On Thu, Jun 24, 2021 at 4:34 AM Guilliam Xavier <guilliam.xav...@gmail.com> wrote:
>
>
> On Thu, Jun 24, 2021 at 9:14 AM Scott Arciszewski <sc...@paragonie.com> wrote:
>>
>> On Thu, Jun 24, 2021 at 2:10 AM Stephen Reay <php-li...@koalephant.com>
>> wrote:
>>
>> > I would absolutely make use of a function that tells me if the string
>> > given is in fact from something controlled by the developer. But once that
>> > same string can also include input from the request or the environment or
>> > whatever by nature of integers, the function becomes useless for the
>> > stated purpose.
>>
>> Why not two functions then?
>>
>> - is_noble_string() -- more restrictive
>> - is_noble() -- YOLO
>
>
> I was going to ask basically the same [with different names] a few days ago
> ("why can't we have both?"), but then remembered
> https://externals.io/message/114835#114951 , esp. the end:
>
> """
> And to support having 2 functions, we would need 2 flags on strings. These
> flags are limited, and managing 2 flags would affect performance.
> """
>
> Regards,
>
> --
> Guilliam Xavier
Thanks for the reference to that part of the discussion that I missed.

Aside: I encourage everyone to look at EasyDB (especially EasyStatement) for handling `WHERE x IN (a, b, c, ...)` statements in SQL.
https://github.com/paragonie/easydb

Additionally, Ionizer is useful for input filtering and asserting type safety:
https://github.com/paragonie/ionizer

If you're doing dynamic, on-the-fly SQL query generation (based, in part, on user input), these are two framework-agnostic tools that can help make your code safer against code injection and other attacks.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
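The `WHERE x IN (...)` case Scott points at is the classic place where "the developer wrote the query" stops being true: the number of values comes from the request, so the query string is assembled at runtime and an interpolated integer-looking value can smuggle SQL. The block below is an added example written for this page; it is not code from the thread, nor from EasyDB, EasyStatement or Ionizer. It uses plain PDO against an in-memory SQLite table (constructed sample data) to show the same technique those libraries package: expand the IN list into one bound placeholder per value, take the column name only from a fixed allow-list, and assert the value types before they reach the driver. `buildInClause`, `findUsersByIds` and the `users` table are hypothetical names chosen for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the mailing-list thread or from paragonie/easydb.
// The unsafe pattern the thread is worried about, for contrast (never executed here):
//   $sql = "SELECT * FROM users WHERE id IN (" . implode(',', $ids) . ")";
// With $ids = ['1', '2 OR 1=1'] that string is no longer "controlled by the developer".

/**
 * Build "col IN (?, ?, ?)" with one placeholder per value.
 * The column name is never user input: it must be in the caller's allow-list.
 *
 * @return array{0: string, 1: array<int, int>}  [sql fragment, bound values]
 */
function buildInClause(string $column, array $values, array $allowedColumns): array
{
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException('Column not in allow-list: ' . $column);
    }
    if ($values === []) {
        // "IN ()" is a syntax error in most engines; fail closed rather than emit it.
        throw new InvalidArgumentException('IN list must not be empty');
    }
    $placeholders = implode(', ', array_fill(0, count($values), '?'));
    return ["{$column} IN ({$placeholders})", array_values($values)];
}

/**
 * Look up users by a request-supplied list of ids.
 * Type assertion happens first: only ints or pure digit strings are accepted,
 * so "2 OR 1=1" is rejected before any SQL is built.
 */
function findUsersByIds(PDO $db, array $ids): array
{
    $clean = [];
    foreach ($ids as $id) {
        if (is_int($id) || (is_string($id) && preg_match('/^\d+$/', $id) === 1)) {
            $clean[] = (int) $id;
        } else {
            throw new InvalidArgumentException('Non-integer id rejected: ' . var_export($id, true));
        }
    }

    [$where, $params] = buildInClause('id', $clean, ['id', 'group_id']);

    // The query text is now fixed apart from the placeholder count; values travel separately.
    $stmt = $db->prepare("SELECT id, username FROM users WHERE {$where} ORDER BY id");
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data so the example runs offline (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, username) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Simulated request input: genuine ids arrive as strings from the query string.
print_r(findUsersByIds($db, ['1', '3']));

// Same entry point, one value trying to smuggle SQL: rejected at the type assertion.
try {
    findUsersByIds($db, ['1', '2 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}

// An empty list is a distinct failure mode and is also refused rather than producing "IN ()".
try {
    findUsersByIds($db, []);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The two checks are deliberately separate: the allow-list guards the part of the query that cannot be parameterised (identifiers), and the placeholder expansion plus type assertion guards the part that can (values). A library such as EasyStatement does the placeholder expansion for you; the allow-list for column names is still the caller's job.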