Newsgroups: php.internals
Date: Wed, 8 Sep 2021 15:33:21 +0700
To: PHP internals <internals@lists.php.net>
Message-ID: <3BDF823C-3DAC-4E2F-AF3C-B5293858A2E7@koalephant.com>
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: php-lists@koalephant.com (Stephen Reay)

> On 8 Sep 2021, at 13:33, Claude Pache wrote:
>
>> On 7 Sep 2021, at 11:49, Craig Francis wrote:
>>
>> Obviously I'd still like libraries to be able to protect everyone from
>> introducing Injection Vulnerabilities (as the majority of programmers don't
>> use static analysis), but that's for another day.
>
> Hi,
>
> We all want to protect from injection vulnerability, but I think there are better ways than is_literal.
>
> One way is to use templates, an area where PHP is ironically lagging behind. I suggest looking at JS tagged templates:
>
> https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals
>
> For example:
>
> $qb->select('u')
>     ->from('User', 'u')
>     ->where('u.id = ' . $_GET['id']); // INSECURE
>
> could be written as
>
> $qb->exec `
>     SELECT u
>     FROM User u
>     WHERE u.id = %{ $_GET['id'] }
> `
> ?>
>
> where the part between %{ ... } is transformed into an SQL literal string (with delimiters "...", not just "escaping") when it is a string; into the SQL expression NULL when it is null; into an SQL subexpression if it is an object (provided by the library) that represents a well-formed SQL subexpression, etc.
>
> —Claude
>

Resending from on-list address because I'm an idiot. Apologies for the dupe Claude/Craig.

Hi Claude,

I had my share of issues with Craig's PR, but I think the original goal of it was a good and useful concept - provide developers (mostly lib authors, but it's not like it couldn't be used by end developers too) a way to _know_ that a string came from something hard coded in a php file.

A 'tagged template' like that doesn't help solve the problem in any way that parameterised queries can't already do, and if you want to make it more 'templated' like that, you could implement the same thing already by passing a printf-compatible template and the arguments to a function/method.

None of that helps solve what the `is_literal` function (or potential type hint) would help with: when the part of the query that needs to be substituted is something that cannot be parameterised at the SQL level (i.e. a column name) you _really_ don't want that to accept user input of any kind.

Cheers

Stephen
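As an added illustration (not code from either poster or from the is_literal RFC), the following sketches the printf-style template function Stephen mentions, with the %{ ... } substitution rules Claude describes, and shows why the column-name case still needs a separate guard: an identifier cannot be a bound value, so here it is accepted only from a fixed allowlist. The placeholder syntax, the Identifier class, the allowlist and the sample input are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Placeholder syntax, allowlist and
// sample input are constructed; real code should prefer the driver's own
// parameter binding for values wherever the SQL grammar allows it.

interface SqlFragment { public function toSql(): string; }

// A column name cannot be parameterised at the SQL level, so it must never be
// taken from user input unless it matches a fixed set of known identifiers.
final class Identifier implements SqlFragment
{
    private const ALLOWED = ['id', 'email', 'created_at']; // constructed allowlist

    public function __construct(private string $name)
    {
        if (!in_array($name, self::ALLOWED, true)) {
            throw new InvalidArgumentException("Unknown column: {$name}");
        }
    }

    public function toSql(): string { return '"' . $this->name . '"'; }
}

// Renders %{name} placeholders from $args: string -> quoted SQL literal,
// null -> NULL, int/float -> number, SqlFragment -> inlined subexpression.
// Any other type, or a missing argument, is rejected rather than interpolated.
function renderSql(string $template, array $args): string
{
    return preg_replace_callback('/%\{\s*(\w+)\s*\}/', function (array $m) use ($args): string {
        if (!array_key_exists($m[1], $args)) {
            throw new InvalidArgumentException("Missing argument: {$m[1]}");
        }
        $v = $args[$m[1]];
        return match (true) {
            $v === null                => 'NULL',
            is_int($v), is_float($v)   => (string) $v,
            is_string($v)              => "'" . str_replace("'", "''", $v) . "'", // ANSI SQL literal
            $v instanceof SqlFragment  => $v->toSql(),
            default => throw new InvalidArgumentException('Unsupported argument type'),
        };
    }, $template);
}

// Constructed input: the value is quoted as a literal, the column goes through the allowlist.
echo renderSql(
    'SELECT u FROM User u WHERE %{col} = %{name}',
    ['col' => new Identifier('email'), 'name' => "O'Brien"]
), PHP_EOL;
```

Passing `new Identifier($_GET['sort'])` with an unlisted name throws instead of reaching the query, which is the property a literal-only check would otherwise be needed to guarantee.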