Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:130569 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id 2B7211A00BC for ; Sun, 5 Apr 2026 09:12:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1775380349; bh=ugkbk73RnNoewT2KOSCiEIuDgkdq/DUlnsfl9QamS2Y=; h=Date:From:Cc:In-Reply-To:References:Subject:From; b=mSsUlkdpKkZVfRfkDyv/WhcK+VOLfuLmgr66tsAzNgr9UxYpJtYwY535rK4PL58fN KhsnfBKMpj3O2M2XqpWb1tvLX/T8XkhhFvaFvWCpbTCLybY6gDnX1hDCQyRMDtlCli DXh0Fp7kx5Vth6zdVTx5Uy98ih4L9/3B6KNklw+UPlAbxnt9iMPV/+xqM3Byyz2CFe lUd8EQvTBI/04ByxRUnpRkSEJgIXwuuQh1BIcF2+3JisXPuAS5bgItGsVdYOeMVMlj jQDkzTWUQaJzebAlT4oCEhFjQMlZHPbCG6SeGb7Ih3BT24e2PswlJcg1PEYPv1vGaz /IDwyu4TqfCmQ== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id E4AC51801E9 for ; Sun, 5 Apr 2026 09:12:28 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_MISSING,HTML_MESSAGE, MISSING_HEADERS,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: No X-Envelope-From: Received: from fhigh-a4-smtp.messagingengine.com (fhigh-a4-smtp.messagingengine.com [103.168.172.155]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sun, 5 Apr 2026 09:12:28 +0000 (UTC) Received: from phl-compute-12.internal (phl-compute-12.internal [10.202.2.52]) by mailfhigh.phl.internal (Postfix) with ESMTP id 71780140002E for ; Sun, 5 Apr 2026 05:12:23 -0400 (EDT) Received: from phl-imap-05 ([10.202.2.95]) by phl-compute-12.internal (MEProxy); Sun, 05 Apr 2026 05:12:23 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bottled.codes; h=cc:cc:content-type:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to; s=fm3; t=1775380343; x=1775466743; bh=ugkbk73RnNoewT2KOSCiEIuDgkdq/DUlnsfl9QamS2Y=; b=VQQhsXOM8VCM GB7+aXH8UE+odFn7OJxalWyfjcMo5e+qN0SvuhF571h5DhryhuK4IU68MCLMYTFl LQVxNLOox5CTRA8bisOYkA5/CCOSQ+Rgcxl0MW2/2XJLYWoXd3yJT4P14Fya551I I8IpVNnwlav8TBYTT//QH1EJOag2uTUjIQjTQBFzooas1fN82nhwKehZ5zdHJ6mh KF0Ol/IbPkqv4gHFXU8CKJ044i/+7Cl19wp2uT9U04aoL43jHFGDiqCW2acdchrz 3iWQDm16B/fNRrHShTcdRLppSj91jQHfqe1X1RQZ3lfo2mqQCgT5jwZ1V8OugXch gfVuvWmaNg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t= 1775380343; x=1775466743; bh=ugkbk73RnNoewT2KOSCiEIuDgkdq/DUlnsf l9QamS2Y=; b=piT3wkelLY3j/Ur5UlINlxPXo7cqnb0+/TKbgrEu0ek86ssa1Qe zTeQOmaPVo+5aSamqwvfuhcTL+d8ZzrlasZBYHnftIqTyP2ObFXGJc6FogtKvRCD w/2TvHHPYmqlFepA5YXyCp+Cqjr+tM00eZNjIrKu6MuHg1SqBZjH+JMMx7qvUbX5 Ec1A45+70btupsk29Sv+PMLpZfskzHipPQk+z3OOo8NfB78nPK4QBFFgZhA1uy+f 18e2g6rnQ/mBRAIZg4aB3m4rPUKJ60ZMjx3+HfM95m0SUyTqWl8zpFunAgqpQNZk kHiTwI43fcG9PSAUGHwNHJ5hMhurtFxumPw== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefhedrtddtgddugeefiecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpuffrtefokffrpgfnqfghnecuuegr ihhlohhuthemuceftddtnecumhhishhsihhnghcuvffquchfihgvlhguucdlfedtmdenuc fjughrpefoggffhfevkfgjfhfutgesrgdtreerredtjeenucfhrhhomhepfdftohgsucfn rghnuggvrhhsfdcuoehrohgssegsohhtthhlvggurdgtohguvghsqeenucggtffrrghtth gvrhhnpeeggfffleelveeukeelffejudetiedujedtieejheehueehteduieegiedvleek leenucffohhmrghinhepphhhphdrnhgvthdpghhithhhuhgsrdgtohhmnecuvehluhhsth gvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheprhhosgessghothhtlhgv ugdrtghouggvshdpnhgspghrtghpthhtohepuddpmhhouggvpehsmhhtphhouhhtpdhrtg hpthhtohepihhnthgvrhhnrghlsheslhhishhtshdrphhhphdrnhgvth X-ME-Proxy: Feedback-ID: ifab94697:Fastmail Received: by mailuser.phl.internal (Postfix, from userid 501) id 2E728182007A; Sun, 5 Apr 2026 05:12:23 -0400 (EDT) X-Mailer: MessagingEngine.com Webmail Interface Precedence: list list-help: list-unsubscribe: list-post: List-Id: x-ms-reactions: disallow MIME-Version: 1.0 X-ThreadId: AeWzGyuMXtOs Date: Sun, 05 Apr 2026 11:12:02 +0200 Cc: internals@lists.php.net Message-ID: In-Reply-To: <1775376880059.1437066672.2965818070@yahoo.de> References: <2c0a3342-aba5-4ca2-969e-350dd4cfcd9d@app.fastmail.com> <1775376880059.1437066672.2965818070@yahoo.de> Subject: Re: [PHP-DEV] [RFC] [Discussion] array_get and array_has functions Content-Type: multipart/alternative; boundary=c4adfbe89985415f8bc6f3446a3f3ccc From: rob@bottled.codes ("Rob Landers") --c4adfbe89985415f8bc6f3446a3f3ccc Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On Sun, Apr 5, 2026, at 10:22, Hans Krentel wrote: >=20 >=20 >=20 >=20 > On Sunday 05 April 2026 08:51:30 (+02:00), Rob Landers wrote: >=20 > > On Sat, Apr 4, 2026, at 16:06, Barel wrote: > > > Hi, > > >=20 > > > I would like to open the discussion on my proposal to add two smal= l, focused array functions for retrieving and checking nested array elem= ents using dot notation. > > >=20 > > > This is the link to the RFC: https://wiki.php.net/rfc/array_get_an= d_array_has > > >=20 > > > This is the link to the proposed implementation: https://github.co= m/php/php-src/pull/21637 > > >=20 > > > Thanks!! > > >=20 > > > Carlos > >=20 > > Hi Barel, > >=20 > > Interesting! As dot-notation isn't used anywhere else, and I don't s= ee it discussed as part of the RFC, how are developers to prevent inject= ions of dots in user input? With SQL, we have parameters and escaping ..= . but I don't see any of that here. > >=20 > > As an example: > >=20 > > $user =3D [ 'data' =3D> [...], 'password' =3D> 'secret' ]; > >=20 > > If the path is completely user-controlled (as in the examples given)= , then they can access sensitive information in the array. Even if it is= prefixed, ie., "data.%s" -- an attacker can simply enumerate all possib= le keys and subkeys. > >=20 > > As it stands, it appears to add a new vulnerability to PHP that will= be unfamiliar with PHP developers -- unless they're using a framework t= hat already does this sort of notation. >=20 > I wouldn=E2=80=99t go that far, but I=E2=80=99d like to start by empha= sizing that the dot notation described here clearly does not provide a m= echanism for escaping the dot. That=E2=80=99s probably a shortcoming, bu= t if any user-supplied string key poses a security risk, then PHP arrays= are also affected, and this vulnerability would be nothing new! (Rather= , it would be to be expected.) >=20 > -- hakre >=20 My point is that this is different and distinct from regular array vulne= rabilities and injections. $user['data'][$key] !=3D=3D array_get($user['data'], $key, null); In the former 'some.key' is a full key; in the latter, it would access [= 'some']['key']. Further, the former could be a valid key, but there is no way to access = it using the proposed RFC =E2=80=94 Rob --c4adfbe89985415f8bc6f3446a3f3ccc Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable


