Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:115125
Return-Path: <mike@newclarity.net>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 9740 invoked from network); 24 Jun 2021 16:40:48 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 24 Jun 2021 16:40:48 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 0F8AC180507
	for <internals@lists.php.net>; Thu, 24 Jun 2021 09:59:36 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,
	SPF_HELO_NONE,SPF_NONE autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <mike@newclarity.net>
Received: from mail-qk1-f178.google.com (mail-qk1-f178.google.com [209.85.222.178])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Thu, 24 Jun 2021 09:59:35 -0700 (PDT)
Received: by mail-qk1-f178.google.com with SMTP id o6so16096416qkh.4
        for <internals@lists.php.net>; Thu, 24 Jun 2021 09:59:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=newclarity-net.20150623.gappssmtp.com; s=20150623;
        h=from:message-id:mime-version:subject:date:in-reply-to:cc:to
         :references;
        bh=VKMBPx5Bnpj6gaCt1OqhrvVsLr1JLKmObYUzpMxXQMM=;
        b=ZbW6WencwInnzI5JU9xWm8SIqIWX3QsvsgMfgDQD1YHldVMAgHKN2nGx9k5PRJLK4E
         t7by5xAzqfUBEYRYFHAmY15OcY87CveSH3lRRomwTJDrVqwdzhbTbfMCEdb4MzIfSZXj
         dTaAlu5vtFtDIuqIx595lQKS9zv1OYQnABSsoUTk6JGMJ9zc75JVOND7tuHRGxJeokuE
         0X+YVq2Tf4eokcifUiRkXAm7JG93XnRsoH8dF2OIpUJnQBSNEuJY14sdf+BygkVJU+G0
         GgdjaFJvusrJJWZqDX9ZFlDh5nj2i+xvZuVplz9CNK96MpnqUrGGntgNwswtOYMMQRG6
         dOgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:message-id:mime-version:subject:date
         :in-reply-to:cc:to:references;
        bh=VKMBPx5Bnpj6gaCt1OqhrvVsLr1JLKmObYUzpMxXQMM=;
        b=X0tR9k15Sm4p1hyy9X2AYbMSUrCSgmoUJurLSVnZKhvhKHe4KOG4Tg+Qhj9UzakVD7
         FFHlqq4wQrJ+h0cp+mQOsmsATyj4ZCoe8xcSFurJ5fKs/HPVjaSHeNv0gBP8PJ3F0x+y
         F6Vynop4bqIzIAlJngxx2uxTtjF5UnAAbe/wQqjWavAQx6scMD+wNAvVPHr/J0tJaKRi
         ynulpubDb7U6ZzgSSeYwEr8eU2elfN2E4C2LDOZFMBkirphquFJ0svuQBRI7zoUpQVoU
         VDyhIV0EIhdY+Y48EGs3ztQQjrdfB0g2N5Opuujrjr0LRmCRu0eoAWgUgU5K9MXXcvtY
         KFVw==
X-Gm-Message-State: AOAM533PYoZi9sHw/zykQg7SKpajHTcdnzYTghqGmm6JAbrn4Xd0mq/2
	4VCGolq1xWhsK6OpULodhRGufunXqBL9RSVG
X-Google-Smtp-Source: ABdhPJzqX1Bib0n9VRI1v1ldm3or3TAf6Ox6ZXznHTYyPL+rPSC8+RPywSdli53Z2FuJbevu/mYmEg==
X-Received: by 2002:a05:620a:d49:: with SMTP id o9mr6685175qkl.378.1624553972702;
        Thu, 24 Jun 2021 09:59:32 -0700 (PDT)
Received: from [192.168.1.10] (c-24-98-254-8.hsd1.ga.comcast.net. [24.98.254.8])
        by smtp.gmail.com with ESMTPSA id v19sm2804760qkf.42.2021.06.24.09.59.31
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 24 Jun 2021 09:59:31 -0700 (PDT)
Message-ID: <24E12B58-7613-4E67-852C-3312F4AE769C@newclarity.net>
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_3C228E10-8DCD-4E41-8665-9FC8D379D4F4"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
Date: Thu, 24 Jun 2021 12:59:30 -0400
In-Reply-To: <26037CB4-4723-4DC5-BD92-BBDC4F548E17@koalephant.com>
Cc: php internals <internals@lists.php.net>
To: Stephen Reay <php-lists@koalephant.com>
References: <CAFv4g+Gv1qQ2Gtx2Qwo0Dx2Cb_gOXJ=rm7rVy+Jo89PmD-3jnA@mail.gmail.com>
 <CAEMvS4GRaqMBPn7ocBX-XU3jzrtpe+9uGfYpG10qc_iKZY80UA@mail.gmail.com>
 <03f7955c-69a8-4841-9245-449d7851e207@www.fastmail.com>
 <CAFv4g+EaT309KDWz63j3S7n8E58czEWTKUEw9hAvgt7s6R9eKQ@mail.gmail.com>
 <CAKws9z02yCZTb2_mw-5xUO5-QLc4jbOUcBRfJ8nFSNPP1rgO3g@mail.gmail.com>
 <CA+hqhpfUiOMLDZyXTqP+mm9jjG6v+K94Ug7K_zvuuZus_XhOaQ@mail.gmail.com>
 <CAKws9z34nTT0_CXoo4Yq7zO2CZX622has23xmfHbWjfaDrgLqA@mail.gmail.com>
 <CA+hqhpdR=W8nbWy8UBgLtKdvb_KCss5mpzturS67HhqRj4q6BQ@mail.gmail.com>
 <CAKws9z1=6fmCxJWYVfN+xKT+u=_ZTq0m7C0nZPT6LB5scbfpXQ@mail.gmail.com>
 <95D16F2E-E9DD-4964-A0E2-62E1FB0D976B@koalephant.com>
 <CAKws9z1M6aLMJ+T7KEAYbEu7N3ufFi8Lsqpr4GP6G06+8aG3SQ@mail.gmail.com>
 <4DE5E2EC-26D6-4D2C-95A9-B843B440EE87@koalephant.com>
 <CAGBsUrfar+bY+4R9Wp=WfTr5r7-Ur0pVDmNYGJTt1nh9AQ3-Zw@mail.gmail.com>
 <26037CB4-4723-4DC5-BD92-BBDC4F548E17@koalephant.com>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Subject: Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted
From: mike@newclarity.net (Mike Schinkel)

