Closed craigfrancis closed 3 years ago
Yep, sorry, being lazy and didn't re-run phpcs locally.
Thanks @dereuromark ... I'll try to keep an eye out for any issues that are reported, and if everything's ok in a few months time, I'll make a new PR that covers a few more methods.
Both Psalm 4.8 and PHPStan 0.12.97 have introduced the `literal-string` type. This checks that a string has been created by the developer (defined in the source code), so mistakes that lead to Injection Vulnerabilities can be identified, e.g.

By setting the `$clause` parameter to `literal-string|array`, while the `array` version won't be checked, at least the string can be (ensuring it does not contain unsafe user data). And `literal-string` is quite forgiving, in that it works with variables, and allows string concatenation (assuming both are `literal-string` values), so things like conditional where clauses are fine, e.g.

That said, I still want to be cautious (I don't want to create issues for the users of Propel), which is why I'd like to start with `->where()`, see what feedback we get (I'm happy to help with that), and if we get a positive response, we can update other methods. The last one will probably be `$statement` in `$con->prepare()`, as I appreciate that its input is a bit more complicated.

@dereuromark, we briefly talked about this concept in April, in regards to the is_literal RFC. While it didn't pass (I'll try again next year, once I've addressed the concerns people had), Psalm/PHPStan have now added support, so we can introduce this check for developers that use Psalm (level 3 or stricter) or PHPStan (level 7 or stricter)... where it will help them identify mistakes often created by junior developers making a "quick edit".