On Sun, Apr 5, 2026, at 10:22, Hans Krentel wrote:



On Sunday 05 April 2026 08:51:= 30 (+02:00), Rob Landers wrote:

> On Sat, Ap= r 4, 2026, at 16:06, Barel wrote:
> > Hi,
>= > 
> > I would like to open the discussion on m= y proposal to add two small, focused array functions for retrieving and = checking nested array elements using dot notation.
> >&n= bsp;
> > This is the link to the RFC: https://wiki.php.net/rfc= /array_get_and_array_has
> > 
> &g= t; This is the link to the proposed implementation: https://github.com/php/php-src/pu= ll/21637
> > 
> > Thanks!!
> > 
> > Carlos
> Hi Barel,
> Interesting! = As dot-notation isn't used anywhere else, and I don't see it discussed a= s part of the RFC, how are developers to prevent injections of dots in u= ser input? With SQL, we have parameters and escaping ... but I don't see= any of that here.
> As an example:
> $user =3D [ 'data' =3D> [...], 'pas= sword' =3D> 'secret' ];
> If the pa= th is completely user-controlled (as in the examples given), then they c= an access sensitive information in the array. Even if it is prefixed, ie= ., "data.%s" -- an attacker can simply enumerate all possible keys and s= ubkeys.
> As it stands, it appears to = add a new vulnerability to PHP that will be unfamiliar with PHP develope= rs -- unless they're using a framework that already does this sort of no= tation.

I wouldn=E2=80=99t go that far, but I=E2= =80=99d like to start by emphasizing that the dot notation described her= e clearly does not provide a mechanism for escaping the dot. That=E2=80=99= s probably a shortcoming, but if any user-supplied string key poses a se= curity risk, then PHP arrays are also affected, and this vulnerability w= ould be nothing new! (Rather, it would be to be expected.)
-- hakre


My point is that this is different and distinct from regular array vul= nerabilities and injections.

$user['data'][$key] !=3D=3D array_get($user['data'=
], $key, null);

In the former 'some.key' is a f= ull key; in the latter, it would access ['some']['key'].

<= /div>
Further, the former could be a valid key, but there is no way = to access it using the proposed RFC

=E2=80=94 Rob
--c4adfbe89985415f8bc6f3446a3f3ccc--