On 18-06-2021 13:25, Pierre wrote:
> On 18/06/2021 at 12:45, Guilliam Xavier wrote:
>> IIUC, with the addition of integers, the function will return true for e.g.
>> `'SELECT * FROM foo LIMIT ' . (int)$limit` even if $limit doesn't come from
>> a "static" value (e.g. random_int() or even `$_GET['limit']`)
>
> OK, I get it.
>
> I followed the initial discussions but I didn't read everything for a while.
>
> Doesn't it mean that is_literal(), which no longer tests whether something is
> literal, does a bit more than that?
>
> The original intent of being able to tell whether a string is literal or not
> seems to be a very good idea, but now it has forked into something that is
> more SQL/other-database business related: this means that PHP's own std
> will, in my opinion, take a role it isn't supposed to have, by arbitrarily
> (don't take this wrongly, all the discussions I have read until now are
> smart and make sense) telling people what is safe and what is not?
This is my feeling as well. The original proposal was pure, with solid
security guarantees, independent of the context (SQL, HTML, ...) in which it
is used. Elevating some user input to the same level of security as literals
is not ideal.

On the other hand, as Craig pointed out to me (thanks!), a feature that is
too much of a hassle to use may not be widely adopted, and the goal of the
proposal (improving security) may not be met.

Regards,

Dik Takken

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
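The distinction the thread is arguing about, modelled as an added example in userland PHP (this is not the RFC's engine implementation, which flags the string value itself, nor code from any of the posters): `Tracked` is a hypothetical wrapper carrying the literal flag, `concatStrict` implements the original rule (only literal strings yield a literal), `concatRelaxed` the later one (an integer keeps the flag regardless of where it came from), `is_literal_model` stands in for the proposed builtin, and `run_query` is a hypothetical database gate that refuses non-literal SQL and binds values separately. The request parameters are constructed.

```php
<?php
declare(strict_types=1);

// Added example: a userland model of the two is_literal() policies debated above.
// The real RFC sets a flag on the engine's string value; this hypothetical
// wrapper carries that flag explicitly. Requires PHP 8.1+.
final class Tracked
{
    private function __construct(
        public readonly string $value,
        public readonly bool $literal,
    ) {}

    /** A string typed directly in source code. */
    public static function literal(string $s): self
    {
        return new self($s, true);
    }

    /** A string from any runtime source ($_GET, a file, a DB row, ...). */
    public static function runtime(string $s): self
    {
        return new self($s, false);
    }

    /**
     * Original ("pure") rule: the result is literal only if every operand is
     * a literal string. There is no way to splice in an integer at all.
     */
    public function concatStrict(self $other): self
    {
        return new self($this->value . $other->value, $this->literal && $other->literal);
    }

    /**
     * Relaxed rule: an int keeps the literal flag of the left-hand side,
     * whatever its origin ((int) $_GET['limit'], random_int(), ...).
     */
    public function concatRelaxed(self|int $other): self
    {
        if (is_int($other)) {
            return new self($this->value . $other, $this->literal);
        }
        return new self($this->value . $other->value, $this->literal && $other->literal);
    }
}

/** Stand-in for the proposed is_literal() builtin. */
function is_literal_model(Tracked $s): bool
{
    return $s->literal;
}

/** Hypothetical DB gate: only literal SQL may reach the driver; values are bound. */
function run_query(Tracked $sql, array $params = []): string
{
    if (!is_literal_model($sql)) {
        throw new InvalidArgumentException('refusing non-literal SQL: ' . $sql->value);
    }
    // A real driver would prepare $sql->value and bind $params here.
    return sprintf('%s  -- bound: %s', $sql->value, json_encode($params));
}

function show(string $label, Tracked $sql): void
{
    printf("%-30s literal=%s  %s\n", $label, var_export(is_literal_model($sql), true), $sql->value);
}

// Constructed request parameters standing in for $_GET.
$get = ['limit' => '10', 'name' => "bob' OR 1=1 --"];
$limit = (int) $get['limit'];

// Relaxed rule: the flag survives although $limit originates in the request.
show('relaxed, int from request', Tracked::literal('SELECT * FROM foo LIMIT ')->concatRelaxed($limit));

// Relaxed rule: it also survives for a value no developer ever typed.
show('relaxed, random_int()', Tracked::literal('SELECT * FROM foo LIMIT ')->concatRelaxed(random_int(1, 100)));

// Strict rule: the same int, once it is a runtime string, taints the result.
show('strict, int from request', Tracked::literal('SELECT * FROM foo LIMIT ')->concatStrict(Tracked::runtime((string) $limit)));

// Both rules reject a runtime string spliced into the query.
show('relaxed, string from request', Tracked::literal("SELECT * FROM foo WHERE name = '")->concatRelaxed(Tracked::runtime($get['name'])));

// The strict rule's intended workflow: keep the SQL literal and bind the value.
echo run_query(Tracked::literal('SELECT * FROM foo LIMIT ?'), [$limit]), "\n";

// The gate refusing a query that carries request data in the SQL text itself.
try {
    run_query(Tracked::literal('SELECT * FROM foo WHERE name = ')->concatRelaxed(Tracked::runtime($get['name'])));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Run it with `php example.php` on PHP 8.1 or later. The first two `show` lines are the case Guilliam describes: under the relaxed rule the flag is kept whether the integer came from `(int) $_GET['limit']` or from `random_int()`, so the query would pass a gate that only checks the flag. The strict rule makes the developer keep the SQL fully literal and pass the integer as a bound parameter, which is the "hassle" Craig's point refers to; neither rule lets a runtime string through.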