> On Jun 18, 2021, at 7:22 AM, Craig Francis <[email protected]> wrote:
>
> On Fri, 18 Jun 2021 at 11:45 am, Guilliam Xavier <[email protected]>
> wrote:
>
>> IIUC, with the addition of integers, the function will return true for e.g.
>> `'SELECT * FROM foo LIMIT ' . (int)$limit` even if $limit doesn't come from
>> a "static" value (e.g. random_int() or even `$_GET['limit']`)
>
> Yes, that’s correct.
>
> Supporting integers from any source helps with adoption, and we cannot find
> any security issues (it’s a fairly small change to the RFC, and that
> prompted the new name, especially as the original is_literal wasn’t
> perfect).
For the avoidance of doubt, can you confirm that this $sql would indeed be
trusted?
$ids = array_map( 'intval', $_GET['ids'] ?? [] );
$where = implode( ',', $ids );
$sql = 'SELECT * FROM foo WHERE id IN (' . $where . ')';
Also, as it is painful to have to use string concatenation, can we please
consider supporting only the '%s' and '%d' format specifiers when used with
trusted strings and integers for sprintf(), respectively:
$sql = sprintf( 'SELECT * FROM foo WHERE id IN (%s)', $where );
And
$sql = sprintf( 'SELECT * FROM foo LIMIT %d', (int)$limit );
-Mike
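The two constructions Mike asks about, worked through as an added example (this is not code from the thread or from the RFC). It shows why integers from any source can be concatenated safely: `intval()` and `(int)` only ever produce an optional `-` followed by digits, so hostile input cannot change the shape of the query. `is_trusted()` does not exist in the PHP being discussed, so `structure_template()` is a hypothetical stand-in check of my own, and the `$hostileIds` / `$hostileLimit` values are constructed sample input, not anything from the page.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or the RFC. Demonstrates that the
// int-only pieces of the queries cannot alter query structure.

/** The thread's IN (...) construction, with the empty-list edge case handled. */
function build_in_query(array $rawIds): string
{
    $ids = array_map('intval', $rawIds);
    if ($ids === []) {
        // "IN ()" is a syntax error in MySQL and PostgreSQL; fail closed instead.
        return 'SELECT * FROM foo WHERE 1 = 0';
    }
    $where = implode(',', $ids);
    return 'SELECT * FROM foo WHERE id IN (' . $where . ')';
}

/** The thread's LIMIT construction, via sprintf('%d') as proposed above. */
function build_limit_query(string $rawLimit): string
{
    // A negative LIMIT is a syntax error in MySQL, so clamp at zero.
    $limit = max(0, (int)$rawLimit);
    return sprintf('SELECT * FROM foo LIMIT %d', $limit);
}

/**
 * Hypothetical helper (not is_trusted()): replace every integer literal
 * with '?' so the query can be compared against the developer's template.
 */
function structure_template(string $sql): string
{
    return preg_replace('/-?\d+/', '?', $sql);
}

/** Throw if a built query does not have the structure the developer wrote. */
function require_structure(string $sql, string $template): void
{
    if (structure_template($sql) !== $template) {
        throw new RuntimeException('query structure changed: ' . $sql);
    }
}

// Constructed hostile input, as it might arrive in $_GET['ids'] / $_GET['limit'].
// intval() turns these into 7, 9, 0, 12, 3 and -5 respectively.
$hostileIds   = ['7', '9) OR 1=1 --', '0x41', '12abc', ' 3', '-5'];
$hostileLimit = '10; DROP TABLE foo';

$inQuery    = build_in_query($hostileIds);
$limitQuery = build_limit_query($hostileLimit);

// Every integer slot may differ, but the surrounding SQL is exactly the
// template the developer wrote, whatever the request contained.
require_structure($inQuery, 'SELECT * FROM foo WHERE id IN (?,?,?,?,?,?)');
require_structure($limitQuery, 'SELECT * FROM foo LIMIT ?');
require_structure(build_in_query([]), 'SELECT * FROM foo WHERE ? = ?');

echo $inQuery, PHP_EOL;
echo $limitQuery, PHP_EOL;
```

The point the check makes concrete is the one the RFC relies on: `'9) OR 1=1 --'` and `'10; DROP TABLE foo'` collapse to `9` and `10` before they ever touch the string, so the only thing an attacker controls is which rows or how many rows come back, never the statement itself. The empty-list and negative-limit branches are the practical caveats: they are not injections, but they are the cases where an int-only build still produces a query the database rejects.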