Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:104539
Return-Path: <johannes@schlueters.de>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 92933 invoked from network); 1 Mar 2019 19:37:17 -0000
Received: from unknown (HELO mail.experimentalworks.net) (84.19.169.162)
  by pb1.pair.com with SMTP; 1 Mar 2019 19:37:17 -0000
Received: from kuechenschabe.fritz.box (ppp-188-174-114-78.dynamic.mnet-online.de [188.174.114.78])
	by mail.experimentalworks.net (Postfix) with ESMTPSA id B8DEF46491;
	Fri,  1 Mar 2019 17:24:26 +0100 (CET)
Message-ID: <1551457459.2096.19.camel@schlueters.de>
To: Nikita Popov <nikita.ppv@gmail.com>, PHP internals
 <internals@lists.php.net>
Date: Fri, 01 Mar 2019 17:24:19 +0100
In-Reply-To: <CAF+90c9XDkT2k4jGy+z++5Z67ga=Z-DjR3wjMdLp7zPaFcX5AQ@mail.gmail.com>
References: 
	<CAF+90c9XDkT2k4jGy+z++5Z67ga=Z-DjR3wjMdLp7zPaFcX5AQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.18.5.2-0ubuntu3.2 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: Re: [PHP-DEV] Allow throwing from __toString()
From: johannes@schlueters.de (Johannes =?ISO-8859-1?Q?Schl=FCter?=)

On Fr, 2019-03-01 at 12:25 +0100, Nikita Popov wrote:

> For extension authors, the guideline is:

Will zend_parse_paramters and related detect if an exception is thrown
and fail?

I believe things like database (or other network) extensions have to be
really carefully checked, not that we store corrupted data (empty
string) in the database (or otherwise send via network) while returning
an error to the user.


Simple 5 minute example based on your branch:

<?php

class throws {
  function __toString() {
    throw new Exception("Sorry");
  }
}

$db = new sqlite3(':memory:');
$db->exec('CREATE TABLE t(id int, v varchar(255))');

$stmt = $db->prepare('INSERT INTO t VALUES(:i, :v)');
$stmt->bindValue('i', 1234);
$stmt->bindValue('v', new throws);

try {
  $stmt->execute();
} catch (Exception $e) {
  echo "Exception thrown ...\n";
}

$stmt->execute();

$query = $db->query("SELECT * FROM t");
while ($row = $query->fetchArray(SQLITE3_ASSOC)) {
	print_r($row);
}
?>

This prints

    Exception thrown ...
    Array
    (
        [id] => 1234
        [v] => 
    )

So during the first execution it notices that the conversion went wrong
and aborts the operation, but it keeps th emtpy string as bound value.
On second execute it re-uses the values and doesn't notice the error.

I fear we have many such cases which are subtle ad hard to find without
deep review of any string conversion. And in future we will introduce
bugs due to this in places where new conversions are added ...

johannes