> On 22.06.2021 at 20:38, Stephen Reay <php-li...@koalephant.com> wrote:
> 
> It took me about a minute to think of this:
> 
> "select * from customer_purchases where {$column} = :value". 
> 
> The developer inadvertently passes the same “trusted value” in as the 
> `$column` substitute and the value parameter. It must be safe because we ran 
> it through `is_trusted`!
> 
> The query now executes as:
> 
> "select * from customer_purchases where 12345 = 12345"
> 
> 
> You cannot magically make all dynamically generated queries safe - they tried 
> that about a quarter of a century ago. Hint: it did not end well - and 
> explicitly allowing some user input is just mind boggling given the stated 
> goals.

There is a difference between “safe”, as in “safe to insert anywhere in a 
query”, and “trusted”, as in “trusted to not originate from user input”. 

Untrusted input is well understood and documented as a concept. PHP provides 
enough foot guns to choose from if you like taking function names too 
literally. 

This discussion focuses way too much on possible abuse by application 
developers, while it is actually a low-level feature for library authors which 
I trust very well to use it appropriately, and with opt-in configuration.

Regards
Moritz
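
As an added illustration of the point made in the quoted message and in the reply (this is constructed example code, not from either author or from the RFC), the two query builders below show why a value that is "trusted" (not of user origin) is still not "safe" in an identifier position. The proposed `is_trusted` function is deliberately not called, since it is not assumed to exist in any PHP release; the column allowlist is the assumed mitigation.

```php
<?php
declare(strict_types=1);

// Constructed example: the column name is interpolated, the value is bound.
// When $column carries the same value as $value, the SQL becomes a tautology
// such as "12345 = 12345", which matches every row in the table.
function buildQueryUnchecked(string $column, mixed $value): array
{
    $sql = "select * from customer_purchases where {$column} = :value";
    return [$sql, [':value' => $value]];
}

// Hardened form: an identifier cannot be bound as a parameter, so it is checked
// against an allowlist of real column names (assumed here) before interpolation.
const PURCHASE_COLUMNS = ['customer_id', 'order_id', 'status'];

function buildQueryChecked(string $column, mixed $value): array
{
    if (!in_array($column, PURCHASE_COLUMNS, true)) {
        throw new InvalidArgumentException("unknown column: {$column}");
    }
    // Backtick-quote the identifier (MySQL style); allowlisted names contain no backticks.
    $sql = "select * from customer_purchases where `{$column}` = :value";
    return [$sql, [':value' => $value]];
}

// The scenario from the message: the same value ends up in both positions.
[$sql, $params] = buildQueryUnchecked('12345', '12345');
echo $sql, PHP_EOL; // select * from customer_purchases where 12345 = :value
// Once :value is bound to '12345' the database evaluates 12345 = '12345' for every row.

// The allowlist rejects the misuse before any SQL is produced.
try {
    buildQueryChecked('12345', '12345');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL; // unknown column: 12345
}

// A legitimate column name passes and the value stays a bound parameter.
[$sql, $params] = buildQueryChecked('customer_id', '12345');
echo $sql, PHP_EOL; // select * from customer_purchases where `customer_id` = :value
```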


-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
