Newsgroups: php.internals
Subject: Re: [PHP-DEV] Sql Object Model Parser & Sanitizer (was [RFC] is_literal)
From: larry@garfieldtech.com ("Larry Garfield")
To: "php internals"
Date: Tue, 22 Jun 2021 10:41:09 -0500
Message-ID: <9e8faf2b-fdc7-49f4-bdc1-0822841616e2@www.fastmail.com>
References: <4FFA0160-1A05-4DA0-9C9A-79F778443A35@newclarity.net>

On Tue, Jun 22, 2021, at 8:39 AM, Mike Schinkel wrote:
> > On Jun 22, 2021, at 9:00 AM, Kamil Tekiela wrote:
> >
> > Hi Mike,
> >
> > Please don't do this. We already have PDO with prepared statements. The data must be bound. This is the secure way of writing SQL queries.
>
> The problem is that over 40% of the web currently runs on PHP code that
> is using mysqli. That CMS does not support PDO nor prepared statements,
> and is unlikely to switch to it anytime soon in the foreseeable future.
WordPress is not going to leverage anything we do here until and unless there is a major change of leadership and culture at that project. Please don't waste any mental effort on it; they clearly waste no mental effort on what the rest of the PHP community considers good, secure practices. Anything involving them is tilting at windmills.

Mike, speaking as someone who has written an SQL abstraction layer and query builder with significant usage (Drupal 7-9), you are *grossly* under-estimating the complexity of what you describe. It might be possible to hack together for SQL92, aka "what most PHP devs actually use because they haven't noticed that it's not 1992 anymore", but that's already been done. We have DBTNG in Drupal, we have Doctrine, problem solved.

Modern SQL, though, is a stupidly complex and stupidly inconsistent beast. Most of the syntax beyond the basics is different on every damned database. The official spec *is not even publicly available*, and costs a lot of money to access. And no DB engine actually supports all of it; they all support different subsets with their own different extensions that may or may not be comparable.

Building a tool that parses an arbitrary string to an AST for a spec that is inconsistent, inaccessible, and not implemented correctly by anyone is a fool's errand, and that's just the first part of it. That's not even getting into designing an API for people to modify it, or questions of performance, or compiling the AST back into a DB-specific string, AND then doing parameter binding which varies from one database to another. You're talking about reimplementing major portions of MySQL, PostgreSQL, Oracle, etc. themselves in PHP, all at the same time. Well, good luck, you're going to need it.

Personally I've long since concluded that database portability is no longer an achievable or even desirable feature. SQL is just too fragmented a language, leaving you with a least common denominator that is grossly under-whelming for modern needs. If you want more than SQL92, it's not really viable anymore.

--Larry Garfield
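Kamil's point at the top of this thread, that the data must be bound rather than spliced into the query text, shown as an added example that is not part of the thread and not code from PHP, WordPress, Drupal or Doctrine. It runs the same lookup two ways against an in-memory SQLite database through PDO, so no server is needed; the only assumption is that the pdo_sqlite extension is loaded. The table, the two rows and the payload string are constructed for the example.

```php
<?php
// Added example, not from the mailing-list thread. Requires the pdo_sqlite
// extension; everything else is constructed inline so it runs offline.
declare(strict_types=1);

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, password TEXT NOT NULL)');

    // Constructed sample rows; plaintext passwords only to keep the example short.
    $ins = $pdo->prepare('INSERT INTO users (name, password) VALUES (?, ?)');
    $ins->execute(['alice', 's3cret']);
    $ins->execute(['bob', 'hunter2']);
    return $pdo;
}

// VULNERABLE: caller-supplied strings become part of the SQL text, so the
// database parses whatever the caller wrote as syntax.
function loginInterpolated(PDO $pdo, string $name, string $password): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$name' AND password = '$password'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// SAFE: the SQL text is fixed at prepare time; the values travel separately
// as bound parameters and can never change the statement's structure.
function loginBound(PDO $pdo, string $name, string $password): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE name = :name AND password = :password');
    $stmt->execute([':name' => $name, ':password' => $password]);
    return (int) $stmt->fetchColumn();
}

$pdo = makeDb();
$payload = "' OR '1'='1";  // constructed tautology payload in place of a password

printf("interpolated, valid credentials: %d row(s)\n", loginInterpolated($pdo, 'alice', 's3cret'));
printf("interpolated, payload:           %d row(s)\n", loginInterpolated($pdo, 'nobody', $payload));
printf("bound, valid credentials:        %d row(s)\n", loginBound($pdo, 'alice', 's3cret'));
printf("bound, payload:                  %d row(s)\n", loginBound($pdo, 'nobody', $payload));
```

With the payload, the interpolated statement becomes `... WHERE name = 'nobody' AND password = '' OR '1'='1'`, which SQLite evaluates as `(name = 'nobody' AND password = '') OR '1'='1'` and so counts every row; the bound version compares the password column against the literal string `' OR '1'='1` and counts none. The same split between statement text and bound values is what mysqli's prepare/bind_param API provides, which is why the point stands independently of whether PDO or mysqli is the driver in use.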