allows you to put the number in the right place like: >=20 > $sqlBuilder->add('SELECT * FROM foo LIMIT %d', FIXED_LIMIT); >=20 >=20 > And then predictable when the request comes in to allow users to set > their own limit, changing it to: >=20 > $sqlBuilder->add('SELECT * FROM foo LIMIT %d', $_GET['limit']); >=20 > Doesn't take any time to refactor the code, because it's already using > an appropriate library that handles variables correctly. So, IMO this begs the question:=20 Should(n't?) PHP add a basic SQL builder class that can be extended for = special cases, e.g. different flavors of SQL? =20 The problem with depending on userland to do this is that there will = never be a single standard adopted. If built into PHP it could: 1. Legitimize it across all PHP developers,=20 2. To make sure its always available in the most basic PHP install,=20 3. To allow implementing a performant SQL parser (which is not = reasonably done in PHP), 4. To make creating a target for polyfills for prior versions possible,=20= 5. And to create a standard that all PHP projects that use SQL can = adopt? -Mike P.S. PHP could also implement a sanitizing templating language for SQL = as possibly a different or even additional approach.=