Nobody has demonstrated that "string" . int can lead to anything but mistakes.
It CANNOT lead to injection, and that's what we're talking about; we're not talking about a function that protects you from all possible security concerns or bugs. The actual definition of injection matters when we are talking about injection, obviously. You can't have your own definition.

Cheers

Joe

On Thu, 24 Jun 2021 at 18:59, Mike Schinkel <m...@newclarity.net> wrote:
>
>
> > On Jun 24, 2021, at 6:33 AM, Stephen Reay <php-li...@koalephant.com> wrote:
> >
> >> On 24 Jun 2021, at 17:07, Kamil Tekiela <tekiela...@gmail.com> wrote:
> >>
> >> Hi Stephen,
> >>
> >> I believe the idea was for dynamically generating table names, or numbered tables/columns. E.g.
> >>
> >> function getTable(string $table){
> >>     // is_literal check here
> >> }
> >>
> >> $number = (int) $_GET['tableno'];
> >> if($number < 0 || $number > 10) {
> >>     throw new Exception("Invalid number");
> >> }
> >>
> >> $tablename = 'table_'.$number;
> >> getTable($tablename);
> >>
> >> The number is concatenated to the table name.
> >>
> >> —Kamil
> >
> > Hi Kamil,
> >
> > Thanks for at least trying to answer this question.
> >
> > I'm sure someone somewhere does that and thinks it's a good idea. I respectfully (to you; probably less respectfully to someone if they tell me they do this) disagree. I don't think PHP should necessarily shy away from features because they're potentially dangerous, but I also don't think it should be adding new features/functions that are more dangerous, just to make some weird (IMO bad-practice) edge cases easier.
>
> WordPress Multisite does exactly that.
>
> Whether or not them doing so is a "good idea" is irrelevant, as there are a large number of websites that use that mode of WordPress currently active on the web.
>
> > I'd suggest if they insist on that bizarre naming pattern, _and_ want to use a literal string check, they could define an array of string numbers that represent their table names.
> >
> > $tbls = ['0', '1', '2', '3', '4', '5', ...];
> >
> > getTable('table_' . $tbls[$number]);
>
> Some WP MS installations support millions of thousands of sites. See WordPress.com <http://wordpress.com/>.
>
> But yes, I guess it could be possible for them to hack together 'table_983761' out of literals via a Rube Goldbergian function, if forced to.
>
> > On Jun 24, 2021, at 6:35 AM, Stephen Reay <php-li...@koalephant.com> wrote:
> >
> >> On 24 Jun 2021, at 17:16, Craig Francis <cr...@craigfrancis.co.uk> wrote:
> >>
> >> On Thu, 24 Jun 2021 at 10:55, Stephen Reay <php-li...@koalephant.com> wrote:
> >>
> >>> but still I have to keep asking: Why integers at all?
> >>>
> >>
> >> While I'm not a fan of this approach, there is a lot of existing code and tutorials that use:
> >>
> >> $sql = 'WHERE id IN (' . implode(',', array_map('intval', $ids)) . ')';
> >>
> >> $sql = sprintf('SELECT * FROM table WHERE id = %d;', intval($id));
> >>
>
> And WordPress (and I am sure a lot of other legacy code) does not support parameterized queries in the DB object, at least not without jumping through tons of hoops. Not to mention the 60k existing open-source plugins and the likely million custom plugins in the wild.
>
> -Mike
>
> P.S. Of course we could ignore the entirety of WordPress, but that just does not strike me as a prudent course of action.
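The point argued above, that a value cast to int and concatenated into a SQL literal has a closed set of possible outputs, is easy to check directly. The following is an added example, not code from the thread or from any of the projects mentioned: `tableNameUnsafe()`, `tableName()` and `idListSql()` are hypothetical helpers, the input values are constructed, and no `is_literal` call is used (the function itself is not part of PHP). It runs on PHP 8 from the command line.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Compares raw-string concatenation with
// the cast-to-int pattern discussed above, and verifies that every result of
// the cast version is either rejected or matches a closed identifier pattern.

/** Unsafe: the untrusted string becomes part of the identifier as-is. */
function tableNameUnsafe(string $raw): string
{
    return 'table_' . $raw;
}

/**
 * Cast plus range check, as in Kamil's snippet. An explicit (int) cast keeps
 * only the leading numeric part of the input ("7abc" -> 7, "x" -> 0), so the
 * concatenated result can only ever be 'table_' followed by digits.
 */
function tableName(string $raw, int $max = 10): string
{
    $number = (int) $raw;
    if ($number < 0 || $number > $max) {
        throw new InvalidArgumentException('Invalid table number');
    }
    return 'table_' . $number;
}

/** The 'IN (...)' pattern quoted by Craig: intval() applied to every element. */
function idListSql(array $ids): string
{
    return 'WHERE id IN (' . implode(',', array_map('intval', $ids)) . ')';
}

// Constructed inputs: ordinary values, junk, an out-of-range value and a
// classic injection attempt.
$inputs = ['3', '7abc', '2 OR 1=1', '-1', 'x'];

foreach ($inputs as $in) {
    $unsafe = tableNameUnsafe($in);
    try {
        $safe = tableName($in);
    } catch (InvalidArgumentException $e) {
        $safe = 'rejected (' . $e->getMessage() . ')';
    }
    printf("%-14s unsafe=%-22s safe=%s\n", var_export($in, true), $unsafe, $safe);
}

// Defender's check: no accepted result of tableName() can escape /^table_\d+$/,
// whatever the input looked like. The unsafe variant has no such guarantee.
foreach ($inputs as $in) {
    try {
        $name = tableName($in);
    } catch (InvalidArgumentException) {
        continue; // rejected by the range check, which is also acceptable
    }
    if (preg_match('/^table_\d+$/', $name) !== 1) {
        throw new LogicException("Unexpected identifier: $name");
    }
}

// Same property for the list pattern: the output contains only digits, '-' and ','.
$list = idListSql(['1', '2) OR (1=1', '03', 'abc']);
if (preg_match('/^WHERE id IN \((-?\d+)(,-?\d+)*\)$/', $list) !== 1) {
    throw new LogicException("Unexpected list: $list");
}
echo $list, "\n";
```

The check at the end is the substance of the argument in the thread: the cast does not make the value "trusted" in any general sense (a wrong but in-range number is still a logic bug, which is the "mistakes" part of the first line), but it does make the set of strings that can reach the query engine enumerable, which is what rules out injection.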