Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:108551 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 94169 invoked from network); 13 Feb 2020 22:17:21 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 13 Feb 2020 22:17:21 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 800721804AB for ; Thu, 13 Feb 2020 12:31:50 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_NONE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-yw1-f52.google.com (mail-yw1-f52.google.com [209.85.161.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 13 Feb 2020 12:31:49 -0800 (PST) Received: by mail-yw1-f52.google.com with SMTP id 192so3257042ywy.0 for ; Thu, 13 Feb 2020 12:31:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=newclarity-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=EDcOtvcd4SoEBYvrstrHBMVwsoyov3Im+edKLJ289OE=; b=nuIRsPkQKmUDed+32MsVnJMN2+has9/lvR9RI75IcPexp4ekxRxQ4cbjDR6kxrSTxo qJCOIGjnUmUwTF3RC2RKdxynUgOgPBHAbxUYr/4u+D7A1iCs3sSNKZ4vaB0K45CUO+9F suOso2rfBgbF07KKPMysbq/2ifOVWQzBV7Y74KMBxhmKjlKNwLdWHRLljs8QhsMlEAtX Rv8+esMMYtVg/oWSkYVtek4YSNdVaK7xqbyW4H36QV/M1b4KKQ3xjobjXPdKJyzIIdPq 28TJcxYk1+YxGKrTnsvuUd3LasPJPPgWRPn8QxvtYS5XxvCGQO6L1or2/Zl3dTJjIi9R WwSA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=EDcOtvcd4SoEBYvrstrHBMVwsoyov3Im+edKLJ289OE=; b=tBPFRlqlxo4LBNG/XTwTv+eahEJGCFSI9jHqwad8X7Y7Mgylyqb0Iqgpzp9oDY5VkY T8Wm+ciGVvqmCN4c8pD3hqGkHDy81njLlo8WChwowtfoYd6Zo2qt4y9MIbZMxlHmYh5b YqM96KN+vgUQ36xmDzOKYzaKqlTXYjzK66jOLHjVhfuHbitkdn4Y3fMKfP5xLcdV8QI/ DE48k6iqb3aaLwVSHG2oBPUpHX+V3n0IDxcdrUBOyZeaiGeT0bnOB6D8gGV7WGswO3Tp Ezdnn29dv3suEnPVB2/zgmVK8kjBHq243ONXiNORf3pJ4wZtiAPxGboagxEQZCBL5Hip jl4A== X-Gm-Message-State: APjAAAUcZg2EpBDQDspgwjULXjMTd/mhr+EMfv2niZwYjPt5CxQC7F3v 4ukWXnk6eP8Z7+dZl/SM8gJZdg== X-Google-Smtp-Source: APXvYqzpuseXOH30qMUqevJUEqpnFUyJGisVCI8IzxYiIqq4PdndmWCQQVDb+uAs81JL/8K+/DW0RA== X-Received: by 2002:a0d:d2c5:: with SMTP id u188mr15888023ywd.296.1581625906162; Thu, 13 Feb 2020 12:31:46 -0800 (PST) Received: from ?IPv6:2601:c0:c680:5cc0:c40d:6267:8a93:b5b9? ([2601:c0:c680:5cc0:c40d:6267:8a93:b5b9]) by smtp.gmail.com with ESMTPSA id e131sm1518412ywb.81.2020.02.13.12.31.44 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 13 Feb 2020 12:31:44 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\)) In-Reply-To: Date: Thu, 13 Feb 2020 15:31:44 -0500 Cc: internals@lists.php.net Content-Transfer-Encoding: quoted-printable Message-ID: References: <50BD013E-CF72-414C-BBC0-A7A2E45CBDDB@pmjones.io> <5DEE5A6E-2587-432D-9651-320DF42A7732@newclarity.net> To: "Paul M. Jones" X-Mailer: Apple Mail (2.3445.104.11) Subject: Re: [PHP-DEV] RFC: Server-Side Request and Response Objects (v2) From: mike@newclarity.net (Mike Schinkel) > On Feb 13, 2020, at 1:34 PM, Paul M. Jones wrote: >=20 > Hi Mike, >=20 > Thanks for your continued evaluation of the RFC. >=20 >> Take a look at WordPress. It does a lot of "fixup" to $_SERVER` = variables =E2=80=94 to deal with badly implemented web servers =E2=80=94 = to ensure all known variables have a value and that the format of the = value is consistent. =20 >>=20 >> ... >>=20 >> Another option actually would be to allow changes to $_SERVER prior = to instantiating ServerRequest() the first time. >=20 > Believe it or not, this RFC does make allowance for what you're = describing, as a result of requiring a $globals array as the first = parameter. An application-specific builder or factory can modify those = $globals values as desired, before instantiating ServerRequest with the = modified values. >=20 > For example: >=20 > namespace App; >=20 > use ServerRequest; >=20 > class ServerRequestFactory > { > public function new(array $globals, ?string $content =3D null) = : ServerRequest > { > // do fixup to $globals['_SERVER'] ... >=20 > // ... then: > return new ServerRequest($globals, $content); > } > } >=20 > $request =3D (new \App\ServerRequestFactory())->new($GLOBALS); >=20 > I can easily imagine many ways to achieve the same end (i.e., = modification of the constructor arguments before instantiating = ServerRequest). >=20 > Do you get where I'm coming from? Ah, I see now. That does allow for changing. OTOH, what it does not do is ensure that everyone looking at the values = are looking at the fixed-up values, nor does it offer any way to cache = the original value except to do so at the top of every PHP file that is = a URL endpoint. =20 I was hoping that your proposal was having a way to capture the original = values before any PHP code could change them AND also then allow for = fixed-up values to be provided for _every_ instantiation of = ServerRequest(). This in case a library were to use it, I would not want = the library to be getting the non-fixed up values. =20 So in that respect, this is worse than what we have now. >> Why a method is important is to support filters (I guess I assumed = that was obvious but realize now it was not.) For example: >>=20 >> $request->get('redirect', FILTER_SANITIZE_URL); >> $request->get('product_id', FILTER_SANITIZE_NUMBER_INT); >> $request->get('email', FILTER_SANITIZE_EMAIL); >>=20 >> You could potentially even have scoped, easier to remember constants = that can work with autocomplete: >>=20 >> $request->get('redirect', ServerRequest::URL); >> $request->get('product_id', ServerRequest::INT); >> $request->get('email', ServerRequest::EMAIL); >=20 > [snip] >=20 > I do see what you mean. Even so, I think filtering is out-of-scope for = this RFC. I would implore you to reconsider. Without incorporating the = functionality of filter_input() you have effectively neutered much of = the value I envision your RFC having. In the USA we might say "Besides = that Mrs. Lincoln, how was the play?" If I had a vote I would vote I would enthusiastically vote for the RFC = if it includes filter_input() functionality. But I would vote against = this RFC if it omits filter_input() functionality because it would mean = another subsystem in core that does not actually address day-to-day = concerns. > Certainly I want to avoid adding methods to the ServerRequest class, = which as envisioned is a bag of values much the same way $_GET, $_POST, = $_SERVER, etc. are bags of values. Unless I misunderstand avoiding methods in ServerRequest is an arbitrary = constraint which has no real-world requirement. And if your motivation = is to only mirror what exists then filter_input() is a function so an = equivalent in ServerRequest should be a method and thus this in not = inconsistent with your mirroring aspect. -Mike=