On Fri, 18 Jun 2021 at 15:47, Bruce Weirdan wrote:
> One would be potential denial of service prevention (e.g. with enormous
> `LIMIT` value where only a limited set of ints was intended.
> [...]
Here you really *don't* want $allowed_ids to include user input.
The developer is writing this q
On Fri, Jun 18, 2021 at 4:53 PM Craig Francis wrote:
> While philosophically more pure, there is actually no extra security
> benefit for excluding integers.
One would be potential denial of service prevention (e.g. with enormous `LIMIT`
value where only a limited set of ints was intended, like
On 18-06-2021 13:25, Pierre wrote:
> On 18/06/2021 at 12:45, Guilliam Xavier wrote:
>> IIUC, with the addition of integers, the function will return true for
>> e.g.
>> `'SELECT * FROM foo LIMIT ' . (int)$limit` even if $limit doesn't come
>> from
>> a "static" value (e.g. random_int() or even `$
On Fri, 18 Jun 2021 at 12:25 pm, Pierre wrote:
> On 18/06/2021 at 12:45, Guilliam Xavier wrote:
> > IIUC, with the addition of integers, the function will return true for
> e.g.
> > `'SELECT * FROM foo LIMIT ' . (int)$limit` even if $limit doesn't come
> from
> > a "static" value (e.g. random_i
On 18/06/2021 at 12:45, Guilliam Xavier wrote:
IIUC, with the addition of integers, the function will return true for e.g.
`'SELECT * FROM foo LIMIT ' . (int)$limit` even if $limit doesn't come from
a "static" value (e.g. random_int() or even `$_GET['limit']`)
OK I get it.
I followed the ini
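To make the consequence of accepting integers concrete, here is an added example written for this page. It is not the RFC's implementation and not code from anyone in the thread: it models, in Python, the flag semantics the thread describes (a string written in source is flagged, concatenating flagged values keeps the flag, an integer operand is accepted, request data is unflagged) so the `'SELECT * FROM foo LIMIT ' . (int)$limit` case can be run. The names `Str`, `lit`, `from_request`, `php_int`, `build_limit_query`, `build_name_query` and the bound `MAX_LIMIT = 100` are assumptions for illustration.

```python
"""Userland model of the flag semantics discussed in the is_literal() thread.

This is an added illustration, not the RFC's implementation: the real
proposal tracks the flag inside the engine on ordinary strings. Here a
wrapper carries the flag so the propagation rules can be run and checked.
Rules modelled: a string written in source is literal; concatenating two
literal values stays literal; an integer may be concatenated without
losing the flag (the change announced in the thread); anything that came
from the request is not literal.
"""
from dataclasses import dataclass

MAX_LIMIT = 100  # assumed application bound; not from the thread


@dataclass(frozen=True)
class Str:
    value: str
    literal: bool

    def __add__(self, other: "Str | int") -> "Str":
        # Mirrors PHP '.' with the integer allowance: the flag survives an
        # int operand, and is the AND of both flags for two strings.
        if isinstance(other, int):
            return Str(self.value + str(other), self.literal)
        if isinstance(other, Str):
            return Str(self.value + other.value, self.literal and other.literal)
        raise TypeError(f"cannot concatenate {type(other).__name__}")


def lit(s: str) -> Str:
    """A string written in the source file (would carry the flag)."""
    return Str(s, True)


def from_request(s: str) -> Str:
    """A value received from the client, e.g. $_GET['limit']."""
    return Str(s, False)


def is_literal(s: Str) -> bool:
    return s.literal


def php_int(raw: str) -> int:
    """Approximation of PHP's (int) cast for the digit strings used here:
    non-numeric input becomes 0 rather than raising."""
    try:
        return int(raw.strip())
    except ValueError:
        return 0


def build_limit_query(raw_limit: str, bounded: bool) -> Str:
    """'SELECT * FROM foo LIMIT ' . (int)$limit, with $limit from the request.

    Without bounding, the result passes is_literal() even though the client
    chose the number, so an enormous LIMIT (the DoS case raised in the thread)
    is not caught by the check. Bounding the integer before use is the
    caller's job; is_literal() only says that nothing unflagged got in.
    """
    limit = php_int(raw_limit)
    if bounded:
        limit = max(1, min(limit, MAX_LIMIT))
    return lit("SELECT * FROM foo LIMIT ") + limit


def build_name_query(raw_name: str) -> Str:
    """Concatenating a request string directly: the flag is lost, so the
    check does what it is designed to do."""
    return lit("SELECT * FROM foo WHERE name = '") + from_request(raw_name) + lit("'")


if __name__ == "__main__":
    big = "999999999"
    unbounded = build_limit_query(big, bounded=False)
    bounded = build_limit_query(big, bounded=True)
    print(is_literal(unbounded), unbounded.value)  # True, huge LIMIT passes
    print(is_literal(bounded), bounded.value)      # True, LIMIT 100
    print(is_literal(build_name_query("x' OR 1=1 -- ")))  # False
```

The point the model makes is the one Guilliam raises: the integer allowance means the flag says nothing about where a number came from, only that no unflagged string was concatenated in. A range or allow-list check on the integer has to sit beside the flag check, not be replaced by it.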
On Fri, 18 Jun 2021 at 11:45 am, Guilliam Xavier
wrote:
> IIUC, with the addition of integers, the function will return true for e.g.
> `'SELECT * FROM foo LIMIT ' . (int)$limit` even if $limit doesn't come from
> a "static" value (e.g. random_int() or even `$_GET['limit']`)
Yes, that’s correc
On 18.06.21 08:00, Craig Francis wrote:
As there’s been no issues raised with supporting integers, and doing so
will help adoption, the implementation will be updated to allow them.
Now to choose the name, with the options is_known() from Joe and
is_trusted() from Moritz:
https://strawpoll.com/
On Fri, Jun 18, 2021 at 12:10 PM Pierre wrote:
> On 18/06/2021 at 08:00, Craig Francis wrote:
> > As there’s been no issues raised with supporting integers, and doing so
> > will help adoption, the implementation will be updated to allow them.
> >
> > Now to choose the name, with the options is
On Fri, 18 Jun 2021 at 9:48 am, Marc Bennewitz wrote:
> Not sure but what happens if you have like a DB connection in big5,
> sjis, ... and add an integer as ASCII char into it? But that's the only
> edge case I can think of.
The integer character code points are the same in all three. PHP re
On 18/06/2021 at 08:00, Craig Francis wrote:
As there’s been no issues raised with supporting integers, and doing so
will help adoption, the implementation will be updated to allow them.
Now to choose the name, with the options is_known() from Joe and
is_trusted() from Moritz:
https://strawpo
On 18/06/2021 at 11:41, Craig Francis wrote:
Hi Pierre,
On Monday we had the discussion about types:
https://externals.io/message/114835#114846
The RFCs Future Scope was updated to note the suggestion from someniatko
and Matthew about how this could be a type in the future (Joe has also
show
On Fri, 18 Jun 2021 at 8:48 am, Pierre wrote:
> On 18/06/2021 at 08:00, Craig Francis wrote:
> > Keep in mind it might also become a dedicated type in the future.
>
> Hello,
>
> If so, why shouldn't the question be about the type name instead? It
> might raise different concerns and new argu
On 18.06.21 08:00, Craig Francis wrote:
On Wed, 16 Jun 2021 at 18:24, Craig Francis
wrote:
On Sat, 12 Jun 2021 at 18:00, Craig Francis
wrote:
I'd like to start the discussion on the is_literal() RFC:
https://wiki.php.net/rfc/is_literal
Following up on the is_literal() RFC, thanks for th
On 18/06/2021 at 08:00, Craig Francis wrote:
Keep in mind it might also become a dedicated type in the future.
Hello,
If so, why shouldn't the question be about the type name instead? It
might raise different concerns and new arguments in this discussion?
What is this type ? What does
On Thu, Jun 17, 2021 at 11:01 PM Craig Francis wrote:
>
> As there’s been no issues raised with supporting integers, and doing so
> will help adoption, the implementation will be updated to allow them.
>
> Now to choose the name, with the options is_known() from Joe and
> is_trusted() from Moritz:
On Wed, 16 Jun 2021 at 18:24, Craig Francis
wrote:
> On Sat, 12 Jun 2021 at 18:00, Craig Francis
> wrote:
>
>> I'd like to start the discussion on the is_literal() RFC:
>> https://wiki.php.net/rfc/is_literal
>>
>
> Following up on the is_literal() RFC, thanks for the feedback. It looks
> like th
On 16-06-2021 23:01, Craig Francis wrote:
>> Which leads us to the name, because "is_literal" may be, uh, too literal.
>>> So can we come up with something better?
>>
>> Throwing in another idea: is_hard_coded().
>>
>
>
> I’d be a little hesitant on the name ‘is_hard_coded’, if we allow integers,
> On 16.06.2021 at 23:01, Craig Francis wrote:
>> Throwing in another idea: is_hard_coded()
> I’d be a little hesitant on the name ‘is_hard_coded’, if we allow integers,
> that means that it’s no longer strictly hard coded, and might get confusing.
Has `is_trusted` been considered yet? That wor
On Wed, 16 Jun 2021 at 10:19 pm, Bruce Weirdan wrote:
> On Thu, Jun 17, 2021 at 12:01 AM Craig Francis
> wrote:
> > is_literal can be used for strings because we can flag what’s
> > user and what’s developer defined, and with Matthew’s request, it could
> do
> > integers (because an integer valu
On Thu, Jun 17, 2021 at 12:01 AM Craig Francis wrote:
> is_literal can be used for strings because we can flag what’s
> user and what’s developer defined, and with Matthew’s request, it could do
> integers (because an integer value alone is not inherently risky, and it’s
> already used a lot).
To
On Wed, 16 Jun 2021 at 9:13 pm, Dik Takken wrote:
> On 16-06-2021 19:24, Craig Francis wrote:
> > Matthew Brown wants to support integer values, simply because so much
> code
> > already includes them, and I cannot find a single way that integers alone
> > can cause issues from an Injection Vulne
On 16-06-2021 19:24, Craig Francis wrote:
> On Sat, 12 Jun 2021 at 18:00, Craig Francis
> wrote:
>
>> I'd like to start the discussion on the is_literal() RFC:
>> https://wiki.php.net/rfc/is_literal
>>
>
>
>
> Hi Internals,
>
> Following up on the is_literal() RFC, thanks for the feedback. It
On Sat, 12 Jun 2021 at 18:00, Craig Francis
wrote:
> I'd like to start the discussion on the is_literal() RFC:
> https://wiki.php.net/rfc/is_literal
>
Hi Internals,
Following up on the is_literal() RFC, thanks for the feedback. It looks
like there are only 2 minor open issues - updating the i
> On Mar 22, 2020, at 7:14 PM, Craig Francis wrote:
>
> On Sun, 22 Mar 2020 at 19:11, Mike Schinkel wrote:
>> [...] hash out potential solutions on the list rather than propose a
>> specific one in advance.
>
> As to your idea of a "safe" MySQL class, fortunately mysqli already stops
> multip