Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:115024 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 63517 invoked from network); 22 Jun 2021 13:08:25 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 22 Jun 2021 13:08:25 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id CD4201804C9 for ; Tue, 22 Jun 2021 06:26:41 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,KHOP_HELO_FCRDNS, SPF_HELO_NONE,SPF_NONE,UNPARSEABLE_RELAY autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from processus.org (ns366368.ip-94-23-14.eu [94.23.14.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits)) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 22 Jun 2021 06:26:41 -0700 (PDT) Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by processus.org (Postfix) with ESMTPA id F1D715101324; Tue, 22 Jun 2021 13:26:39 +0000 (UTC) To: Kamil Tekiela , Mike Schinkel Cc: PHP internals References: <4FFA0160-1A05-4DA0-9C9A-79F778443A35@newclarity.net> Message-ID: Date: Tue, 22 Jun 2021 15:26:39 +0200 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US Authentication-Results: processus.org; auth=pass smtp.auth=pierre-php@processus.org smtp.mailfrom=pierre-php@processus.org X-Spamd-Bar: / Subject: Re: [PHP-DEV] Sql Object Model Parser & Sanitizer (was [RFC] is_literal) From: pierre-php@processus.org (Pierre) Le 22/06/2021 à 15:00, Kamil Tekiela a écrit : > Hi Mike, > > Please don't do this. We already have PDO with prepared statements. The > data must be bound. This is the secure way of writing SQL queries. The idea > behind SQL builder is to generate SQL, not to allow the data to be > sanitized. > Every time I hear the word sanitize I get goose bumps. You can't remove any > characters from a string to make it safe. If you want to use escaping, then > you need to do it context aware and properly formatted. Don't sanitize > anything. Format the SQL properly instead. > > On a general note. Implementing SQL builder in PHP would be an enormous > task, which is not feasible. There are so many dialects, so many options, > and even then it won't ever be accurate as you don't have the full context > in PHP. SQL is a very powerful language, and building a parser for it in > PHP would mean that we either limit it to a subset of valid SQL commands, > or we try to create a super tool that is more powerful than MySQL, Oracle, > PostgreSQL, etc. combined. > There's absolutely nothing wrong with writing SQL in PHP and preparing it > on the server. For database servers that don't support prepared statements > we already have PDO which is an abstraction library that tries to escape > and format data within SQL. It works 99% of the time. > > The example you suggested already has a simple syntax in PHP. > > $conn = mysqli_connect(...); > $stmt = $conn->prepare($sql); > $stmt->execute([$_GET['openings'], $_GET['limit']]); > > Regards, > Kamil > I fully agree with you. Any attempt to be smart in doing this will eventually end-up in no-so-smart corner-case bugs that will be very, very hard to deal with. It's almost an impossible mission. And if by any luck you'd succeed in making this work, it probably would be a maintenance nightmare. Regards, -- Pierre