On Sun, 5 Apr 2026 at 08:54, Rob Landers <[email protected]> wrote: > On Sat, Apr 4, 2026, at 16:06, Barel wrote: > > Hi, > > I would like to open the discussion on my proposal to add two small, > focused array functions for retrieving and checking nested array elements > using dot notation. > > This is the link to the RFC: > https://wiki.php.net/rfc/array_get_and_array_has > > This is the link to the proposed implementation: > https://github.com/php/php-src/pull/21637 > > Thanks!! > > Carlos > > > Hi Barel, > > Interesting! As dot-notation isn't used anywhere else, and I don't see it > discussed as part of the RFC, how are developers to prevent injections of > dots in user input? With SQL, we have parameters and escaping ... but I > don't see any of that here. > > As an example: > > $user = [ 'data' => [...], 'password' => 'secret' ]; > > > If the path is completely user-controlled (as in the examples given), then > they can access sensitive information in the array. Even if it is prefixed, > ie., "data.%s" -- an attacker can simply enumerate all possible keys and > subkeys. > > As it stands, it appears to add a new vulnerability to PHP that will be > unfamiliar with PHP developers -- unless they're using a framework that > already does this sort of notation. > > — Rob >
Thanks Rob. Probably user input is not the best use case for these functions, I just used it in the examples because it is simple. In any case, if your program allows unrestricted array access using a user defined path, the vulnerability already exists, these functions just make it easier to implement the access. If you did not have them and wanted the same functionality you would use a custom implementation (like the one provided by Laravel) and you would have the same vulnerability Cheers Carlos
