Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115023
Return-Path: <craig@craigfrancis.co.uk>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 61342 invoked from network); 22 Jun 2021 12:55:09 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 22 Jun 2021 12:55:09 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 08E0E1804DA
	for <internals@lists.php.net>; Tue, 22 Jun 2021 06:13:23 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no
	autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <craig@craigfrancis.co.uk>
Received: from mail-lf1-f48.google.com (mail-lf1-f48.google.com [209.85.167.48])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue, 22 Jun 2021 06:13:22 -0700 (PDT)
Received: by mail-lf1-f48.google.com with SMTP id u13so16579194lfk.2
        for <internals@lists.php.net>; Tue, 22 Jun 2021 06:13:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=craigfrancis.co.uk; s=default;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=Pp80ZfBrTNJCg5yFjH8hLX/9a+OJsM0tsJoT5EG1m6k=;
        b=Nz5UQs/aNVsS+6pqixQx5z26fkevAsTLduAuj7woPsvDpAaggUInNEYUFmjMpZ9T/a
         Pge1b0FmvY0BfK25VkdE9gr1Ae96bjMQ4PmHt32xs4alseQM5vgp/ndyVL8/nJN2HO6Y
         py2ycA1UHJjQPDLa22divqjxzJr0VOIaAWyD4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=Pp80ZfBrTNJCg5yFjH8hLX/9a+OJsM0tsJoT5EG1m6k=;
        b=qw+oXJIsdN0fHAAxqLhcWOdl5kWZhWtRMr33AIVVj1ELdIfU0HqKe8DHPzl9coAREc
         mEKooTpN/O7jIqbQq8Xo6bS6kNnbJlLLmOinODVldn6hV8OE+Be3TAgWiTQXtZ22VH+E
         JVTdvoMG2ZlvAHTK5UnjYQbvv0b3h+KHV0vJUk4WTu9bW+vACt1oB2UyotMSwCkzor/X
         +1yJOOLxB50r4UTvDdLHBWvrSjeUP9cUES4BxC5DbpW+Ew3FHERvQjE9wlHd85q5VBwd
         EN8B6apUrgsy8Hd5gu10YVOszABNyFSy/cQeXoXWnaLxNbuqjlCv+0W8Z3l6JRPp8idb
         qaQw==
X-Gm-Message-State: AOAM530aLOSA4CssbN/eqw4tAUc/+cfGUPJReykHngKEnLskTPy94xb4
	a5vQC3O2F3PfiIJwjAxwyzI1KNam7qwmPxygnuvvfg==
X-Google-Smtp-Source: ABdhPJyAi3cIE+Xmm2GNGPr8vOJAeO+N/i5gLQ6EM/jluQ3/UOU7r1+Eg0aWsIWpD6zunDXjk9W6FJZN2C0UVgStFug=
X-Received: by 2002:a19:a406:: with SMTP id q6mr2774382lfc.616.1624367598153;
 Tue, 22 Jun 2021 06:13:18 -0700 (PDT)
MIME-Version: 1.0
References: <CAFv4g+GjXqiZkA2fawt7jHDtDAKjB0rv=Lfbcobu7bn8B=wvpw@mail.gmail.com>
 <CAGa2bXbGv33zHfRpu-hN_wNcNKPpFw_ed1ZRnn96tpDf0ROcLg@mail.gmail.com>
 <0CD1762E-6094-4DEB-B1B5-22CFBDAAFF44@php.net> <CAG9XoMQUUYGhA6QL3Se4FNJgydjzX0MAeR_CWr5O1SH8xgypLA@mail.gmail.com>
 <CAFv4g+ET4YDpygjKqGbAwxt+jkA8kWTeUrmTcR3hbFGEGNgmDg@mail.gmail.com> <BFFD3FBB-721B-491B-ADDB-DE3CA535BB52@koalephant.com>
In-Reply-To: <BFFD3FBB-721B-491B-ADDB-DE3CA535BB52@koalephant.com>
Date: Tue, 22 Jun 2021 14:13:07 +0100
Message-ID: <CAFv4g+GJrX6uNSAq=kAXDk2Lx=NLx=GxAw9Qh+cpZwbaVdgtJA@mail.gmail.com>
To: Stephen Reay <php-lists@koalephant.com>
Cc: Benjamin Morel <benjamin.morel@gmail.com>, Derick Rethans <derick@php.net>, 
	PHP Internals <internals@lists.php.net>, Yasuo Ohgaki <yohgaki@ohgaki.net>
Content-Type: multipart/alternative; boundary="000000000000ac42e105c55a8d5d"
Subject: Re: [PHP-DEV] [RFC] is_trusted - was is_literal
From: craig@craigfrancis.co.uk (Craig Francis)

--000000000000ac42e105c55a8d5d
Content-Type: text/plain; charset="UTF-8"

On Tue, 22 Jun 2021 at 09:59, Stephen Reay <php-lists@koalephant.com> wrote:

> So I just want to make sure I understand the progression on this so far.
> It started out with people wanting a way to check that a string was a
> literal string, in code somewhere, and does not come from user input. Ok
> makes sense. The name makes sense too.
>



The primary reason was never just to define literal strings, the intention
has always been to create a practical, implementable solution to address
the issue of Injection Vulnerabilities (SQl/HTML/CLI/etc).

The name `is_literal()` has always just been a placeholder, it came up when
I first started looking at this problem because that was the most obvious
thing I knew we could anchor around. (Unfortunately I think it was easy to
make assumptions based solely on that name, rather than focussing on the
issue it is meant to address).

So, we cannot look for literals only - while it was part of the solution,
it was very much incomplete. Bearing in mind, there is considerable amount
of existing code and tutorials out there which include integers in their
SQL/HTML/CLI/etc, and they are perfectly safe in doing so. Making a
solution which does not support integers is not going to be adopted/used
because the task of rewriting and changing everything, for no benefit, will
not be considered by developers.

Likewise, a lot of code already builds SQL/HTML/CLI/etc strings via
concatenation and sprintf(), and forcing everyone to use a query builder is
likely to cause most people to not even consider using this.

It's all well thinking of one thing that might theoretically/idealistically
solve the issue, but it also needs to have a plan on how this will be
practically implemented and used by developers (which this has done).

Craig

--000000000000ac42e105c55a8d5d--