How likely would it be for PHP to do Literal tracking of variables?

This is something that's being discussed JavaScript TC39 at the moment [1],
and I think it would be even more useful in PHP.

We already know we should use parameterized/prepared SQL, but there is no
way to prove the SQL string hasn't been tainted by external data in large
projects, or even in an ORM.

This could also work for templating systems (blocking HTML injection) and

Internally it would need to introduce a flag on every variable, and a
single function to check if a given variable has only been created by

Unlike the taint extension, there should be no way to override this (e.g.
no taint/untaint functions); and if it was part of the core language, it
will continue to work after every update.

One day certain functions (e.g. mysqli_query) might use this information to
generate a error/warning/notice; but for now, having it available for
checking would be more than enough.


    public function exec($sql, $parameters = []) {
        if (!*is_literal*($sql)) {
            throw new Exception('SQL must be a literal.');
        $statement = $this->pdo->prepare($sql);
        return $statement->fetchAll();


    $sql = 'SELECT * FROM table WHERE id = ?';

    $result = $db->exec($sql, [$id]);

[1] https://github.com/tc39/proposal-array-is-template-object

Reply via email to