Newsgroups: php.internals
Xref: news.php.net php.internals:130565
Date: Sun, 05 Apr 2026 08:51:30 +0200
From: rob@bottled.codes ("Rob Landers")
To: internals@lists.php.net
Message-ID: <2c0a3342-aba5-4ca2-969e-350dd4cfcd9d@app.fastmail.com>
Subject: Re: [PHP-DEV] [RFC] [Discussion] array_get and array_has functions

On Sat, Apr 4, 2026, at 16:06, Barel wrote:
> Hi,
>
> I would like to open the discussion on my proposal to add two small, focused array functions for retrieving and checking nested array elements using dot notation.
>
> This is the link to the RFC: https://wiki.php.net/rfc/array_get_and_array_has
>
> This is the link to the proposed implementation: https://github.com/php/php-src/pull/21637
>
> Thanks!!
>
> Carlos

Hi Barel,

Interesting! As dot-notation isn't used anywhere else, and I don't see it discussed as part of the RFC, how are developers to prevent injections of dots in user input? With SQL, we have parameters and escaping ... but I don't see any of that here.

As an example:

    $user = [ 'data' => [...], 'password' => 'secret' ];

If the path is completely user-controlled (as in the examples given), then they can access sensitive information in the array. Even if it is prefixed, i.e., "data.%s" -- an attacker can simply enumerate all possible keys and subkeys.

As it stands, it appears to add a new vulnerability to PHP that will be unfamiliar to PHP developers -- unless they're using a framework that already does this sort of notation.

— Rob
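As an added example (not code from the RFC, the linked PR, or Rob's mail), the following userland stand-in models the dot-notation lookup the RFC proposes, with array_get_dot and its split-on-dot semantics being an assumption rather than the RFC's actual signature, and places it beside a wrapper that resolves only paths the code author chose so that the path string never comes from the request at all.

```php
<?php

// Userland stand-in for the dot-notation lookup the RFC proposes (assumed
// semantics: split on '.', descend one key per segment, return $default on
// a miss). This is NOT the RFC's implementation, only a model of the behaviour.
function array_get_dot(array $array, string $path, mixed $default = null): mixed
{
    $node = $array;
    foreach (explode('.', $path) as $segment) {
        if (!is_array($node) || !array_key_exists($segment, $node)) {
            return $default;
        }
        $node = $node[$segment];
    }
    return $node;
}

// Hardened wrapper (hypothetical helper): the caller enumerates the paths a
// request may read, so untrusted input is compared against a fixed allowlist
// instead of being interpreted as a path.
function array_get_allowed(array $array, string $path, array $allowedPaths, mixed $default = null): mixed
{
    if (!in_array($path, $allowedPaths, true)) {
        throw new InvalidArgumentException("Path not permitted: {$path}");
    }
    return array_get_dot($array, $path, $default);
}

// Constructed sample record, mirroring the shape in the mail.
$user = [
    'data'     => ['name' => 'alice', 'email' => 'alice@example.test'],
    'password' => 'secret',
];

// 1. Path taken verbatim from the request: the sibling key is reachable.
$untrusted = 'password';                              // e.g. $_GET['field']
var_dump(array_get_dot($user, $untrusted));           // string(6) "secret"

// 2. A fixed prefix only pins the first segment; everything beneath it stays
//    addressable, which is the limitation Rob points out.
var_dump(array_get_dot($user, sprintf('data.%s', 'email')));

// 3. Allowlist: only author-chosen paths resolve; anything else is rejected.
$allowed = ['data.name', 'data.email'];
var_dump(array_get_allowed($user, 'data.name', $allowed)); // string(5) "alice"
try {
    array_get_allowed($user, 'password', $allowed);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                   // Path not permitted: password
}
```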