Newsgroups: php.internals
Date: Thu, 24 Jun 2021 05:19:17 -0400
From: scott@paragonie.com (Scott Arciszewski)
To: Guilliam Xavier
Cc: php internals
Subject: Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted
References: <03f7955c-69a8-4841-9245-449d7851e207@www.fastmail.com> <95D16F2E-E9DD-4964-A0E2-62E1FB0D976B@koalephant.com>

On Thu, Jun 24, 2021 at 4:34 AM Guilliam Xavier wrote:
>
> On Thu, Jun 24, 2021 at 9:14 AM Scott Arciszewski wrote:
>>
>> On Thu, Jun 24, 2021 at 2:10 AM Stephen Reay wrote:
>>
>> > I would absolutely make use of a function that tells me if the string given is in fact from something controlled by the developer. But once that same string can also include input from the request or the environment or whatever by nature of integers, the function becomes useless for the stated purpose.
>>
>> Why not two functions then?
>>
>> - is_noble_string() -- more restrictive
>> - is_noble() -- YOLO
>
> I was going to ask basically the same [with different names] a few days ago ("why can't we have both?"), but then remembered https://externals.io/message/114835#114951 , esp. the end:
>
> """
> And to support having 2 functions, we would need 2 flags on strings. These
> flags are limited, and managing 2 flags would affect performance.
> """
>
> Regards,
>
> --
> Guilliam Xavier

Thanks for the reference to that part of the discussion that I missed.

Aside: I encourage everyone to look at EasyDB (especially EasyStatement) for handling `WHERE x IN (a, b, c, ...)` statements in SQL.

https://github.com/paragonie/easydb

Additionally, Ionizer is useful for input filtering and asserting type safety:

https://github.com/paragonie/ionizer

If you're doing dynamic, on-the-fly SQL query generation (based, in part, on user input), these are two framework-agnostic tools that can help make your code safer against code injection and other attacks.
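The pattern the message above is pointing at, shown as an added example rather than code from EasyDB, EasyStatement or Ionizer: a dynamic `WHERE x IN (...)` clause whose SQL text is assembled only from developer-written fragments (the kind of string is_literal is meant to vouch for), while every request-supplied value is passed to PDO as a bound parameter and coerced to the type the column expects before it reaches the driver. The function names `buildInClause` and `findUsersByIds`, the `users` table and the request values are all constructed for this example; only the PDO calls are real PHP API.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not EasyStatement): returns [sqlFragment, params].
// The caller must pass a developer-written (literal) column name; the
// only thing request input influences is the number of placeholders.
function buildInClause(string $column, array $values): array
{
    if ($values === []) {
        // `IN ()` is a syntax error on most engines; match nothing instead
        // of interpolating anything into the query text.
        return ['1 = 0', []];
    }
    $placeholders = implode(', ', array_fill(0, count($values), '?'));
    return [$column . ' IN (' . $placeholders . ')', array_values($values)];
}

// Hypothetical lookup: coerce request strings to integers, then bind them.
function findUsersByIds(PDO $db, array $requestIds): array
{
    $ids = array_map('intval', $requestIds);          // type assertion step
    [$clause, $params] = buildInClause('id', $ids);   // 'id' is a literal
    $stmt = $db->prepare('SELECT id, name FROM users WHERE ' . $clause);
    $stmt->execute($params);                          // values never touch SQL text
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (id, name) VALUES (?, ?)');
foreach ([[1, 'alice'], [2, 'bob'], [3, 'carol']] as $row) {
    $insert->execute($row);
}

// Constructed request input: query-string values are always strings, and
// one of them is not numeric at all.
$requestIds = ['1', '3', 'abc'];
var_dump(findUsersByIds($db, $requestIds));
var_dump(findUsersByIds($db, []));
```

The non-numeric value becomes the integer 0, which matches no row, and the empty-input case yields a clause that selects nothing rather than a malformed `IN ()`. The query string handed to `prepare()` is built entirely from literals and `?` markers, which is exactly the property a function like is_literal would let you assert on `$clause` before executing it.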