> On 7 Sep 2021, at 11:49, Craig Francis <cr...@craigfrancis.co.uk> wrote:
>
> Obviously I'd still like libraries to be able to protect everyone from
> introducing Injection Vulnerabilities (as the majority of programmers don't
> use static analysis), but that's for another day.
>
Hi,

We all want to protect against injection vulnerabilities, but I think there are better ways than is_literal. One way is to use templates, an area where PHP is ironically lagging behind. I suggest looking at JS tagged templates:

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals

For example:

    $qb->select('u')
       ->from('User', 'u')
       ->where('u.id = ' . $_GET['id']); // INSECURE

could be written as

    <?php
    $qb->exec `
        SELECT u FROM User u WHERE u.id = %{ $_GET['id'] }
    `
    ?>

where the part between %{ ... } is transformed into an SQL literal string (with delimiters "...", not just "escaping") when it is a string; into the SQL expression NULL when it is null; into an SQL subexpression if it is an object (provided by the library) that represents a well-formed SQL subexpression, etc.

—Claude