Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:120699
Return-Path: <danack@basereality.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 64609 invoked from network); 27 Jun 2023 13:49:19 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 27 Jun 2023 13:49:19 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 522601804A7
	for <internals@lists.php.net>; Tue, 27 Jun 2023 06:49:18 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_05,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <danack@basereality.com>
Received: from mail-ed1-f52.google.com (mail-ed1-f52.google.com [209.85.208.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue, 27 Jun 2023 06:49:17 -0700 (PDT)
Received: by mail-ed1-f52.google.com with SMTP id 4fb4d7f45d1cf-51d9890f368so2709414a12.2
        for <internals@lists.php.net>; Tue, 27 Jun 2023 06:49:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=basereality-com.20221208.gappssmtp.com; s=20221208; t=1687873756; x=1690465756;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=V8jYEqDTQw06a2c2WhrfaVQ7nM/TAkPYOWsGAH6VrYc=;
        b=xygo1+v1Fe/2z2f60ckvqcZa2nItyPBSstDHqjZvj8ykp1Ew4jIJBUjT8wnwFHoBms
         KIfAz+Odca4AuIpd0cjfva0JPQFqEKspv50TyZx2P5CtauTGgH0KV0URIJ58Z1PLCUD8
         fuMFrA7seuSgI4x9/UxibKoNUPt4sdKsFwbGDQpi5vGhkqIokZ0TaucuSx85nY84oplY
         w+Oh2L/AiT/bUB8Szoe2oSO+igthOouVwnG5rMyGRqWg9fPcdg4xZ91dF2qm5XtWRXvF
         Cf1gROkzvLXRrosH7/J2WzuxXD4KlYxnphF/kit97p+juAwYd+mw4f9sPJ/Rkg/kxjOG
         H1jg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1687873756; x=1690465756;
        h=to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=V8jYEqDTQw06a2c2WhrfaVQ7nM/TAkPYOWsGAH6VrYc=;
        b=H8fqVpbLzWyrTeumc3IJkEuGMNwfttUVi4jL5VedQX8hHwZWJy2/HG/nzK6xJovQFQ
         yi+8zQspzSKgxsFdz6fLw//VtmqSRPKLUtEcBbZQwnM01QFmoo53UkjkmAi3HPVvIvps
         L9KlD2rt5vJhX5XPOE6Wc047rc7Icx+3Bilz8DDD74azHqRt4a+gj/azsglmSXUWLToe
         ZAjquZNBvUcGp1g6iKLhaTWJCfO3Xl1ZlOS6m58XHnUsCH/us236HwS3qa7tcvpN8d08
         IlCfMHmC5/pER5u7sYambsaOihEf9aNrXYvrYpotSsQ/qOcZb3kD4+ErQUnfxcn+vTZ4
         lY5A==
X-Gm-Message-State: AC+VfDw2rvl410tqja4D10xHps0kq+aiQ5wm/87StppOpFbLMU1BFDcG
	llF+d45p/qXz44jRWtEBE3bBJvWLFTJEYWbc24odszBI+X8a9t6HICw=
X-Google-Smtp-Source: ACHHUZ5BAkcEy+DArp6azY+noCtTm0JUvYv71ImA94xgf91qFeY98yA0n2xi9m/J0lowuyyrS4Hn0M9aKQZFkAJ9t7k=
X-Received: by 2002:a50:fb16:0:b0:51d:9830:8c43 with SMTP id
 d22-20020a50fb16000000b0051d98308c43mr4282025edq.3.1687873755817; Tue, 27 Jun
 2023 06:49:15 -0700 (PDT)
MIME-Version: 1.0
Date: Tue, 27 Jun 2023 15:49:04 +0200
Message-ID: <CA+kxMuTccYGT7fH+8u7N+iZtFzd3yZviu+1_+Afs01YvE5YvQg@mail.gmail.com>
To: PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset="UTF-8"
Subject: PDO Subclasses coming to vote soon.
From: Danack@basereality.com (Dan Ackroyd)

Hi everyone,

Just giving an update on the
https://wiki.php.net/rfc/pdo_driver_specific_subclasses RFC as time is
running out. The RFC text has been updated with the implemented
subclasses stubs.

There are a few small things to note, and one larger thing:

Marc Bennewitz wrote:
> It would be great if driver specific constants would be added to the
driver specific sub-classes without the driver name repeated in the
const name.

Okay, that will be done before it goes to vote. It probably has a
downside of making there need to be a large duplication of tests,
rather than being able to re-use the existing tests, but I guess it's
probably worth doing.

>> Create all DB sub-classes?
>
> yes please

k. That has been done.

Rowan Tommins wrote:
> but as a minimum there should be an internal API for
> registering a sub-class, without any modification to ext/pdo.

There is now.

The larger issue is whether to add an ini setting for SQLite extension
loading or not.

The sqlite3 PHP extension has an ini setting which limits extensions
to be loaded from a particular directory, presumably as a safety
precaution.

The Sqlite3 extension uses the code:

  sqlite3_enable_load_extension(sqlite_handle, 1);

which affects both the C api and loading extensions through SQL code.

However, in the proposed PdoSqlite class this code:

  sqlite3_db_config(db, SQLITE_DBCONFIG_ENABLE_LOAD_EXTENSION, 1);

is used to temporarily enable extension loading, which only enables it
through the C api.

As that means that SQLite extensions can only be loaded through C code
(not through SQL), and if someone can upload and execute code to your
server, your server is compromised anyway, having to edit ini files to
enable extension loading, seems like a bad tradeoff.

Thoughts?

cheers
Dan
Ack