Re: [PHP-DEV] [RFC] is_literal()

March 21, 2020 20:09 craig@craigfrancis.co.uk (Craig Francis)
On Sat, 21 Mar 2020 at 19:51, Larry Garfield <larry@garfieldtech.com> wrote:

> Eg, there's plenty of very good reasons to put a template string into the
> database rather than a file literal. Or to build an SQL query dynamically
> in ways that an is_literal check would not allow, at least not without an
> absurdly complex query builder.

Thanks Larry, I think the examples I've provided should cover the issues that typically get raised. The main ones tend to be "WHERE x IN (?,?,?)" and "ORDER BY variable", where the current workarounds get a bit risky (such as string escaping), but please let me know if I've missed any.

Craig

On Sat, 21 Mar 2020 at 19:51, Larry Garfield <larry@garfieldtech.com> wrote:

> On Sat, Mar 21, 2020, at 2:13 PM, Craig Francis wrote:
> > Hi,
> >
> > I've written up my suggestion for a is_literal() function:
> >
> > https://wiki.php.net/rfc/is_literal
> >
> > Any feedback would be appreciated.
> >
> > Craig
>
> While I appreciate the intent, without an untaint() or equivalent I fear
> its usefulness will be limited, or else it will get overused and thus cut
> off numerous entirely valid situations.
>
> Eg, there's plenty of very good reasons to put a template string into the
> database rather than a file literal. Or to build an SQL query dynamically
> in ways that an is_literal check would not allow, at least not without an
> absurdly complex query builder.
>
> Without a way to flag "yes, I know this was built dynamically but I've
> vetted it, it's OK" on a value, I fear such a check will either be unuseful
> or counter-productive.
>
> --Larry Garfield
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
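
The two cases named in the reply above, "WHERE x IN (?,?,?)" and "ORDER BY variable", built so that the SQL text is assembled only from literals in the source file and user data travels only as bound parameters. This is an added example, not code from the thread or the RFC; buildUserQuery(), the users table and its column names are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Build "WHERE id IN (?,?,?)" plus "ORDER BY <column>" without string escaping.
 * Hypothetical helper: the table and column names are assumptions.
 *
 * @param int[]  $ids      values to bind, never concatenated into the SQL
 * @param string $sortKey  untrusted key, e.g. taken from a query string
 * @return array{0: string, 1: int[]}  SQL text and parameters for PDOStatement::execute()
 */
function buildUserQuery(array $ids, string $sortKey, bool $descending): array
{
    if ($ids === []) {
        // "IN ()" is a syntax error in most databases; fail before building SQL.
        throw new InvalidArgumentException('At least one id is required');
    }

    // Allow-list: the untrusted key only selects one of these literals.
    $sortable = [
        'name'    => 'name',
        'created' => 'created_at',
    ];
    $column = $sortable[$sortKey] ?? 'id'; // unknown key falls back to a literal

    // One literal "?" per value; only count($ids) influences the string.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));

    $sql = 'SELECT id, name FROM users WHERE id IN (' . $placeholders . ')'
         . ' ORDER BY ' . $column . ($descending ? ' DESC' : ' ASC');

    return [$sql, array_values($ids)];
}

// Constructed sample input: ordinary ids, and a sort key that is not on the list.
[$sql, $params] = buildUserQuery([3, 7, 12], 'created_at; --', true);
echo $sql, PHP_EOL;
echo json_encode($params), PHP_EOL;

// With a PDO connection (assumed, not created here):
//   $stmt = $pdo->prepare($sql);
//   $stmt->execute($params);
```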