Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-24 Thread Aleksander Machniak
On 23.06.2021 16:40, Sara Golemon wrote: > Seriously. What about this looks spammy, I ask you? I don't know the other, but this one has X-Spam-Status: No, score=1.147 tagged_above=-999 required=4.5 tests=[BAYES_00=-1.9, GUARANTEED_100_PERCENT=2.699, MAILING_LIST_MULTI=-1,

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-23 Thread Sara Golemon
Resending this, because the mail daemon sent it back as spam, and we shouldn't be running our own mail server any more than we should have been running our own git server. Seriously. What about this looks spammy, I ask you? On Wed, Jun 23, 2021 at 9:36 AM Sara Golemon wrote: > On Mon, Jun 21,

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-23 Thread Rowan Tommins
On 22 June 2021 10:09:50 BST, Mike Schinkel wrote: >For my inspiration take a look at Trusted Types API in Javascript: > >https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API > There is an extremely important

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-23 Thread Pierre Joye
Hello Craig, Very well written RFC, good job! Others have said it already, but here are my thoughts. Many moons ago, I was on this way as well and the filter extension came out. As it fits for some projects, the actual gains were very far, to say the least, from what I would have expected.

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-22 Thread Moritz Friedrich
> Am 22.06.2021 um 20:38 schrieb Stephen Reay : > > It took me about a minute to think of this: > > "select * from customer_purchases where {$column} = :value". > > The developer inadvertently passes the same "trusted value" in as the > `$column` substitute and the value parameter. It must be

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-22 Thread Stephen Reay
Sent from my iPhone > On 23 Jun 2021, at 03:08, Lauri Kenttä wrote: > > On 2021-06-22 21:38, Stephen Reay wrote: On 22 Jun 2021, at 21:38, Craig Francis wrote: >>> If you can point me to an example where including integers in this has >>> introduced a security vulnerability then please

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-22 Thread Lauri Kenttä
On 2021-06-22 21:38, Stephen Reay wrote: On 22 Jun 2021, at 21:38, Craig Francis wrote: If you can point me to an example where including integers in this has introduced a security vulnerability then please do, and I mean it, that’s what this process is for, I genuinely want people to come

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-22 Thread Stephen Reay
> On 22 Jun 2021, at 21:38, Craig Francis wrote: > > If you can point me to an example where including integers in this has > introduced a security vulnerability then please do, and I mean it, that’s > what this process is for, I genuinely want people to come forward with them > so we can

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-22 Thread Craig Francis
On Tue, 22 Jun 2021 at 3:05 pm, Stephen Reay wrote: > > On 22 Jun 2021, at 20:13, Craig Francis wrote: > > On Tue, 22 Jun 2021 at 09:59, Stephen Reay > wrote: > >> So I just want to make sure I understand the progression on this so far. >> It started out with people wanting a way to check that

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-22 Thread Stephen Reay
> On 22 Jun 2021, at 20:13, Craig Francis wrote: > > On Tue, 22 Jun 2021 at 09:59, Stephen Reay > wrote: > So I just want to make sure I understand the progression on this so far. It > started out with people wanting a way to check that a string was a literal

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-22 Thread Craig Francis
On Tue, 22 Jun 2021 at 09:59, Stephen Reay wrote: > So I just want to make sure I understand the progression on this so far. > It started out with people wanting a way to check that a string was a > literal string, in code somewhere, and does not come from user input. Ok > makes sense. The name

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-22 Thread Craig Francis
On Tue, 22 Jun 2021 at 11:31 am, Hans Henrik Bergan wrote: > How is one supposed to use this? like > > if(!is_trusted($val)){ > $val = htmlentities($str, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE | > ENT_DISALLOWED, 'UTF-8', true); > } > echo "$val"; No, if anything that’s the opposite,

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-22 Thread Hans Henrik Bergan
How is one supposed to use this? like if(!is_trusted($val)){ $val = htmlentities($str, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE | ENT_DISALLOWED, 'UTF-8', true); } echo "$val"; (...) if(!is_trusted($val)){ $val = $mysqli->real_escape_string($val); } $mysqli->query("INSERT INTO tbl

