How is one supposed to use this? Like

    if (!is_trusted($val)) {
        $val = htmlentities($val, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE | ENT_DISALLOWED, 'UTF-8', true);
    }
    echo "<div>$val</div>";

    (...)

    if (!is_trusted($val)) {
        $val = $mysqli->real_escape_string($val);
    }
    $mysqli->query("INSERT INTO tbl VALUES('$val');");

like that? (My first impression is that this sounds stupid, but I haven't given it enough thought to be sure.)

On Tue, 22 Jun 2021 at 11:48, Lauri Kenttä <lauri.ken...@gmail.com> wrote:

> On 2021-06-21 23:25, Craig Francis wrote:
> >
> > - Integers are now included, which will help adoption:
> >
> > https://wiki.php.net/rfc/is_literal
>
> Thanks for the great improvements!
>
> sprintf seems to have some issues, though.
>
> Currently you're checking the parameter types, not the formats.
> The parameter type matters only when coercing to a string (%s).
> Otherwise sprintf should consider the format, not the parameter.
>
> Example:
> <?php
> function test($s) { var_dump($s, is_trusted($s)); }
> setlocale(LC_ALL, "de_DE.UTF-8");
> test(sprintf("SET c = %c, f = %f, e = %e", 0x27, 1234, 1234));
> test(sprintf("SET d = %d, x = %x, b = %b", 1e2, 1e2, 1e2));
> test(sprintf("SET weird_d = %''*d", 4, 1));
> test(sprintf("SET s = '%s', int to string should be ok", 123));
> ?>
>
> Currently:
> string(43) "SET c = ', f = 1234,000000, e = 1.234000e+3"
> bool(true)
> string(32) "SET d = 100, x = 64, b = 1100100"
> bool(false)
> string(18) "SET weird_d = '''1"
> bool(true)
> string(41) "SET s = '123', int to string should be ok"
> bool(true)
>
> Obviously the results with ints and floats should be the opposite.
>
> If you really want to allow %c, so be it, but I'd disallow it on the
> grounds that (1) it's probably not used in secure strings (usage data,
> anyone?), and thus (2) it could easily be a misspelled %d (for example,
> '%c' instead of '%d' could silently produce an empty result in a query),
> and (3) you're allowing a simple workaround with %s and chr() which
> makes the intent more obvious.
>
> In general, as this is supposed to be a security feature, allowing
> multiple ways for uninformed people to produce "trusted" but actually
> very unsafe values doesn't look like a good idea. I'm not sure if
> allowing trusted single characters to be created through chr or %c
> serves any useful purpose, but I can imagine people using either one
> without realizing that they can create any character, including \0 or '
> or " or non-UTF-8. Better to leave only chr(), one less thing to worry
> about.
>
> Custom padding is a weird edge case, maybe just disallow that too?
>
> As you said yourself, it's not easy to prove anything safe. ;)
>
> --
> Lauri Kenttä
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
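Added here as an illustration, not code from the thread or the RFC: a userland PHP model of the format-aware rule Lauri describes, where the conversion specifier decides the outcome and the argument's own trust matters only for %s. PHP has no runtime trust flag, so `$trusted` is a hypothetical per-argument array supplied by the caller, and `sprintf_keeps_trust` is likewise an invented name.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or the RFC: decide from the format string
// alone whether a sprintf() result should stay "trusted". $trusted is a
// hypothetical per-argument flag (integer/string literals true, floats false),
// standing in for the tracking the RFC would do inside the engine.
function sprintf_keeps_trust(string $format, array $trusted): bool
{
    // %[argnum$][flags][width][.precision]specifier; "'x" in flags is a custom
    // pad character, "*" (PHP 8) takes width or precision from the next argument.
    $re = '/%(?:(\d+)\$)?((?:[-+ 0]|\'.)*)((?:\d+|\*)?)((?:\.(?:\d+|\*))?)([%bcdeEfFgGhHosuxX])/';
    preg_match_all($re, $format, $matches, PREG_SET_ORDER);

    $next = 0; // position of the next argument consumed
    foreach ($matches as [, $argnum, $flags, $width, $precision, $spec]) {
        if ($spec === '%') {
            continue; // "%%" is a literal percent sign, no argument consumed
        }
        if (str_contains($flags, "'")) {
            return false; // custom padding injects an arbitrary character
        }
        $next += substr_count($width . $precision, '*'); // "*" eats arguments first
        $index = $argnum !== '' ? (int) $argnum - 1 : $next++;

        switch ($spec) {
            case 'd': case 'u': case 'o': case 'x': case 'X': case 'b':
                break; // output is sign and digits only, whatever the argument type
            case 's':
                if (!($trusted[$index] ?? false)) {
                    return false; // coercion to string: trust follows the argument
                }
                break;
            default:
                return false; // %c emits any byte; floats are not literals under the RFC
        }
    }
    return true;
}

// The four cases from the quoted message, with the trust the RFC assigns to
// their arguments: 0x27, 1234, 4, 1 and 123 are literals, 1e2 is a float.
var_dump(sprintf_keeps_trust("SET c = %c, f = %f, e = %e", [true, true, true]));
var_dump(sprintf_keeps_trust("SET d = %d, x = %x, b = %b", [false, false, false]));
var_dump(sprintf_keeps_trust("SET weird_d = %''*d", [true, true]));
var_dump(sprintf_keeps_trust("SET s = '%s', int to string should be ok", [true]));
```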