On Fri, 18 Jun 2021 at 1:30 pm, Mike Schinkel <m...@newclarity.net> wrote:

> For the avoidance of doubt can you confirm that this $sql would indeed be
> trusted?
>
> $ids = array_map( 'intval', $_GET['ids'] ?? [] );
>
> $where = implode( ',', $ids );
> $sql = 'SELECT * FROM foo WHERE id IN (' . $where . ')';
>
>
> Also, as it is painful to have to use string concatenation, can we please
> consider supporting only the '%s' and '%d' format specifiers when used with
> trusted strings and integers for sprintf(), respectively:
>
> $sql = sprintf( 'SELECT * FROM foo WHERE id IN (%s)', $where );
>
>
> And
>
> $sql = sprintf( 'SELECT * FROM foo LIMIT %d', (int)$limit );
>
>

On Fri, 18 Jun 2021 at 1:32 pm, Mike Schinkel <m...@newclarity.net> wrote:

> Sorry, that should have been:
>
> $ids = array_map( 'intval', $_GET['ids'] ?? [0] );
>

Yes, I can confirm that that $sql would be trusted.

Yes, sprintf() does support ‘%s’ and ‘%d’; the function has been updated so
it will return a trusted string if all the inputs are trusted (including
other specifiers).

Both your examples work, as we support integers now (so developers do not
need to change their existing code that uses these valid approaches), and if
you want to try it I’ve put your examples on 3v4l.org so you can see it
working here:

https://3v4l.org/FvtpW/rfc#focus=rfc.literals

While using parameterised queries is preferred for integers too, it is a
common pattern, and doesn't introduce any Injection Vulnerabilities.

Craig
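To make the trust-propagation rules Craig describes concrete (literals and integers are trusted; concatenation, implode and sprintf with %s/%d stay trusted only when every input is), here is an added Python model of those semantics with Mike's two examples run through it. It is not the RFC's implementation or code from the thread; `Str`, `literal`, `from_user` and the simplified `intval` are constructed for this illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Str:
    """A string plus a flag that is True only if every part came from a literal or an int."""
    value: str
    trusted: bool

def literal(text: str) -> Str:
    """A string written in source code: trusted by definition."""
    return Str(text, True)

def from_user(text: str) -> Str:
    """Anything that arrived from outside (e.g. $_GET): never trusted."""
    return Str(text, False)

def _lift(part: Str | int) -> Str:
    # Integers cannot carry SQL syntax, so they count as trusted, as in the updated RFC.
    return Str(str(part), True) if isinstance(part, int) else part

def concat(*parts: Str | int) -> Str:
    lifted = [_lift(p) for p in parts]  # PHP's '.' operator: trusted only if all operands are
    return Str("".join(s.value for s in lifted), all(s.trusted for s in lifted))

def implode(sep: Str, parts: list) -> Str:
    lifted = [_lift(p) for p in parts]
    return Str(sep.value.join(s.value for s in lifted),
               sep.trusted and all(s.trusted for s in lifted))

def intval(text: str) -> int:
    """Approximation of PHP intval(): leading integer, otherwise 0 ('2 OR 1=1' -> 2)."""
    m = re.match(r"\s*([+-]?\d+)", text)
    return int(m.group(1)) if m else 0

def sprintf(fmt: Str, *args: Str | int) -> Str:
    """%s and %d only; trusted iff the format and every argument are trusted."""
    it = iter(lifted := [_lift(a) for a in args])
    def sub(m: re.Match) -> str:
        s = next(it)
        return str(intval(s.value)) if m.group(1) == "d" else s.value
    value = re.sub(r"%([sd])", sub, fmt.value)
    return Str(value, fmt.trusted and all(s.trusted for s in lifted))

def ids_query(raw_ids: list) -> Str:
    """Mike's pattern: intval over $_GET['ids'] (default [0]), implode, then sprintf."""
    where = implode(literal(","), [intval(x) for x in (raw_ids or ["0"])])
    return sprintf(literal("SELECT * FROM foo WHERE id IN (%s)"), where)
```

Note that `%d` applied to an untrusted string still yields an untrusted result in this model, which is why Mike's second example casts with `(int)` before the call.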
