Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted
From: krakjoe@gmail.com (Joe Watkins)
To: Mike Schinkel
Cc: Stephen Reay, php internals
Date: Thu, 24 Jun 2021 20:11:53 +0200

Nobody has demonstrated that "string" . int can lead to anything but mistakes. It CANNOT lead to injection, and that's what we're talking about; we're not talking about a function that protects you from all possible security concerns or bugs. The actual definition of injection matters, when we are talking about injection, obviously.
You can't have your own definition.

Cheers
Joe

On Thu, 24 Jun 2021 at 18:59, Mike Schinkel wrote:

> > On Jun 24, 2021, at 6:33 AM, Stephen Reay wrote:
> >
> >> On 24 Jun 2021, at 17:07, Kamil Tekiela wrote:
> >>
> >> Hi Stephen,
> >>
> >> I believe the idea was for dynamically generating table names, or numbered tables/columns. E.g.
> >>
> >>     function getTable(string $table) {
> >>         // is_literal check here
> >>     }
> >>
> >>     $number = (int) $_GET['tableno'];
> >>     if ($number < 0 || $number > 10) {
> >>         throw new Exception("Invalid number");
> >>     }
> >>
> >>     $tablename = 'table_' . $number;
> >>     getTable($tablename);
> >>
> >> The number is concatenated to the table name.
> >>
> >> —Kamil
> >
> > Hi Kamil,
> >
> > Thanks for at least trying to answer this question.
> >
> > I'm sure someone somewhere does that and thinks it's a good idea. I respectfully (to you; probably less respectfully to someone if they tell me they do this) disagree. I don't think PHP should necessarily shy away from features because they're potentially dangerous, but I also don't think it should be adding new features/functions that are more dangerous, just to make some weird (IMO bad-practice) edge cases easier.
>
> WordPress Multisite does exactly that.
>
> Whether or not them doing so is a "good idea" is irrelevant as there are a large number of websites that use that mode of WordPress currently active on the web.
>
> > I'd suggest if they insist on that bizarre naming pattern, _and_ want to use a literal string check, they could define an array of string numbers that represent their table names.
> >
> >     $tbls = ['0', '1', '2', '3', '4', '5', ...];
> >
> >     getTable('table_' . $tbls[$number]);
>
> Some WP MS installations support millions of thousands sites. See WordPress.com.
>
> But yes, I guess it could be possible for them to hack together 'table_983761' out of literals via a Rube Goldbergian function, if forced to.
>
> > On Jun 24, 2021, at 6:35 AM, Stephen Reay wrote:
> >
> >> On 24 Jun 2021, at 17:16, Craig Francis wrote:
> >>
> >> On Thu, 24 Jun 2021 at 10:55, Stephen Reay wrote:
> >>
> >>> but still I have to keep asking: Why integers at all?
> >>
> >> While I'm not a fan of this approach, there is a lot of existing code and tutorials that use:
> >>
> >>     $sql = 'WHERE id IN (' . implode(',', array_map('intval', $ids)) . ')';
> >>
> >>     $sql = sprintf('SELECT * FROM table WHERE id = %d;', intval($id));
>
> And WordPress (and I am sure a lot of other legacy code) does not support parameterized queries in the DB object, at least not without jumping through tons of hoops. Not to mention the 60k existing open-source plugins and the likely million custom plugins in the wild.
>
> -Mike
>
> P.S. Of course we could ignore the entirety of WordPress, but that just does not strike me as a prudent course of action.
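As an added example (not code from the thread, from WordPress, or from the RFC), the two concatenation patterns quoted above written out so the claim about "string" . int can be checked directly; the function names are assumed for this example and the hostile inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Casting to int before concatenation
// leaves only digits (and a leading '-'), so no quote, comment marker or statement
// separator from the request can reach the SQL text. The range bound mirrors
// Kamil's snippet; the IN-list builder mirrors Craig's.

/** Kamil's pattern: a bounded site number appended to a literal table prefix. */
function siteTableName(int $number, int $max = 10): string
{
    if ($number < 0 || $number > $max) {
        throw new InvalidArgumentException("Invalid number: $number");
    }
    return 'table_' . $number;
}

/** Craig's pattern: every id is coerced with intval before the list is imploded. */
function idListSql(array $ids): string
{
    $ints = array_map('intval', $ids);
    if ($ints === []) {
        throw new InvalidArgumentException('empty id list');
    }
    return 'WHERE id IN (' . implode(',', $ints) . ')';
}

/** True when the generated fragment contains nothing but the literal and integers. */
function isIntegerOnlyFragment(string $sql): bool
{
    return preg_match('/^WHERE id IN \(-?\d+(,-?\d+)*\)$/', $sql) === 1;
}

// Constructed hostile inputs of the kind $_GET might carry. intval() turns
// "' OR 1=1 --" and "0x1F" into 0, "12abc" into 12 and "1e3" into 1000 (PHP 7.1+).
$hostile = ['7; DROP TABLE users', "' OR 1=1 --", '0x1F', '1e3', '-5', '12abc'];
foreach ($hostile as $raw) {
    $sql = idListSql([$raw]);
    if (!isIntegerOnlyFragment($sql)) {
        throw new RuntimeException("unexpected characters in: $sql");
    }
    printf("%-22s => %s\n", $raw, $sql);
}

echo siteTableName((int) '7'), PHP_EOL;
try {
    siteTableName((int) '-1'); // out of range: a bug the range check catches, not an injection
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The regex check is the defender's view of Joe's point: an int can produce `table_-1` (a mistake) but never a metacharacter, which is why the thread treats the range check, not escaping, as the relevant control.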