Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted
From: Guilliam Xavier <guilliam.xavier@gmail.com>
To: Craig Francis
Cc: PHP internals
Date: Wed, 23 Jun 2021 12:27:18 +0200

On Tue, Jun 22, 2021 at 8:11 PM Craig Francis wrote:

> The Function:
> - Is a security-based function that prevents Injection Vulnerabilities in PHP.
> - Flags strings written by the developer, including when concatenated.
> - Also accepts integer values, which as purely numerical cannot contain code/dangerous characters. (Due to technical limitations within PHP, it's not possible for these to be flagged as user or developer in the codebase itself without performance issues).

- `is_safe_from_injections()`?
- `is_secure_against_injections()`?
- `can_be_trusted_to_not_contain_injection_vulnerabilities()`? (okay not this one)

Alternatively, if integers are too controversial, how about reverting the implementation to `is_literal()` but providing a function like `to_literal(int $int): string` (or just a "polyfill" for userland, which could be a one-liner: `implode(array_map(fn ($c) => ['0','1','2','3','4','5','6','7','8','9','-'=>'-'][$c], str_split((string)$int)))`), so that those `implode(',', [1,2,3])` could use `implode(',', array_map('to_literal', [1,2,3]))`?

Regards,

-- 
Guilliam Xavier
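An added example, not code from the thread or from the RFC: the `to_literal()` polyfill sketched above written out as a function, used with `implode()` to build an `IN (...)` list, plus a check that a numeric string (as user input would be) is rejected by the `int` parameter under `strict_types`. The SQL string and the `$ids` array are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Userland to_literal(): every character of the result is copied from a
// developer-written lookup table, so the output consists only of literal
// fragments (the property is_literal() tracks). The int type, with
// strict_types, refuses anything that is not already an integer.
function to_literal(int $int): string
{
    // Keys: the only characters (string)$int can contain. Values: literal copies.
    $literal = [
        '0' => '0', '1' => '1', '2' => '2', '3' => '3', '4' => '4',
        '5' => '5', '6' => '6', '7' => '7', '8' => '8', '9' => '9',
        '-' => '-',
    ];
    $out = '';
    foreach (str_split((string) $int) as $c) {
        $out .= $literal[$c]; // any other character would be an undefined key
    }
    return $out;
}

// Constructed usage: an IN (...) list built only from literal fragments.
$ids = [1, 2, 3];
$sql = 'SELECT name FROM users WHERE id IN ('
     . implode(',', array_map('to_literal', $ids)) . ')';

// Run with zend.assertions=1 to have these checked.
assert($sql === 'SELECT name FROM users WHERE id IN (1,2,3)');
assert(to_literal(-42) === '-42');

// A value that merely looks numeric is still a string: the int parameter
// rejects it before it can be concatenated into the query.
try {
    to_literal('1');
} catch (TypeError $e) {
    echo "rejected: non-integer input\n";
}
```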