On Fri, Jun 18, 2021 at 4:53 PM Craig Francis <[email protected]> wrote:
> While philosophically more pure, there is actually no extra security
> benefit for excluding integers.
One would be potential denial of service prevention (e.g. with an enormous `LIMIT`
value where only a limited set of ints was intended, like
"Items per page: 10, 20, 50, 100"). Another would be preventing abuse if you
used some integers like role IDs for access control. Using a slightly
modified version of Matt's example:
```php
function f(array $allowed_ids) {
    //....
    // $allowed_ids is interpolated verbatim, so any caller-supplied value
    // becomes part of the SQL text
    $query .= 'WHERE `foo` IN (' . implode(', ', $allowed_ids) . ')';
    //....
}
```
Here you really *don't* want $allowed_ids to include user input.
Overall I think allowing ints in literal concatenation without tainting the
result as non-literal is a mistake. It would either prevent implementing a
proper literal int type in the future, or would make it inconsistent (where a
non-literal int would be considered literal by `is_literal()` for BC reasons).
Personally I would prefer limited applicability today that would not prevent a
future consistent implementation.
BTW, Psalm already distinguishes `literal-int` from `int` and considers the
result of literal-string + int concatenation a non-literal string:
https://psalm.dev/r/59ad602688
This may mean that Matthew's point has been misinterpreted.
--
Best regards,
Bruce Weirdan mailto:[email protected]
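Added example, not code from the thread or from the RFC: the two cases raised above (a user-chosen `LIMIT`, and ids concatenated into an `IN` list), each beside a version that keeps the SQL text under the developer's control. It assumes `pdo_sqlite` is available; the table and rows are constructed inline.

```php
<?php
// Added example (not from the thread): LIMIT and IN-list cases from the mail,
// each beside a hardened version. Assumes pdo_sqlite; data is constructed
// below so the script runs stand-alone.

const PAGE_SIZES = [10, 20, 50, 100];   // what the UI actually offers

// Weak: LIMIT is whatever integer arrived in the request; it is an int, but
// the query text is no longer one the developer wrote.
function listQueryWeak(int $perPage): string {
    return 'SELECT id FROM items ORDER BY id LIMIT ' . $perPage;
}

// Hardened: the request value only selects one of a fixed set, so the query
// can be one of exactly four known strings.
function listQuerySafe(int $perPage): string {
    if (!in_array($perPage, PAGE_SIZES, true)) {
        throw new InvalidArgumentException("unsupported page size: $perPage");
    }
    return 'SELECT id FROM items ORDER BY id LIMIT ' . $perPage;
}

// IN (...) with ids: bind them instead of concatenating. The placeholder list
// is built only from the literal '?', so the SQL string never contains a
// value that came from outside the source code.
function fetchByIds(PDO $pdo, array $ids): array {
    if ($ids === []) {
        return [];                      // "IN ()" would be a syntax error
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare('SELECT id, role FROM items WHERE id IN (' . $placeholders . ')');
    $stmt->execute(array_map('intval', $ids));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, role TEXT)');
foreach ([[1, 'admin'], [2, 'editor'], [3, 'viewer']] as [$id, $role]) {
    $pdo->prepare('INSERT INTO items VALUES (?, ?)')->execute([$id, $role]);
}
var_dump($pdo->query(listQueryWeak(1000000000))->fetchAll(PDO::FETCH_COLUMN));
try {
    listQuerySafe(1000000000);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(fetchByIds($pdo, [1, '2', 'x']));   // 'x' becomes 0 and matches nothing
```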
--
PHP Internals - PHP Runtime Development Mailing List