Newsgroups: php.internals
From: walterp@gmail.com (Walter Parker)
To: Yasuo Ohgaki
Cc: "internals@lists.php.net"
Date: Wed, 29 Apr 2015 19:52:53 -0700
Subject: Re: [PHP-DEV] Adding "numeric" type hint

On Wed, Apr 29, 2015 at 7:37 PM, Yasuo Ohgaki wrote:

> Hi Rowan,
>
> On Thu, Apr 30, 2015 at 11:17 AM, Yasuo Ohgaki wrote:
>
> >
> >> A fatal error wouldn't constitute a DoS vulnerability, would it?
> >>>>
> >>>> Attacker may inject huge ID value and/or they may simply access
> >>> web sites to reach 2 billion limit, for example.
> >>>
> >>
> >> That's not a DoS vector unless you've also done something else wrong,
> >> it's just an embarrassing error like many others. A lot of the time, the DB
> >> will overflow first anyway, because an SQL "int" is signed 32-bit. Hell,
> >> YouTube had a 32-bit int for number of views until Gangnam Style overflowed
> >> it!
> >>
> >
> > Not really. Primary key is out of user control almost always. However,
> > suppose code allows to specify foreign key and code assumes that non
> > existing foreign key results in search query failure.
> >
> > Current PHP: Search query failure.
> > New PHP type hint: Fatal error because foreign key is out of PHP int range.
> >
> > If users are using type hints everywhere, it may be limited to attackers
> > seeing fatal errors. If not, attacker can succeed system wide DoS attack by
> > simple operation.
> >
>
> I should have mentioned that I'm supposing DBMS like SQLite here.
> As we know, SQLite column accepts any value including value beyond 64 bit
> int.
>
> https://www.sqlite.org/datatype3.html
> (Those who don't know "Type Affinity", please read the section)
>
> SQLite is the most used RDBMS in the world.
>
> MySQL supports unsigned 64 bit integer also, BTW.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>

Are you asking to have both the 32 and 64 bit versions of PHP fully map to
the type system in SQLite? The type system in SQLite appears to have been
set up to map to programming languages that have lots of types (modern C,
C++, maybe Java) rather than PHP.

I think you might have an easier time fixing the SQLite adaptor for PHP than
making both 32 and 64 bit PHP map to the type structure for SQLite completely
transparently with full type defs.

--
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
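The out-of-range foreign key case debated in this thread, as an added example that is not code from any participant or from the PHP project: a request value is validated at the boundary so an ID beyond PHP's int range yields an empty result instead of a TypeError from the int-typed parameter. The table, function names and sample inputs are hypothetical; it assumes PHP 7 or later in the default (coercive) typing mode with the pdo_sqlite extension.

```php
<?php
// Hypothetical foreign-key search with an int-typed parameter.
function findOrdersByCustomer(PDO $db, int $customerId): array
{
    $stmt = $db->prepare('SELECT id FROM orders WHERE customer_id = :cid');
    $stmt->bindValue(':cid', $customerId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Validate the raw request value before it reaches the typed function.
// FILTER_VALIDATE_INT returns false for non-integers and for values
// outside PHP_INT_MIN..PHP_INT_MAX, on 32-bit and 64-bit builds alike.
function lookup(PDO $db, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];  // treated the same as a key that does not exist
    }
    return findOrdersByCustomer($db, $id);
}

// In-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER)');
$db->exec('INSERT INTO orders (customer_id) VALUES (7), (7), (9)');

// Constructed sample inputs: existing key, missing key,
// one past the signed 64-bit maximum, and a non-numeric string.
foreach (['7', '8', '9223372036854775808', 'abc'] as $raw) {
    printf("%-20s => %d row(s)\n", $raw, count(lookup($db, $raw)));
}

// Without validation, the typed parameter rejects the oversized string.
// TypeError is catchable; left uncaught it ends the request with a fatal error.
try {
    findOrdersByCustomer($db, '9223372036854775808');
} catch (TypeError $e) {
    echo "TypeError: value does not fit in int\n";
}
```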