Newsgroups: php.internals
Xref: news.php.net php.internals:85831
Message-ID: <1429186803.18620.18.camel@kuechenschabe>
From: johannes.schlueter@oracle.com (Johannes Schlüter)
To: Marc Bennewitz
Cc: internals@lists.php.net
Date: Thu, 16 Apr 2015 14:20:03 +0200
In-Reply-To: <551C3876.5000004@mabe.berlin>
References: <551C3876.5000004@mabe.berlin>
Organization: Oracle Corporation - MySQL
Subject: Re: [PHP-DEV] Deprecate setlocale?

On Wed, 2015-04-01 at 20:27 +0200, Marc Bennewitz wrote:
>
> https://bugs.php.net/bug.php?id=69348 - breaks MySQL
> -> It's a bug and should be fixed (non locale based functionality)
> -> Couldn't this one be a security issue?

No, this is not a bug in this function, and no, it is not a security issue. The user asks to escape a string and provides a double. The double is therefore converted to a string according to PHP's rules and then correctly escaped. Now PHP's rules are a bit unfortunate and might lead to wrong data being stored.

From MySQL's perspective the correct usage is not to escape numeric types. Those can be put in the query directly. (Code like

    $d = (double)$foo; $sql = "SELECT * FROM t WHERE d=$d";

is safe.) Or, maybe better, use prepared statements.

Also mind: locale not only has an impact on number->string conversion but also on different string operations like uppercase/lowercase conversion (see Turkish i->I->y).

Revising locale might be a good idea, however not by removing a function but by finding a way to make the behavior more explicit to the user. Removing the function will cause trouble when interacting with external libraries and programs which are locale dependent.

johannes

-- 
ORACLE Deutschland B.V. & Co. KG | Riesstraße 25 | 80992 München
Registry court: Amtsgericht München, HRA 95603
General partner: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Netherlands
Commercial register of the Handelskammer Midden-Niederlande, No. 30143697
Managing directors: Alexander van der Ven, Astrid Kepper, Val Maher
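The following script is an added example illustrating the point of the reply above; it is not code from Johannes, from the bug report, or from the PHP project. It shows what a comma-decimal locale does to PHP's float-to-string conversion (the mechanism behind the bug report), and then the two alternatives the reply recommends: build the literal from a validated, cast number without any escaping, or bind it in a prepared statement. Assumptions: a German locale is installed on the host (if not, the script says so and the comma never appears); addslashes() stands in for mysqli_real_escape_string(), which needs a live connection; the numericLiteral()/buildQuery() helper names are the example's own. One caveat worth knowing when reading the reply: since PHP 8.0 the (string) cast and string interpolation of floats are locale-independent, so only sprintf('%f') and the older PHP versions still produce the comma; var_export() always prints floats with a '.' on every version, which is why it is used for the literal.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not part of the original thread. Assumes a German locale is
 * installed; needs no database, it only builds query strings.
 */

/** Switch to a locale that uses ',' as decimal point; null if none is installed. */
function enableCommaLocale(): ?string
{
    $set = setlocale(LC_ALL, 'de_DE.UTF-8', 'de_DE.utf8', 'de_DE', 'German');
    return $set === false ? null : $set;
}

/**
 * What the bug report describes: a float handed to a string-escaping
 * function. The conversion to string happens before escaping, so the
 * escaper only sees "1,5" and cannot put the '.' back. addslashes() is a
 * stand-in here for mysqli_real_escape_string(), which needs a connection.
 */
function escapedFloatLiteral(float $d): string
{
    return "'" . addslashes((string) $d) . "'";
}

/**
 * The locale-independent way: validate, cast, and format with a function
 * that always uses '.'. var_export() prints floats with a '.' decimal point
 * and enough digits to round-trip regardless of setlocale(); sprintf('%f')
 * and, before PHP 8.0, the (string) cast do not.
 */
function numericLiteral($value): string
{
    if (!is_numeric($value)) {              // rejects '1,5', '1.5 OR 1=1', etc.
        throw new InvalidArgumentException('not a number');
    }
    $d = (float) $value;
    if (!is_finite($d)) {                   // NAN/INF have no SQL literal
        throw new InvalidArgumentException('NaN/Inf has no SQL literal');
    }
    return var_export($d, true);            // e.g. 1.5, 0.1, 1.0E+25
}

/** Only the formatted float reaches the query text, never the caller's input. */
function buildQuery($userInput): string
{
    return 'SELECT * FROM t WHERE d = ' . numericLiteral($userInput);
}

$locale = enableCommaLocale();
echo "locale            : ", $locale ?? 'none available (no comma will show up)', "\n";
echo "decimal_point     : ", localeconv()['decimal_point'], "\n";

$d = 1.5;
echo "(string)\$d        : ", (string) $d, "\n";        // "1,5" before PHP 8.0 under de_DE, "1.5" from 8.0 on
echo "sprintf('%.1f')   : ", sprintf('%.1f', $d), "\n"; // "1,5" under de_DE on every PHP version
echo "escaped literal   : ", escapedFloatLiteral($d), "\n";
echo "numeric literal   : ", numericLiteral('1.5'), "\n"; // "1.5" under any locale
echo "query             : ", buildQuery('1.5'), "\n";

try {
    buildQuery('1,5');                      // comma input is rejected rather than mangled
} catch (InvalidArgumentException $e) {
    echo "rejected '1,5'    : ", $e->getMessage(), "\n";
}

// Prepared statements avoid the string conversion entirely: with mysqli,
// bind_param('d', $d) sends the double in binary form and the server never
// parses a decimal point at all. Not run here (no connection):
//   $stmt = $mysqli->prepare('SELECT * FROM t WHERE d = ?');
//   $stmt->bind_param('d', $d);
//   $stmt->execute();
```

Run it under PHP 7.x and PHP 8.x on a host with de_DE installed to see the (string) line change between versions while the sprintf('%f') line keeps the comma; the numericLiteral() output is the same everywhere, which is the property you want from anything that ends up inside SQL text.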