Newsgroups: php.internals
Message-ID: <1775376880059.1437066672.2965818070@yahoo.de>
From: hanskrentel@yahoo.de (Hans Krentel)
To: rob@bottled.codes
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC] [Discussion] array_get and array_has functions
Date: Sun, 05 Apr 2026 08:22:18 +0000
In-Reply-To: <2c0a3342-aba5-4ca2-969e-350dd4cfcd9d@app.fastmail.com>
References: <2c0a3342-aba5-4ca2-969e-350dd4cfcd9d@app.fastmail.com>

On Sunday 05 April 2026 08:51:30 (+02:00), Rob Landers wrote:

> On Sat, Apr 4, 2026, at 16:06, Barel wrote:
> > Hi,
> >
> > I would like to open the discussion on my proposal to add two small, focused array functions for retrieving and checking nested array elements using dot notation.
> >
> > This is the link to the RFC: https://wiki.php.net/rfc/array_get_and_array_has
> >
> > This is the link to the proposed implementation: https://github.com/php/php-src/pull/21637
> >
> > Thanks!!
> >
> > Carlos
>
> Hi Barel,
>
> Interesting! As dot-notation isn't used anywhere else, and I don't see it discussed as part of the RFC, how are developers to prevent injections of dots in user input? With SQL, we have parameters and escaping ... but I don't see any of that here.
>
> As an example:
>
> $user = [ 'data' => [...], 'password' => 'secret' ];
>
> If the path is completely user-controlled (as in the examples given), then they can access sensitive information in the array. Even if it is prefixed, i.e., "data.%s" -- an attacker can simply enumerate all possible keys and subkeys.
>
> As it stands, it appears to add a new vulnerability to PHP that will be unfamiliar to PHP developers -- unless they're using a framework that already does this sort of notation.

I wouldn’t go that far, but I’d like to start by emphasizing that the dot notation described here clearly does not provide a mechanism for escaping the dot. That’s probably a shortcoming, but if any user-supplied string key poses a security risk, then PHP arrays are also affected, and this vulnerability would be nothing new! (Rather, it would be to be expected.)

-- 
hakre
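
The exchange above, as an added example that is not part of either message and is not the RFC's implementation: `dot_get()` is a hypothetical userland stand-in for a dot-notation lookup, `dot_get_allowed()` is one possible allow-list mitigation, and the sample array is constructed after the `$user` example in the quoted text.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a dot-notation lookup (assumption: plain
// explode() on '.', no escape syntax, as the reply above points out).
function dot_get(array $data, string $path, mixed $default = null): mixed
{
    $node = $data;
    foreach (explode('.', $path) as $segment) {
        if (!is_array($node) || !array_key_exists($segment, $node)) {
            return $default;
        }
        $node = $node[$segment];
    }
    return $node;
}

// Hypothetical mitigation: resolve only paths the application has
// explicitly decided to expose; anything else yields the default.
function dot_get_allowed(array $data, string $path, array $allowed, mixed $default = null): mixed
{
    return in_array($path, $allowed, true) ? dot_get($data, $path, $default) : $default;
}

// Constructed sample data modelled on the $user array in the thread.
$user = [
    'data'     => ['name' => 'alice', 'prefs' => ['theme' => 'dark'], 'a.b' => 'dotted key'],
    'password' => 'secret',
];
$allowed = ['data.name', 'data.prefs.theme'];

// A fully caller-controlled path reaches the sibling 'password' key.
var_dump(dot_get($user, 'password'));

// A "data.%s" prefix confines the lookup to 'data', but a dot inside the
// caller's value still walks into any subkey below it.
var_dump(dot_get($user, sprintf('data.%s', 'prefs.theme')));

// Without an escape mechanism the literal key 'a.b' cannot be addressed:
// the path is split into 'a' and 'b', which do not exist.
var_dump(dot_get($user, 'data.a.b'));

// With the allow-list, the same caller-supplied path is refused, while an
// exposed path still resolves.
var_dump(dot_get_allowed($user, 'password', $allowed));
var_dump(dot_get_allowed($user, 'data.name', $allowed));
```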