Newsgroups: php.internals
Xref: news.php.net php.internals:115159
Date: Sat, 26 Jun 2021 15:03:30 +0100
To: Mike Schinkel
Cc: PHP internals
Subject: Re: [PHP-DEV] is_literal() is back
From: craig@craigfrancis.co.uk (Craig Francis)

Just a quick reply at the moment, but what happens if a db library had a method to set what was in the LIMIT part of a query, you did the MySQL thing of “30, 10” to get paginated results, and then one day the library changed to require the argument to be an integer?

On Sat, 26 Jun 2021 at 2:51 pm, Mike Schinkel wrote:

> The idea behind is_literal() is of good intention, but as they say the
> road to hell is paved with good intentions.
>
> The RFC proposes to add an internal "literal" flag to a string, the
> is_literal() function, and nothing else.
>
> Further the RFC states a vision to get "libraries to start using
> is_literal() to check their inputs." Again, that comes from a great
> intention.
>
> The problem lies with the fact that library developers who choose to
> disallow non-literal strings will offer solutions when a use-case literally
> (pun intended) cannot produce a literal string.
>
> Sure, most leading library developers will offer a solution, but many of
> the long-tail library developers will not, either because it will add scope
> and/or because those library developers don't have the skill and/or
> experience to do so.
>
> So what will those users of those libraries do when faced with a requirement
> to only use literal strings? They will find a workaround so they can get
> their jobs done. And that workaround is really simple:
>
>     // Copies the input one byte at a time through chr(ord()), returning a new string.
>     function make_literal(string $non_literal): string {
>         $literal = '';
>         for ($i = 0; $i < strlen($non_literal); $i++) {
>             $literal .= chr(ord($non_literal[$i]));
>         }
>         return $literal;
>     }
>
> You can see it in action on 3v4l.org here[1] and for
> posterity on gist.github.com here[2].
>
> Once developers start bypassing the is_literal() check then all those good
> intentions will be moot, and many who think they are secure from injection
> attacks will be vulnerable:
>
>     $sql = 'SELECT * FROM foo WHERE id=' . make_literal($_GET['id']);
>     $result = mysqli_query($conn, $sql);
>
> So what am I suggesting we do?
>
> 1. We postpone passing this is_literal() RFC until we have collectively
> addressed how userland developers will be able to handle non-literals in
> SQL, HTML, etc. when their use-cases require non-literals.
>
> 2. We could also go ahead and add the internal "literal" flag to a string
> so that if someone wants to use it to write an extension to add an
> is_literal() function in the meantime it would be available, but not yet
> standardized into PHP.
>
> Thank you in advance for your consideration.
>
> -Mike
>
> [1] https://3v4l.org/oCBp7#focus=rfc.literals
> [2] https://gist.github.com/mikeschinkel/b9abd4178db461568b813269bc936c18
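Taking the two messages together (Mike's point that a library which rejects non-literal strings must give its users a legitimate route for request-derived values, and Craig's question about a LIMIT argument that used to be set from "30, 10"), the following sketch shows how a library could combine the RFC's check on the SQL template with typed parameter binding for everything else, so that the make_literal() workaround is never needed. This is an added example, not code from either poster or from the RFC. It assumes the is_literal() function exactly as the RFC proposes it, which is not present in any released PHP build, so it only runs on a build carrying the RFC's patch; the PDO DSN, credentials, the table foo and its columns are constructed placeholders.

```php
<?php
declare(strict_types=1);

// Added example. Assumes the RFC's is_literal(): true only for strings written
// in source code (and combinations of them), false for anything derived from
// request data. Not part of released PHP.

final class LiteralQuery
{
    /** @param array<string, array{mixed, int}> $params  name => [value, PDO::PARAM_*] */
    private function __construct(
        private string $sql,
        private array $params,
    ) {}

    // The SQL template is the only string that is ever sent as SQL text, so it
    // is the only thing that must be literal. Values are refused here on purpose.
    public static function from(string $sql): self
    {
        if (!is_literal($sql)) {
            throw new InvalidArgumentException(
                'SQL template must be a literal written in source code; '
                . 'pass request-derived values through withInt()/withString() instead.'
            );
        }
        return new self($sql, []);
    }

    // Non-literal values never touch the SQL string: each one is bound with an
    // explicit PDO type. This is the answer to the LIMIT case: paging becomes two
    // typed integers rather than a "30, 10" fragment spliced into the clause.
    public function withInt(string $name, int $value): self
    {
        $clone = clone $this;
        $clone->params[$name] = [$value, PDO::PARAM_INT];
        return $clone;
    }

    public function withString(string $name, string $value): self
    {
        $clone = clone $this;
        $clone->params[$name] = [$value, PDO::PARAM_STR];
        return $clone;
    }

    public function execute(PDO $pdo): PDOStatement
    {
        $stmt = $pdo->prepare($this->sql);
        foreach ($this->params as $name => [$value, $type]) {
            $stmt->bindValue($name, $value, $type);
        }
        $stmt->execute();
        return $stmt;
    }
}

// Paginated query built the way the library wants: literal template, typed values.
$page    = max(1, (int) ($_GET['page'] ?? 1));
$perPage = 10;

$query = LiteralQuery::from(
        'SELECT id, name FROM foo WHERE status = :status ORDER BY id LIMIT :limit OFFSET :offset'
    )
    ->withString(':status', (string) ($_GET['status'] ?? 'active'))
    ->withInt(':limit', $perPage)
    ->withInt(':offset', ($page - 1) * $perPage);

// Constructed placeholder connection details.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'placeholder-password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Native prepares send LIMIT/OFFSET as real integer parameters, which MySQL accepts.
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$rows = $query->execute($pdo)->fetchAll(PDO::FETCH_ASSOC);

// The call the library refuses: the template was assembled from request data,
// so is_literal() is false and from() throws before any SQL reaches the server.
try {
    LiteralQuery::from('SELECT * FROM foo WHERE id = ' . ($_GET['id'] ?? ''));
} catch (InvalidArgumentException $e) {
    error_log($e->getMessage());
}
```

The design choice worth noting is that the check is applied to one thing only, the template, and every other input has a typed setter. A library that exposes a raw `setLimit(string $fragment)` leaves its users nowhere to go but the workaround; one that exposes `withInt()` for the limit and offset gives them a path that is both more convenient and safer than rebuilding strings byte by byte.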