Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:104522
Return-Path: <nikita.ppv@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 57306 invoked from network); 26 Feb 2019 16:40:19 -0000
Received: from unknown (HELO mail-it1-f194.google.com) (209.85.166.194)
  by pb1.pair.com with SMTP; 26 Feb 2019 16:40:19 -0000
Received: by mail-it1-f194.google.com with SMTP id l139so1867791ita.5
        for <internals@lists.php.net>; Tue, 26 Feb 2019 05:26:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=XR0byVCbt1GhRD8jssBvrICXBZUA4BDuOZ/Syj9CKog=;
        b=DzeEEoprsaEvrQC3i22jjtLjGFMYOOPDCJpLPUK/iN53b57Tousnih4gfc54rcITD+
         OKyPg3K+mGj5k8tN1E+S2v322fm0Lys6cOJbReNuq5Tl2OIL3SFrywk/haWwTG6/lD6w
         tyYb6fRhRpGLC/todmiiXsLG/jtrGsH2zU75r2sYiMChPWfqwU2xtUzjSZezGkgW1KFR
         NSCSYZTyxv8C0u9VYci1WkbkC0MKKslcbK0FaaH5QFWsxR5jE5jDcswL2Dyh0c8RFCwb
         C+w3wt06CrwQ5Zp1qipmwCZph9vqBj5qJul1kl8sWJtQ+uVrB+77nNshjRdz5Me0LlyP
         TDWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=XR0byVCbt1GhRD8jssBvrICXBZUA4BDuOZ/Syj9CKog=;
        b=E0e71zq5A8mMojmMWezcIjOz/1yVs/fs37txX1y5UyK9Sxy+8x83sX6qlUuw0I5CxF
         SiEclOClkP6TnDDXaTzIoKe2kMc+5od24Juk+54uvsL07CRvvjN2D1rSPYhAAFNEaciK
         Wfl9HOtyUNUeJQS7iXn/BzBK4AP1Qul0ys54QomAfo98v3k19jesPawjJmqp6kWTpo5Z
         PYMJM+uNn64W2HTQ7ri3FwDWkiYuS1dcOSC80ffLeSdQWLQpXevx3u86CRESo4IlxaDI
         9zaJ7Tph8hUsrWV80MOMXT4fcb0p7yi/+q8Ajon67rMmYBvFp202ayvCJiM0dnjFTZC0
         5opg==
X-Gm-Message-State: AHQUAubGhRb1CadCLhr4yz5be5PeNTr10YWPY+ygqTtj/ugSNDio/2oI
	d68obsKUoPUmiLWcnbF+EAtoXeXQTgXbhO9Mw24=
X-Google-Smtp-Source: AHgI3IY0ZwSXeYNShSPywXPIdS0P3P4cQ2rAUbJRue46ID4kaIfKC4QlY7gOJxaD8RG27lddtnclq1iRmpyuSSNnz4w=
X-Received: by 2002:a02:9d07:: with SMTP id n7mr12247817jak.36.1551187602170;
 Tue, 26 Feb 2019 05:26:42 -0800 (PST)
MIME-Version: 1.0
References: <CAF+90c821boRO6YsO0SH0JbDb8E8eTHfEK=e4Y5_z9P7+OOnUg@mail.gmail.com>
 <CALKiJKoSbrq=GYDY1Rsch2pbDft7piw1xkKXs97xYaA8DrytQw@mail.gmail.com>
In-Reply-To: <CALKiJKoSbrq=GYDY1Rsch2pbDft7piw1xkKXs97xYaA8DrytQw@mail.gmail.com>
Date: Tue, 26 Feb 2019 14:26:24 +0100
Message-ID: <CAF+90c8A320QQo-LmsjATDM-uqcyNY5CzXtZRnY7crdwOzRUkQ@mail.gmail.com>
To: Rowan Collins <rowan.collins@gmail.com>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="00000000000001e7360582cc023b"
Subject: Re: [PHP-DEV] [RFC] Saner string to number comparisons
From: nikita.ppv@gmail.com (Nikita Popov)

--00000000000001e7360582cc023b
Content-Type: text/plain; charset="UTF-8"

On Tue, Feb 26, 2019 at 2:06 PM Rowan Collins <rowan.collins@gmail.com>
wrote:

> On Tue, 26 Feb 2019 at 12:27, Nikita Popov <nikita.ppv@gmail.com> wrote:
>
> > I'd like to bring forward an RFC for PHP 8 to change the semantics of ==
> > and other non-strict comparisons, when used between a number and a
> string:
> >
> > https://wiki.php.net/rfc/string_to_number_comparison
> >
>
>
> Hi Nikita,
>
> Thanks for tackling this; I think if we can improve this, we'll be
> answering a lot of language critics (I'm sure they'll find something else
> to complain about, but that's life!).
>
> However, I'm concerned that it doesn't go far enough, when you say that the
> following will still return true:
>
> 0 == "0e214987142012"
> "0" == "0e214987142012"
>
> I think the cases where this is useful are vastly outweighed by the cases
> where it's completely unexpected, and potentially dangerous (e.g. in a hash
> comparison). If this is not fixed, the "dogma to always avoid non-strict
> comparisons" you refer to will remain.
>
> If I understand it right, this arises from the fact that "0e214987142012"
> is considered a "well-formed numeric string", which is cast to int(0) or
> float(0). Is it feasible to also narrow this definition as part of the same
> change?
>

Yes, that's right. However, it's probably worth mentioning that string to
string comparisons are subject to additional constraints beyond the
well-formedness requirement. Since PHP 5.4.4 there are additional overflow
protections in place, which prevent numeric comparison from applying when
both sides are integers that overflow to double and become equal as a
result of that. This means that "100000000000000000000" ==
"100000000000000000001" returns false rather than true since PHP 5.4.4.

I'm mentioning this, because it is a precedent for tweaking the string to
string numeric comparison rules to prevent unexpected and possibly security
critical equalities. I think we could add similar special handling for the
"0eNNNN" == "0eMMMM" case, as this is another "catastrophic" case when it
comes to comparisons of hashes that happen to start with 0e, for example.

It might be better to discuss such a change separately from this proposal
though (it's much more minor, and something that can also conceivable go
into a minor version, given that the previous change was applied in a patch
release).

Regards,
Nikita

--00000000000001e7360582cc023b--