PHP Internals News: Episode 91: is_literal
In this episode of "PHP Internals News" I chat with Craig Francis (Twitter, GitHub, Website), and Joe Watkins (Twitter, GitHub, Website) about the "is_literal" RFC.
The RSS feed for this podcast is https://derickrethans.nl/feed-phpinternalsnews.xml, you can download this episode's MP3 file, and it's available on Spotify and iTunes. There is a dedicated website: https://phpinternals.news
Transcript
- Derick Rethans 0:14
Hi, I'm Derick. Welcome to PHP Internals News, a podcast dedicated to explaining the latest developments in the PHP language. This is Episode 91. Today I'm talking with Craig Francis and Joe Watkins about the is_literal RFC that they have been proposing. Craig, would you please introduce yourself?
- Craig Francis 0:34
Hi, I'm Craig Francis. I've been a PHP developer for about 20 years, doing code auditing, pentesting, and training. I'm also the co-lead for the Bristol chapter of OWASP, which is the Open Web Application Security Project.
- Derick Rethans 0:48
Very well. And Joe, will you introduce yourself as well, please?
- Joe Watkins 0:51
Hi, everyone. I'm Joe, the same Joe from last time.
- Derick Rethans 0:56
Well, it's good to have you back, Joe, and welcome to the podcast, Craig. Let's dive straight in. What is the problem that this proposal is trying to resolve?
- Craig Francis 1:05
So we try to address the problem where injection vulnerabilities are being introduced by developers when they use libraries incorrectly. We will have people using the libraries, but they still introduce injection vulnerabilities because they use them incorrectly.
- Derick Rethans 1:17
What is this RFC proposing?
- Craig Francis 1:19
We're providing a function for libraries to easily check that certain strings have been written by the developer. It's an idea developed by Christoph Kern in 2016. There is a link in the video, and Google is using this to prevent injection vulnerabilities in their Java and Go libraries. It works because libraries know how to handle this data safely, typically using parameterised queries, or escaping where appropriate, but they still require certain values to be written by the developer. So for example, when querying a database, the developer might need to write a complex WHERE clause, or maybe they're using functions like datediff, round, or ifnull. Obviously this function could be used by developers themselves if they want to, but the primary purpose is for the library to check these values.
- Derick Rethans 2:05
That is a method of doing it. What is this RFC adding to PHP itself?
- Craig Francis 2:09
It simply provides a function which returns true or false depending on whether the variable is a literal, and that's basically a string that was written by the developer. It's a bit like is_int or is_string; it's just a different way of asking: has this variable been written by the developer?
- Derick Rethans 2:28
Is that basically it?
- Craig Francis 2:30
That's it, yeah.
- Joe Watkins 2:32
It would also return true for variables that are the res
Truncated by Planet PHP, read more at the original (another 20645 bytes)