On Sat, 12 Jun 2021 at 13:00, Craig Francis <cr...@craigfrancis.co.uk> wrote:
> Hi Internals,
>
> I'd like to start the discussion on the is_literal() RFC:
>
> https://wiki.php.net/rfc/is_literal
>
> is_literal() brings a proven way to identify Injection Vulnerabilities to
> PHP, already used by Google in their Java and Go projects, and is currently
> being added to JavaScript. It's a lightweight and simple approach:
> "Distinguishing strings from a trusted developer from strings that may be
> attacker controlled", allowing Libraries to identify the mistakes made by
> the thousands of developers using them incorrectly.
>
> When Libraries use is_literal() to protect against these mistakes, we can
> trust their output, and (as covered in the Future scope section) PHP can
> then raise warnings with certain native functions like PDO::query,
> mysqli_query, exec, preg_match, etc. (we would only consider warnings,
> anything stricter like exceptions would be in many years time, if at all -
> the intention is to alert and inform people, not break things).
>
> The length is due to the FAQ Section, on why it's needed, how it can be
> used by Libraries, and the important differences of using this flag versus
> the flawed Taint Checking approach with its false sense of security
> (error-prone escaping).
>
> Thanks,
> Craig Francis
>
>
> PS: If anyone wants to discuss face-to-face on Zoom, I'll be available (UK
> Time/BST/UTC+1) at:
>
> https://chat.craigfrancis.co.uk/
>
> Saturday 12th June, 6pm to 8pm;
> Sunday 13th June, 10am to Midday;
> Monday 14th June, 5pm to 7pm;
> Tuesday 15th June, 9pm to 11pm;
> Thursday 16th June, 10am to Midday;
> (other times on request)

Hi Craig and Dan,

I was skeptical about the first draft of this RFC when I saw it last month, but now I see the light (especially with the concat changes). This looks like a very solid solution for any library authors wanting to add a layer of protection against SQL injection attacks. Sorry for any unnecessary grief I caused.

The only remaining issue I have is performance — Psalm and other static analysis tools perform quite a lot of concatenation (and never have to worry about user input). What sorts of slowdowns do you see when running those tools?

Best wishes,
Matt
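An added illustration (not code from the RFC, from Craig, or from php-src) of the library-side check the quoted proposal describes: a small query wrapper that accepts SQL text only when is_literal() reports it was written entirely by the developer, and takes values through bound parameters. It assumes is_literal() behaves as the RFC states (true for string literals and for concatenations of literals, false for anything derived from runtime data such as request input or a database result); the SafeDb class, the SQLite table and the sample rows are constructed here for the example.

```php
<?php
// Hypothetical library wrapper around PDO. The only thing it adds over PDO is
// the is_literal() gate on the SQL text; is_literal() is assumed to exist and
// behave as https://wiki.php.net/rfc/is_literal describes.

final class SafeDb
{
    public function __construct(private PDO $pdo) {}

    /**
     * Run a query whose SQL text must be a developer-written literal.
     * Values never go into the SQL string; they are bound as parameters.
     */
    public function query(string $sql, array $params = []): PDOStatement
    {
        if (!is_literal($sql)) {
            // Some part of the SQL text did not originate in the developer's
            // source code, so it may be attacker controlled: refuse to run it.
            throw new InvalidArgumentException(
                'SQL must be a literal string; pass values as bound parameters.'
            );
        }

        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }
}

// Constructed in-memory database so the example runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
$db = new SafeDb($pdo);

// A value that did not come from source code (here: read back from the
// database, standing in for request input), so is_literal() treats it as
// untrusted.
$requestedId = $pdo->query("SELECT '2'")->fetchColumn();

// Accepted: the SQL text is a literal and the value is bound.
$row = $db->query('SELECT name FROM users WHERE id = ?', [$requestedId])->fetch();
echo $row['name'], "\n"; // bob

// Accepted: concatenating two literals still yields a literal under the RFC.
$sql = 'SELECT name FROM users' . ' WHERE id = ?';
$db->query($sql, [1]);

// Rejected: the untrusted value has been spliced into the SQL text itself,
// so is_literal() returns false and the wrapper throws instead of running it.
try {
    $db->query('SELECT name FROM users WHERE id = ' . $requestedId);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The point of the design is that the library never has to escape anything: it only needs to answer "did the developer write this string?", and the RFC's flag answers that question without the per-character escaping rules that taint-style approaches get wrong.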