Newsgroups: php.internals
Subject: Re: [PHP-DEV] is_literal() is back
From: mike@newclarity.net (Mike Schinkel)
To: PHP internals
Date: Sat, 26 Jun 2021 09:51:06 -0400

The idea behind is_literal() is of good intention, but as they say the road to hell is paved with good intentions.

The RFC proposes to add an internal "literal" flag to a string, the is_literal() function, and nothing else.

Further the RFC states a vision to get "libraries to start using is_literal() to check their inputs." Again, that comes from a great intention.

The problem lies with the fact that library developers who choose to disallow non-literal strings will offer solutions when a use-case literally (pun intended) cannot produce a literal string.

Sure, most leading library developers will offer a solution, but many of the long-tail library developers will not, either because it will add scope and/or because those library developers don't have the skill and/or experience to do so.

So what will those users of those libraries do when faced with a requirement to only use literal strings? They will find a workaround so they can get their jobs done. And that workaround is really simple:

    function make_literal(string $non_literal): string {
        // Rebuilds the string one byte at a time; the result is byte-identical to the input.
        $literal = '';
        for ($i = 0; $i < strlen($non_literal); $i++) {
            $literal .= chr(ord($non_literal[$i]));
        }
        return $literal;
    }

You can see it in action on 3v4l.org here[1] and for posterity on gist.github.com here[2].

Once developers start bypassing the is_literal() check then all those good intentions will be moot, and many who think they are secure from injection attacks will be vulnerable:

    $sql = 'SELECT * FROM foo WHERE id=' . make_literal($_GET['id']);
    $result = mysqli_query($conn, $sql);

So what am I suggesting we do?

1. We postpone passing this is_literal() RFC until we have collectively addressed how userland developers will be able to handle non-literals in SQL, HTML, etc. when their use-cases require non-literals.

2. We could also go ahead and add the internal "literal" flag to a string so that if someone wants to use it to write an extension to add an is_literal() function in the meantime it would be available, but not yet standardized into PHP.

Thank you in advance for your consideration.

-Mike

[1] https://3v4l.org/oCBp7#focus=rfc.literals
[2] https://gist.github.com/mikeschinkel/b9abd4178db461568b813269bc936c18
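As an added example (not code from the message, the RFC, or any library), one way a library can handle the non-literal SQL case the message raises: the id that a use-case cannot make literal travels as a bound parameter, and an identifier such as a sort column, which cannot be bound, is checked against an allow-list before it joins the query text. It assumes $conn is an open mysqli connection and that the table foo with columns id, name and created_at exists; both are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the original message. Assumes $conn is an open
// mysqli connection and that table foo (id, name, created_at) exists.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Identifiers cannot be bound as parameters, so a user-chosen sort column
// is matched against a fixed list of known columns; anything else falls
// back to a default instead of being spliced into the query.
function order_column(string $requested): string
{
    $allowed = ['id', 'name', 'created_at'];
    return in_array($requested, $allowed, true) ? $requested : 'id';
}

// Validates the id as an integer and returns null for anything else
// (for example "1 OR 1=1"), so the caller can reject the request early.
function parse_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

// The SQL text is assembled only from literals and an allow-listed
// identifier; the id is sent as a bound parameter and is never parsed
// as SQL by the server, whatever bytes the request contained.
function fetch_foo(mysqli $conn, string $raw_id, string $raw_order): array
{
    $id = parse_id($raw_id);
    if ($id === null) {
        return [];
    }
    $sql = 'SELECT id, name FROM foo WHERE id >= ? ORDER BY '
        . order_column($raw_order) . ' LIMIT 20';
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($rowId, $name);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $rowId, 'name' => $name];
    }
    $stmt->close();
    return $rows;
}

// Usage with the request values from the message:
// $rows = fetch_foo($conn, $_GET['id'] ?? '', $_GET['order'] ?? 'id');
```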