On Wed, 23 Jun 2021 at 14:37, Larry Garfield <la...@garfieldtech.com> wrote:
> I'm still very torn on is_literal; I fear that the people who would
> benefit from it are the very people that don't use the tools that would
> leverage it (DBALs et al), and so the net benefit will be small.

This RFC will not help those who aren’t using libraries (DBALs); that’s something we could look at in the future (I have a suggestion in the Future Scope section, but whatever that involves, it will need to use this flag, so it would need to be in place first).

But - and why I’m here - my experience is that it’s still a big issue for those who *do* use libraries.

It frequently comes up at software agencies/companies that maintain their code (built with free libraries/frameworks), and employ junior developers (i.e. the cheapest), who make many "quick edits" (time is money), and in doing so introduce the issues the RFC covers (and not to say we more experienced coders don’t occasionally make mistakes too!).

While non-library users are the main cause, the library users are still a big part of why Injection Vulnerabilities remain at the top of the OWASP Top 10.

Craig
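The "quick edit" failure mode Craig describes, shown as an added example (not code from the RFC or from anyone in this thread): a PDO query that starts out fully parameterised, a later edit that appends a request-controlled ORDER BY column because ORDER BY cannot take a bound parameter, and a hardened version that maps the user value onto a fixed set of programmer-written SQL fragments. The table, rows and the malicious sort expression are constructed for the example; the function names are assumptions, not an existing API.

```php
<?php
// Added example for this thread, not from the RFC. Uses PDO with an in-memory
// SQLite database and constructed sample rows so it runs offline.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Original version: the SQL string is entirely programmer-written, the value
// comes in through a bound parameter.
function findByName(PDO $db, string $name): array
{
    $sql = 'SELECT id, name, role FROM users WHERE name = ?';
    $st  = $db->prepare($sql);
    $st->execute([$name]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// The "quick edit": a sort order is added from the request. ORDER BY cannot be
// bound, so the column name is concatenated in. The library is still in use,
// but the SQL string is no longer a literal and $orderBy flows from the user.
function findByNameSortedUnsafe(PDO $db, string $name, string $orderBy): array
{
    $sql = 'SELECT id, name, role FROM users WHERE name = ? ORDER BY ' . $orderBy;
    $st  = $db->prepare($sql);
    $st->execute([$name]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: the user value only selects among fixed literal fragments,
// so every byte of the final SQL string was written by the programmer.
function findByNameSorted(PDO $db, string $name, string $orderBy): array
{
    $allowed = ['id' => 'id ASC', 'name' => 'name ASC', 'role' => 'role ASC'];
    if (!isset($allowed[$orderBy])) {
        throw new InvalidArgumentException('Unknown sort column: ' . $orderBy);
    }
    $sql = 'SELECT id, name, role FROM users WHERE name = ? ORDER BY ' . $allowed[$orderBy];
    $st  = $db->prepare($sql);
    $st->execute([$name]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: SQLite accepts an arbitrary expression in ORDER BY,
// so a subquery can probe rows the WHERE clause was never meant to expose
// (classic boolean-based blind injection; here it asks whether alice is admin).
$evil = "(SELECT CASE WHEN (SELECT role FROM users WHERE name = 'alice') = 'admin' "
      . "THEN id ELSE name END)";

$rows = findByNameSortedUnsafe($db, 'bob', $evil);
echo 'unsafe: query executed with attacker-supplied ORDER BY, rows=' . count($rows) . "\n";

try {
    findByNameSorted($db, 'bob', $evil);
} catch (InvalidArgumentException $e) {
    echo 'hardened: ' . $e->getMessage() . "\n";
}
```

The point of the pair is that the DBAL did not change between the two versions; the regression is entirely in the one concatenated fragment, which is exactly the kind of string a literal-tracking flag would let the library refuse.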