Re: [RFC] is_literal()
On Sat, Mar 21, 2020, at 2:13 PM, Craig Francis wrote:
> Hi,
>
> I've written up my suggestion for a is_literal() function:
>
> https://wiki.php.net/rfc/is_literal
>
> Any feedback would be appreciated.
>
> Craig
While I appreciate the intent, without an untaint() or equivalent I fear its usefulness will be
limited, or else it will get overused and thus cut off numerous entirely valid situations.
E.g., there's plenty of very good reasons to put a template string into the database rather than
a file literal. Or to build an SQL query dynamically in ways that an is_literal check would not
allow, at least not without an absurdly complex query builder.
Without a way to flag "yes, I know this was built dynamically but I've vetted it,
it's OK" on a value, I fear such a check will either be unuseful or counter-productive.
--Larry Garfield
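To make the trade-off in this reply concrete, here is an added Python model of the proposed flag (not code from the RFC, from PHP, or from either poster): `Str`, `lit()`, `runtime()`, `execute()` and `untaint()` are constructed stand-ins for a provenance bit that survives concatenation of literals only, a DB layer that insists on it, and the "I vetted this" escape hatch Larry asks for.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Str:
    """A string carrying a provenance bit, modelling the is_literal() flag."""
    value: str
    literal: bool

    def __add__(self, other: "Str") -> "Str":
        # Concatenation stays literal only when every piece was literal.
        return Str(self.value + other.value, self.literal and other.literal)


def lit(s: str) -> Str:
    """Stand-in for a string literal written in source code."""
    return Str(s, True)


def runtime(s: str) -> Str:
    """Stand-in for data that arrived at runtime: request input, a DB row, a file."""
    return Str(s, False)


def is_literal(s: Str) -> bool:
    return s.literal


def untaint(s: Str) -> Str:
    """The escape hatch under discussion: assert that a dynamic string was vetted."""
    return Str(s.value, True)


def execute(sql: Str, params: tuple = ()) -> str:
    """Constructed DB layer that refuses query text without the literal bit."""
    if not is_literal(sql):
        raise ValueError("query text is not literal")
    return f"{sql.value} | params={params}"


# Dynamic choice between literal fragments: still passes the check.
ALLOWED_SORT = {"name": lit("ORDER BY name"), "created": lit("ORDER BY created_at")}


def list_users(sort_key: str, min_age: int) -> str:
    sql = lit("SELECT id, name FROM users WHERE age > ? ") + ALLOWED_SORT[sort_key]
    return execute(sql, (min_age,))


# Constructed: a query template that was stored in the database, not in a file.
REPORT_TEMPLATE_ROW = runtime("SELECT id, total FROM orders WHERE status = ?")


def run_stored_report(status: str, vetted: bool) -> str:
    # Without untaint() the stored template is rejected even though it was reviewed.
    sql = untaint(REPORT_TEMPLATE_ROW) if vetted else REPORT_TEMPLATE_ROW
    return execute(sql, (status,))
```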