--Apple-Mail=_3C228E10-8DCD-4E41-8665-9FC8D379D4F4
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8


> On Jun 24, 2021, at 6:33 AM, Stephen Reay <php-lists@koalephant.com> =
wrote:
>=20
>> On 24 Jun 2021, at 17:07, Kamil Tekiela <tekiela246@gmail.com> wrote:
>>=20
>> Hi Stephen,
>>=20
>> I believe the idea was for dynamically generate table names, or =
numbered tables/columns. E.g.=20
>>=20
>> function getTable(string $table){
>>    // is_literal check here
>> }
>>=20
>> $number =3D (int) $_GET['tableno'];
>> if($number < 0 || $number > 10) {
>>    throw new Exception("Invalid number");
>> }
>>=20
>> $tablename =3D 'table_'.$number;
>> getTable($tablename);
>>=20
>> The number is concatenated to the table name.=20
>>=20
>> =E2=80=94Kamil
>=20
> Hi Kamil,
>=20
> Thanks for at least trying to answer this question.
>=20
> I=E2=80=99m sure someone somewhere does that and thinks its a good =
idea. I respectfully (to you; probably less respectfully to someone if =
they tell me they do this) disagree. I don=E2=80=99t think PHP should =
necessarily shy away from features because they=E2=80=99re potentially =
dangerous, but I also don=E2=80=99t think it should be adding new =
features/functions that are more dangerous, just to make some weird (IMO =
bad-practice) edge cases easier.

WordPress Multisite does exactly that. =20

Whether or not them doing so is a "good idea" is irrelevant as there are =
a large number of website that use that mode of WordPress currently =
active on the web.


> I=E2=80=99d suggest if they insist on that bizarre naming pattern, =
_and_ want to use a literal string check, they could define an array of =
string numbers that represent their table names.
>=20
> $tbls =3D [=E2=80=980=E2=80=99, =E2=80=981=E2=80=99, =E2=80=982=E2=80=99=
, =E2=80=983=E2=80=99, =E2=80=984=E2=80=99, =E2=80=985=E2=80=99, ...];
>=20
> getTable(=E2=80=99table_=E2=80=99 . $tbls[$number]);

Some WP MS installations support millions of thousands sites. See =
WordPress.com <http://wordpress.com/>.

But yes, I guess it could be possible for them to hack hack together =
'table_983761' out of literals via a Rube Goldbergian-function, if =
forced to.


> On Jun 24, 2021, at 6:35 AM, Stephen Reay <php-lists@koalephant.com> =
wrote:
>=20
>> On 24 Jun 2021, at 17:16, Craig Francis <craig@craigfrancis.co.uk> =
wrote:
>>=20
>> On Thu, 24 Jun 2021 at 10:55, Stephen Reay <php-lists@koalephant.com> =
wrote:
>>=20
>>> but still I have to keep asking: Why integers at all?
>>>=20
>>=20
>> While I'm not a fan of this approach, there is a lot of existing code =
and
>> tutorials that use:
>>=20
>> $sql =3D 'WHERE id IN (' . implode(',', array_map('intval', $ids)) . =
')';
>>=20
>> $sql =3D sprintf('SELECT * FROM table WHERE id =3D %d;', =
intval($id));
>>=20

And WordPress (and I am sure a lot of other legacy code) does not =
support parameterized queries in the DB object, at least not without =
jumping through tons of hoops.  Not to mention the 60k existing =
open-source plugins and the likely million custom plugins in the wild.

-Mike
P.S. Of course we could ignore the entirety of WordPress, but that just =
does not strike me as a prudent course of action.=

--Apple-Mail=_3C228E10-8DCD-4E41-8665-9FC8D379D4F4--