Hi Internals,

I'd like to start the discussion on the is_literal() RFC:

https://wiki.php.net/rfc/is_literal

is_literal() brings a proven way to identify Injection Vulnerabilities to PHP, already used by Google in their Java and Go projects, and is currently being added to JavaScript.

It's a lightweight and simple approach: "Distinguishing strings from a trusted developer from strings that may be attacker controlled", allowing Libraries to identify the mistakes made by the thousands of developers using them incorrectly.

When Libraries use is_literal() to protect against these mistakes, we can trust their output, and (as covered in the Future Scope section) PHP can then raise warnings with certain native functions like PDO::query, mysqli_query, exec, preg_match, etc. (we would only consider warnings; anything stricter, like exceptions, would be many years' time away, if at all. The intention is to alert and inform people, not break things.)

The length is due to the FAQ section, on why it's needed, how it can be used by Libraries, and the important differences between using this flag and the flawed Taint Checking approach, with its false sense of security (error-prone escaping).

Thanks,
Craig Francis

PS: If anyone wants to discuss face-to-face on Zoom, I'll be available (UK Time/BST/UTC+1) at:

https://chat.craigfrancis.co.uk/

Saturday 12th June, 6pm to 8pm
Sunday 13th June, 10am to Midday
Monday 14th June, 5pm to 7pm
Tuesday 15th June, 9pm to 11pm
Thursday 16th June, 10am to Midday
(other times on request)
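The following is an added example of the library-side usage the email describes (a wrapper that uses is_literal() to reject SQL the developer did not write as a literal). It is not code from the email or from the RFC. It assumes the semantics the RFC proposes: a string literal in source is flagged, and concatenating flagged strings with `.` keeps the flag, while anything that includes runtime data (request input, a database result) is not flagged. is_literal() does not exist in any released PHP, so this only runs on a build with the RFC's patch applied; the `Db` class, its `query()` method, the SQLite table and the `$name` value are all constructed here for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the RFC or the email. Requires a PHP build with the
// is_literal RFC patch; is_literal() is not part of any released PHP version.
// The Db class and the sample table/data below are constructed for this example.

final class Db
{
    public function __construct(private PDO $pdo) {}

    /**
     * $sql must be a literal string (or a concatenation of literal strings) written
     * by the developer. Anything that could be attacker controlled is passed in
     * $params and bound to a placeholder, so it never becomes part of the SQL text.
     */
    public function query(string $sql, array $params = []): PDOStatement
    {
        if (!is_literal($sql)) {
            // Reject the mistake here, so it is noticed during development rather
            // than silently becoming an injection point in production.
            throw new InvalidArgumentException(
                'SQL must be a literal string written by the developer; '
                . 'bind user input with placeholders instead.'
            );
        }

        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }
}

// Constructed sample database (in memory, two rows).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
$db = new Db($pdo);

// Constructed stand-in for request input ($_GET['name'] or similar): treat as
// attacker controlled. It is a runtime value, so it carries no literal flag.
$name = "alice' OR '1'='1";

// 1. Correct usage: the SQL is a literal, the value is bound as a parameter.
//    The WHERE clause compares against the whole string, including the quote and
//    "OR", so no row matches.
$sql = 'SELECT id, name FROM users WHERE name = ?';
$rows = $db->query($sql, [$name])->fetchAll(PDO::FETCH_ASSOC);
echo 'Parameterised query returned ', count($rows), " row(s)\n";

// 2. Still accepted: under the RFC, concatenating literals keeps the flag, so a
//    query assembled from developer-written fragments is fine.
$sql = 'SELECT id, name FROM users' . ' WHERE name = ?';
$rows = $db->query($sql, ['bob'])->fetchAll(PDO::FETCH_ASSOC);
echo 'Concatenated-literal query returned ', count($rows), " row(s)\n";

// 3. The mistake the wrapper exists to catch: user input concatenated into the
//    SQL text. The result of the concatenation is not a literal, so query()
//    refuses it before it ever reaches prepare().
$sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
try {
    $db->query($sql);
    echo "Unexpected: unsafe query was accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The third case is the one the email is about: the wrapper does not try to escape or inspect the string (the taint-checking approach it argues against); it only asks whether the SQL text came from the developer, and makes the caller move the runtime value into `$params`.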