<?php
//--------------------------------------------------
// Temporary shim while the function is renamed (is_literal -> is_trusted)
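if (!function_exists('is_trusted')) {
    /**
     * Compatibility shim for builds that still only ship is_literal():
     * exposes the new name is_trusted() with the same result.
     *
     * The return type is declared so callers treating this as a trust
     * predicate always get a strict boolean, never a truthy/falsy stand-in.
     *
     * @param mixed $value value to inspect; it is handed to is_literal()
     *                     unchanged, so the same argument rules apply
     * @return bool whatever is_literal() reports for $value (per the
     *              is_literal proposal: true only for strings assembled
     *              solely from programmer-written literals)
     */
    function is_trusted($value): bool {
        return is_literal($value);
    }
}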
//--------------------------------------------------
// Derived from a literal, but trim() hands back a new string; the author
// treats that result as not trusted (trim() is not among the operations
// the is_literal proposal lists as preserving the flag).
$limit = trim(' 100 '); // Not trusted
// Simulate request input. NOTE(review): a real request delivers strings
// only; the two bare ints here exist just to show mixed element handling.
$_GET['ids'] = [trim(' 1 '), 2, 3];
// Show the first element and whether it carries the trusted/literal flag.
var_dump($_GET['ids'][0], is_trusted($_GET['ids'][0]));
// Raw request values, defaulting to an empty list when the key is absent.
$ids_untrusted = ( $_GET['ids'] ?? [] );
// intval() on every element yields integers, which cannot smuggle SQL text.
$ids_trusted = array_map( 'intval', $ids_untrusted );
//--------------------------------------------------
// Whoops: unvalidated request strings are concatenated straight into the
// query, so the resulting $sql must not be reported as trusted.
$sql = 'SELECT * FROM foo WHERE id IN (' . implode( ',', $ids_untrusted ) . ')'; // Whoops
var_dump($sql, is_trusted($sql));
//--------------------------------------------------
// Same query, but built from the intval()'d list (integers, not user strings).
$sql = 'SELECT * FROM foo WHERE id IN (' . implode( ',', $ids_trusted ) . ')';
var_dump($sql, is_trusted($sql));
//--------------------------------------------------
// sprintf() variant of the previous statement, again with the integer list.
$sql = sprintf( 'SELECT * FROM foo WHERE id IN (%s)', implode( ',', $ids_trusted ) );
var_dump($sql, is_trusted($sql));
//--------------------------------------------------
// The untrusted $limit is cast to int before formatting, so only a number
// ever reaches the query text.
$sql = sprintf( 'SELECT * FROM foo LIMIT %d', (int)$limit );
var_dump($sql, is_trusted($sql));
?>