Newsgroups: php.internals
From: hanskrentel@yahoo.de (Hans Krentel)
To: rob@bottled.codes
Cc: internals@lists.php.net, Barel
Subject: Re: [PHP-DEV] [RFC] [Discussion] array_get and array_has functions
Date: Sun, 05 Apr 2026 11:24:26 +0000
Message-ID: <1775386552370.2592038250.1050472667@yahoo.de>

On Sunday 05 April 2026 11:12:02 (+02:00), Rob Landers wrote:
>
> On Sun, Apr 5, 2026, at 10:22, Hans Krentel wrote:
> >
> > On Sunday 05 April 2026 08:51:30 (+02:00), Rob Landers wrote:
> >
> > > On Sat, Apr 4, 2026, at 16:06, Barel wrote:
> > > > Hi,
> > > >
> > > > I would like to open the discussion on my proposal to add two small, focused array functions for retrieving and checking nested array elements using dot notation.
> > > >
> > > > This is the link to the RFC: https://wiki.php.net/rfc/array_get_and_array_has
> > > >
> > > > This is the link to the proposed implementation: https://github.com/php/php-src/pull/21637
> > > >
> > > > Thanks!!
> > > >
> > > > Carlos
> > >
> > > Hi Barel,
> > >
> > > Interesting! As dot-notation isn't used anywhere else, and I don't see it discussed as part of the RFC, how are developers to prevent injections of dots in user input? With SQL, we have parameters and escaping... but I don't see any of that here.
> > >
> > > As an example:
> > >
> > > $user = [ 'data' => [...], 'password' => 'secret' ];
> > >
> > > If the path is completely user-controlled (as in the examples given), then they can access sensitive information in the array. Even if it is prefixed, i.e., "data.%s" -- an attacker can simply enumerate all possible keys and subkeys.
> > >
> > > As it stands, it appears to add a new vulnerability to PHP that will be unfamiliar to PHP developers -- unless they're using a framework that already does this sort of notation.
> >
> > I wouldn’t go that far, but I’d like to start by emphasizing that the dot notation described here clearly does not provide a mechanism for escaping the dot. That’s probably a shortcoming, but if any user-supplied string key poses a security risk, then PHP arrays are also affected, and this vulnerability would be nothing new! (Rather, it would be to be expected.)
> >
> > -- hakre
> >
>
> My point is that this is different and distinct from regular array vulnerabilities and injections.
>
> $user['data'][$key] !== array_get($user['data'], $key, null);
>
> In the former 'some.key' is a full key; in the latter, it would access ['some']['key'].

For the sake of this discussion, it would probably make sense to use $dot_path or $dot_pointer instead of $key in this function; this would make the distinction clearer. If I recall correctly, this was already suggested earlier in the discussion—though in the function name, not the parameter name—but I’d have to look it up to find out the exact details.

However, I don’t see any difference from accessing a standard array, apart from the fact that the first parameter contains a container object in the domain and the standard variable on the left-hand side; I wouldn’t expect that !== must be equal to ===.

>
> Further, the former could be a valid key, but there is no way to access it using the proposed RFC

If I'm not mistaken, this is due to the lack of an escape mechanism, which could very well be intentional—I don't know for sure, but in another thread, Carlos wrote that they want to reconsider this.

And even if it were intentional, without an escape mechanism, it would fall back to the value of the default parameter. Technically speaking, I don’t see a problem here, unless this is unintended or would, in good faith, violate expectations regarding key-value pairs.

Neither of these is a new security issue that you’ve raised—even though, in my opinion, you’ve made good points with your distinctions.

-- hakre
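Added example (not code from the RFC, the linked PR, or anyone in this thread) that makes the distinction discussed above concrete in PHP: a userland stand-in for the proposed dot-path lookup, the fallback to the default when a literal key contains a dot, and a hypothetical segment-based variant with an allow-list of reachable roots for caller-supplied paths. The names `walk_segments`, `array_get_demo` and `array_get_segments` are assumed, and the sample array is constructed.

```php
<?php
declare(strict_types=1);

// Shared walker: follow $segments into nested arrays, returning $default
// at the first segment that is missing or cannot be descended into.
function walk_segments(array $array, array $segments, mixed $default): mixed
{
    $current = $array;
    foreach ($segments as $segment) {
        if (!is_array($current) || !array_key_exists($segment, $current)) {
            return $default;
        }
        $current = $current[$segment];
    }
    return $current;
}

// Stand-in for the proposed array_get(): every dot separates segments and
// there is no escape mechanism, as the thread describes. This is NOT the
// RFC's own implementation, only a model of the semantics under discussion.
function array_get_demo(array $array, string $dotPath, mixed $default = null): mixed
{
    return walk_segments($array, explode('.', $dotPath), $default);
}

// Hypothetical defensive variant for paths built from request input: the
// caller passes an explicit list of segments (so a dot inside a key is just
// part of that key) and names which top-level keys may be reached at all.
function array_get_segments(array $array, array $segments, array $allowedRoots, mixed $default = null): mixed
{
    if ($segments === [] || !in_array($segments[0], $allowedRoots, true)) {
        return $default;
    }
    return walk_segments($array, $segments, $default);
}

// Constructed sample: 'some.key' is a literal key, 'some' => ['key'] is nested.
$user = [
    'data'     => ['some.key' => 'literal', 'some' => ['key' => 'nested']],
    'password' => 'secret',
];
$key = 'some.key'; // pretend this string arrived from the request

// Plain subscript reads the literal key; the dot path descends into 'some' then 'key'.
var_dump($user['data'][$key] === array_get_demo($user['data'], $key));
// With only the literal key present, the dot path misses and yields the default.
var_dump(array_get_demo(['some.key' => 'literal'], $key, 'default'));
// Explicit segments reach the literal key; a non-allow-listed root is refused.
var_dump(array_get_segments($user, ['data', 'some.key'], ['data']));
var_dump(array_get_segments($user, ['password'], ['data'], 'refused'));
```

Run with `php example.php`; the first `var_dump` is false, which is exactly the `!==` in the quoted line, and the last shows the allow-list refusing a path that steps outside `data`.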