Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:130572
Subject: Re: [PHP-DEV] [RFC] [Discussion] array_get and array_has functions
From: barel.barelon@gmail.com (Barel)
To: Rob Landers
Cc: internals@lists.php.net
Date: Sun, 5 Apr 2026 11:34:58 +0200
In-Reply-To: <2c0a3342-aba5-4ca2-969e-350dd4cfcd9d@app.fastmail.com>

On Sun, 5 Apr 2026 at 08:54, Rob Landers wrote:
> On Sat, Apr 4, 2026, at 16:06, Barel wrote:
> > Hi,
> >
> > I would like to open the discussion on my proposal to add two small,
> > focused array functions for retrieving and checking nested array elements
> > using dot notation.
> >
> > This is the link to the RFC:
> > https://wiki.php.net/rfc/array_get_and_array_has
> >
> > This is the link to the proposed implementation:
> > https://github.com/php/php-src/pull/21637
> >
> > Thanks!!
> >
> > Carlos
>
> Hi Barel,
>
> Interesting! As dot-notation isn't used anywhere else, and I don't see it
> discussed as part of the RFC, how are developers to prevent injections of
> dots in user input? With SQL, we have parameters and escaping ... but I
> don't see any of that here.
>
> As an example:
>
> $user = [ 'data' => [...], 'password' => 'secret' ];
>
> If the path is completely user-controlled (as in the examples given), then
> they can access sensitive information in the array. Even if it is prefixed,
> ie., "data.%s" -- an attacker can simply enumerate all possible keys and
> subkeys.
>
> As it stands, it appears to add a new vulnerability to PHP that will be
> unfamiliar with PHP developers -- unless they're using a framework that
> already does this sort of notation.
>
> — Rob

Thanks Rob. Probably user input is not the best use case for these functions; I just used it in the examples because it is simple. In any case, if your program allows unrestricted array access using a user-defined path, the vulnerability already exists; these functions just make it easier to implement the access. If you did not have them and wanted the same functionality, you would use a custom implementation (like the one provided by Laravel) and you would have the same vulnerability.

Cheers

Carlos
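The point both messages circle around, as an added example (not code from the RFC, the php-src pull request, or either poster): a userland dot-path getter named `dot_get` (a hypothetical helper, not the proposed `array_get`) shows that any dot-parsed path a user controls resolves wherever it points, and a guarded `user_field` lookup shows the mitigation Rob asks about: pin the subtree in code, treat the user value as one literal key, and check it against an allowlist.

```php
<?php
// Added example, not from the RFC or php-src. dot_get and user_field are
// hypothetical helper names chosen for this illustration.

/** Hypothetical dot-notation getter: "a.b.c" walks $array['a']['b']['c']. */
function dot_get(array $array, string $path, mixed $default = null): mixed
{
    $node = $array;
    foreach (explode('.', $path) as $segment) {
        if (!is_array($node) || !array_key_exists($segment, $node)) {
            return $default;
        }
        $node = $node[$segment];
    }
    return $node;
}

/**
 * Guarded variant: the caller fixes the subtree ('data') in code, the
 * user-supplied value is used as ONE literal key (never split on dots),
 * and it must be on an allowlist of keys the caller intends to expose.
 */
function user_field(array $user, string $field, array $allowed): mixed
{
    if (!in_array($field, $allowed, true)) {
        return null;                       // unknown or dotted key: refuse
    }
    return $user['data'][$field] ?? null;  // literal key, no path parsing
}

// Constructed sample, shaped like the $user array in Rob's message.
$user = ['data' => ['name' => 'alice'], 'password' => 'secret'];

// A fully user-controlled path reaches the sibling 'password' key.
var_dump(dot_get($user, 'password'));
// A fixed prefix only narrows the walk to the 'data' subtree; every key
// and subkey under it is still reachable through the user-supplied tail.
var_dump(dot_get($user, sprintf('data.%s', 'name')));

// Guarded lookup: only allowlisted literal keys under 'data' resolve;
// 'password' and 'data.name' are rejected before any array access.
$allowed = ['name'];
var_dump(user_field($user, 'name', $allowed));
var_dump(user_field($user, 'password', $allowed));
var_dump(user_field($user, 'data.name', $allowed));
```

The same guard applies to a custom or framework dot-path helper: the fix is not in the getter but in never handing it a path built from input.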