Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: claude.pache@gmail.com (Claude Pache)
To: Craig Francis
Cc: PHP internals
Date: Wed, 8 Sep 2021 08:33:09 +0200

> On 7 Sept 2021 at 11:49, Craig Francis wrote:
>
> Obviously I'd still like libraries to be able to protect everyone from
> introducing Injection Vulnerabilities (as the majority of programmers don't
> use static analysis), but that's for another day.

Hi,

We all want to protect from injection vulnerabilities, but I think there are better ways than is_literal.
One way is to use templates, an area where PHP is ironically lagging behind. I suggest looking at JS tagged templates:

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals

For example:

    $qb->select('u')
       ->from('User', 'u')
       ->where('u.id = ' . $_GET['id']); // INSECURE

could be written as

    exec `
        SELECT u FROM User u WHERE u.id = %{ $_GET['id'] }
    `

where the part between %{ ... } is transformed into an SQL literal string (with delimiters "...", not just “escaping”) when it is a string; into the SQL expression NULL when it is null; into an SQL subexpression if it is an object (provided by the library) that represents a well-formed SQL subexpression, etc.

—Claude
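The transformation Claude describes, written as a JavaScript tagged template (added example, not part of this mail or of any PHP proposal; the `sql` tag, the `SqlExpr` class, the `${}` syntax in place of the mail's `%{ }`, and the sample request value are assumptions):

```javascript
// Marker for a library-provided, well-formed SQL subexpression.
// Only code that constructs one of these can put raw SQL into a query.
class SqlExpr {
  constructor(text) { this.text = text; }
}

// Convert one interpolated value into SQL source according to its type.
// Strings are delimited as literals, null becomes NULL, SqlExpr is inlined;
// anything else is rejected instead of being stringified into the query.
function toSqlLiteral(value) {
  if (value === null || value === undefined) return 'NULL';
  if (value instanceof SqlExpr) return value.text;
  if (typeof value === 'number' && Number.isFinite(value)) return String(value);
  if (typeof value === 'boolean') return value ? 'TRUE' : 'FALSE';
  if (typeof value === 'string') {
    // Standard SQL string literal: delimit with '...' and double any quote
    // inside the value, so the value stays data and cannot close the literal.
    // Dialects with backslash escapes (e.g. MySQL) need the driver's quoting.
    return "'" + value.replace(/'/g, "''") + "'";
  }
  if (Array.isArray(value)) {
    return '(' + value.map(toSqlLiteral).join(', ') + ')';
  }
  throw new TypeError('cannot embed a value of type ' + typeof value + ' in SQL');
}

// Tag function: `strings` are the parts written by the programmer (trusted),
// `values` are the interpolations, which are always converted, never trusted.
function sql(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += toSqlLiteral(values[i]) + strings[i + 1];
  }
  return out.trim();
}

// The post's example with a constructed request value that tries to break out
// of the literal; the tag keeps it inside the quotes.
const requestId = "1' OR '1'='1";
const userQuery = sql`SELECT u FROM User u WHERE u.id = ${requestId}`;
// → SELECT u FROM User u WHERE u.id = '1'' OR ''1''=''1'

// A library-built fragment is inlined as-is; an untrusted string never is.
const orderBy = new SqlExpr('ORDER BY u.id DESC');
const listQuery = sql`SELECT u FROM User u WHERE u.id IN ${[1, 2]} ${orderBy}`;
// → SELECT u FROM User u WHERE u.id IN (1, 2) ORDER BY u.id DESC
```

A production tag would more often emit placeholders and a parameter list for the driver instead of inlining literals; the type dispatch above is the same either way.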