> On Jun 18, 2021, at 8:30 AM, Mike Schinkel <m...@newclarity.net> wrote:
>
>> On Jun 18, 2021, at 7:22 AM, Craig Francis <cr...@craigfrancis.co.uk> wrote:
>>
>> On Fri, 18 Jun 2021 at 11:45 am, Guilliam Xavier <guilliam.xav...@gmail.com> wrote:
>>
>>> IIUC, with the addition of integers, the function will return true for e.g.
>>> `'SELECT * FROM foo LIMIT ' . (int)$limit` even if $limit doesn't come from
>>> a "static" value (e.g. random_int() or even `$_GET['limit']`)
>>
>> Yes, that's correct.
>>
>> Supporting integers from any source helps with adoption, and we cannot find
>> any security issues (it's a fairly small change to the RFC, and that
>> prompted the new name, especially as the original is_literal wasn't
>> perfect).
>
> For the avoidance of doubt can you confirm that this $sql would indeed be
> trusted?
>
> $ids = array_map( 'intval', $_GET['ids'] ?? [] );
Sorry, that should have been:

$ids = array_map( 'intval', $_GET['ids'] ?? [0] );

-Mike
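As an added illustration (not code from this thread or from the RFC's implementation), a small Python model of the trust rule Craig describes above: string literals and integers are trusted whatever their origin, a raw request string is not, and a concatenation is trusted only when every part is. `php_intval` is an approximation of PHP's intval() and the three query builders are assumed helpers that mirror the snippets in the thread.

```python
# Added model of the "literal or integer" trust rule; not PHP's code.
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class TStr:
    """A string plus a flag: built only from literals/integers (trusted)
    or touched by arbitrary request input (untrusted)."""
    value: str
    trusted: bool

def literal(s: str) -> TStr:
    return TStr(s, True)            # written in source code: trusted

def from_request(s: str) -> TStr:
    return TStr(s, False)           # arrived as a string from $_GET: untrusted

def php_intval(x) -> int:
    # Approximates intval() on strings: optional whitespace, sign and
    # leading digits count; anything else becomes 0.
    m = re.match(r"\s*([+-]?\d+)", str(x))
    return int(m.group(1)) if m else 0

def from_int(x) -> TStr:
    # An integer's text is only digits (maybe a leading '-'), so it
    # cannot carry SQL syntax: trusted regardless of where it came from.
    return TStr(str(php_intval(x)), True)

def concat(*parts: TStr) -> TStr:
    return TStr("".join(p.value for p in parts), all(p.trusted for p in parts))

def implode(sep: TStr, parts: list) -> TStr:
    joined = []
    for i, p in enumerate(parts):
        if i:
            joined.append(sep)
        joined.append(p)
    return concat(*joined)

def is_trusted(s: TStr) -> bool:
    return s.trusted

def limit_query(limit_param: str) -> TStr:
    # 'SELECT * FROM foo LIMIT ' . (int)$limit
    return concat(literal("SELECT * FROM foo LIMIT "), from_int(limit_param))

def ids_query(ids_param) -> TStr:
    # array_map('intval', $_GET['ids'] ?? [0]) joined into IN (...)
    ids = [from_int(x) for x in (ids_param if ids_param is not None else [0])]
    return concat(literal("SELECT * FROM foo WHERE id IN ("),
                  implode(literal(","), ids), literal(")"))

def name_query(name_param: str) -> TStr:
    # Contrast case: a raw request string concatenated in stays untrusted.
    return concat(literal("SELECT * FROM foo WHERE name = '"),
                  from_request(name_param), literal("'"))
```

Note that `?? [0]` only applies when the key is missing; an empty `ids` array is still passed through and would produce `IN ()`, which is a syntax error rather than an injection.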