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-22 Thread Lauri Kenttä
On 2021-06-21 23:25, Craig Francis wrote: - Integers are now included, which will help adoption: https://wiki.php.net/rfc/is_literal Thanks for the great improvements! sprintf seems to have some issues, though. Currently you're checking the parameter types, not the formats. The parameter

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-22 Thread Mike Schinkel
> On Jun 21, 2021, at 7:18 PM, Benjamin Morel wrote: > > On Tue, 22 Jun 2021 at 01:06, Derick Rethans wrote: > >> On 21 June 2021 23:37:56 BST, Yasuo Ohgaki wrote: >>> >>> The name "is_trusted" is misleading. >>> Literal is nothing but literal. >> >> I agree with this. The name is_trusted

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-22 Thread Stephen Reay
> On 22 Jun 2021, at 15:58, Stephen Reay wrote: > > > >> On 22 Jun 2021, at 06:28, Craig Francis > > wrote: >> >> On Tue, 22 Jun 2021 at 12:18 am, Benjamin Morel > >

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-22 Thread Stephen Reay
> On 22 Jun 2021, at 06:28, Craig Francis wrote: > > On Tue, 22 Jun 2021 at 12:18 am, Benjamin Morel > > wrote: > >> On Tue, 22 Jun 2021 at 01:06, Derick Rethans wrote: >> >>> On 21 June 2021 23:37:56 BST, Yasuo Ohgaki wrote: The name

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-21 Thread Levi Morrison via internals
On Mon, Jun 21, 2021 at 2:25 PM Craig Francis wrote: > > On Sat, 12 Jun 2021 at 18:00, Craig Francis > wrote: > > > I'd like to start the discussion on the is_literal() RFC: > > https://wiki.php.net/rfc/is_literal > > > > > To recap, > > - We have chosen the name is_trusted(), based 18 votes

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-21 Thread Craig Francis
On Tue, 22 Jun 2021 at 12:18 am, Benjamin Morel wrote: > On Tue, 22 Jun 2021 at 01:06, Derick Rethans wrote: > >> On 21 June 2021 23:37:56 BST, Yasuo Ohgaki wrote: >> > >> >The name "is_trusted" is misleading. >> >Literal is nothing but literal. >> >> I agree with this. The name is_trusted is

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-21 Thread Benjamin Morel
On Tue, 22 Jun 2021 at 01:06, Derick Rethans wrote: > On 21 June 2021 23:37:56 BST, Yasuo Ohgaki wrote: > > > >The name "is_trusted" is misleading. > >Literal is nothing but literal. > > I agree with this. The name is_trusted is going to be the same naming > mistake as "safe mode" was.

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-21 Thread Derick Rethans
On 21 June 2021 23:37:56 BST, Yasuo Ohgaki wrote: > >The name "is_trusted" is misleading. >Literal is nothing but literal. I agree with this. The name is_trusted is going to be the same naming mistake as "safe mode" was. Developers will put their trust in it that it is 100% guaranteed safe.

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-21 Thread Craig Francis
On Mon, 21 Jun 2021 at 11:38 pm, Yasuo Ohgaki wrote: > Hi, > > The name "is_trusted" is misleading. > Literal is nothing but literal. > > > eval('$var= '. $_GET['a'] ); > > if (is_trusted($var)) echo $var; > ?> > > > Literals cannot always be trusted. > That’s explained in the RFC, under

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-21 Thread Yasuo Ohgaki
Hi, The name "is_trusted" is misleading. Literal is nothing but literal. Literals cannot always be trusted. -- Yasuo Ohgaki yohg...@ohgaki.net On Tue, Jun 22, 2021 at 5:25 AM Craig Francis wrote: > On Sat, 12 Jun 2021 at 18:00, Craig Francis > wrote: > > > I'd like to start the

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-21 Thread Craig Francis
On Sat, 12 Jun 2021 at 18:00, Craig Francis wrote: > I'd like to start the discussion on the is_literal() RFC: > https://wiki.php.net/rfc/is_literal > To recap, - We have chosen the name is_trusted(), based 18 votes for, vs 3 against. - Integers are now included, which will help adoption: