Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:108628 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 69779 invoked from network); 17 Feb 2020 02:30:17 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 17 Feb 2020 02:30:17 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id B0F7B1804D9 for ; Sun, 16 Feb 2020 16:45:33 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_NONE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-yw1-f52.google.com (mail-yw1-f52.google.com [209.85.161.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sun, 16 Feb 2020 16:45:33 -0800 (PST) Received: by mail-yw1-f52.google.com with SMTP id f204so7146869ywc.10 for ; Sun, 16 Feb 2020 16:45:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=newclarity-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=7V6yyTYQ8B0LCxmMgkXiF+DqNTx1B7qILi2X9meFsJY=; b=kYBze8dn8E2UELu5oIHlTZ4foquYIRkOLpSRkUUh6S9BefKOdSoC5hJK2GgQDTw7X9 Fx2YKIrB5UR3nP9PttF/+UsU/7DaCdvsqervBlkceoBd/+3ASNmhHBZvXH/SkttBMXn3 YP8X5i9KbhhQpFyixhM3JLnesx3aPDv5Eqt9YIxHPrFwhko5ZKJSFg78BtOwNV6Yg2io E9kiSnENzr8suzMBVKhs4p4x5KNlNSDvfSVgzgyxbZ+VP6rSZEmvEJHwymzMvC0PV4js k1PNjSbKm61n6qXOm6Eq2dVvr6V1CVhpGfseM23hl/KGCNnFIwlChVKu6GjtU7blqhuc iZZA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=7V6yyTYQ8B0LCxmMgkXiF+DqNTx1B7qILi2X9meFsJY=; b=iZfQgzrTtTOG9xp5WnzC39JQZNGewMZu2a8fHVNNd0tTm/V2AORm2KadXL6jarOGPb K2z4L5fQgL/Md7f1VUeG/zidql4+Hc8LNbkcgwE0h8ff2fPWBBHFCxuLVpxiB+vBtero ZXGW1z5t298YOVyRw6M+WYuIfhmpzYk3jYYWvc4pJYc8mD3GBRiDRql4Ll50MAbNzLVv OHjL32ZeVlb6Eh6UnKiVsAaUDlgkMclKu657DqBeato+MQubbajkr4hQ7/u/iIv0AsSJ 6vsv8EKwk1x/Sy1jmbLbraz/1gLxncwP89M8MDDd5bFCbFEnkzmmrTBEm2M7u1G3H8ib y/EQ== X-Gm-Message-State: APjAAAWeKd5qaHcVqpUrP228SSADTVnqP+76Y0EXSSgGDU416QSmVur6 PzI92cWn1GMkUVGSILNCdzZq18Lln00VRQ== X-Google-Smtp-Source: APXvYqwejjZHbTGRMWG/xuCDxVGYYvHFrIAr4VDm0Ro8JJWVlYy1bryO8TSwS7PCUALM1QH6iEnPhg== X-Received: by 2002:a81:9912:: with SMTP id q18mr10482474ywg.383.1581900328364; Sun, 16 Feb 2020 16:45:28 -0800 (PST) Received: from ?IPv6:2601:c0:c680:5cc0:10bb:4bd6:7ac1:f816? ([2601:c0:c680:5cc0:10bb:4bd6:7ac1:f816]) by smtp.gmail.com with ESMTPSA id r66sm5675634ywh.57.2020.02.16.16.45.26 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 16 Feb 2020 16:45:27 -0800 (PST) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\)) In-Reply-To: <52c24f76-570a-8541-1d62-555f2a0582f5@gmail.com> Date: Sun, 16 Feb 2020 19:45:26 -0500 Cc: internals@lists.php.net Content-Transfer-Encoding: quoted-printable Message-ID: References: <50BD013E-CF72-414C-BBC0-A7A2E45CBDDB@pmjones.io> <5DEE5A6E-2587-432D-9651-320DF42A7732@newclarity.net> <52c24f76-570a-8541-1d62-555f2a0582f5@gmail.com> To: Rowan Tommins X-Mailer: Apple Mail (2.3445.104.11) Subject: Re: [PHP-DEV] RFC: Server-Side Request and Response Objects (v2) From: mike@newclarity.net (Mike Schinkel) > On Feb 16, 2020, at 6:34 PM, Rowan Tommins = wrote: >=20 > On 13/02/2020 20:31, Mike Schinkel wrote: >> If I had a vote I would vote I would enthusiastically vote for the = RFC if it includes filter_input() functionality. But I would vote = against this RFC if it omits filter_input() functionality because it = would mean another subsystem in core that does not actually address = day-to-day concerns. >=20 > I think you are over-estimating how central the filter API is to most = people's workflow with requests. I think that's partly because designing = a good validation API is hard, but also because filter_input in = particular is a combination of three different concerns: I think your latter points are orthogonal to this. And that you are = taking my advocacy for adding filtering to apply too literally to only = the specific implementations in filter_input(). I can see addressing your comments below *and* having a filtering method = built into these objects. Possibly even with applicable method names as = opposed to a 2nd type parameter, like: $request->getInt('db_id'); $request->getJson('package'); $request->getUrl('return_url'); > 1) Fetching the raw information about the incoming HTTP request from = the web server (the "SAPI") > 2) Parsing that raw information into individual fields > 3) Validating those fields against expected type constraints >=20 > The superglobals already combine concerns 1 and 2, and the filter API = adds concern 3; but to do so they all assume that the user is basically = writing a CGI wrapper for some HTML forms. >=20 > The modern reality is rather different, and step 2 in particular is = much more variable: >=20 > - Rather than query string parameters, it might involve extracting = parameters from an SEO URL like "/products/123-acme-thingummy" or a = RESTish URL like "/products/123/description/en-GB" > - Rather than submitted form data, it might involve parsing JSON from = an AJAX request or API call >=20 >=20 > I would love to see new APIs that take a step back from the legacy, = and tackle each of these concerns separately, based on modern = requirements. >=20 > For concern 1, getting data out of the web server, I'd love to see: >=20 > - A more intuitive way to get the raw request body than = file_get_contents('php://input') > - A more reliable way to get the URL the user requested than checking = 5 different variables in $_SERVER to handle different deployment methods = (see e.g. [1] and [2] for the lengths libraries go to for this) > - A proper distinction between HTTP headers, server status variables, = and environment variables, because CGI name-mangling is legacy cruft = that users shouldn't need to learn >=20 > For concern 2, parsing that data, I'd love to see: >=20 > - A better API than parse_str for parsing arbitrary strings in = application/x-www-form-urlencoded format > - A way to parse data in multipart/form-data format decoupled from the = current HTTP request > - Tools for working with Content-Type strings, such as a function for = correctly parsing things like "text/html;charset=3DUTF-8", and constants = for common MIME types >=20 > Concern 3, filtering / sanitising / validating, I think is a really = hard problem space, and I don't think there will ever be one = implementation that suits all cases. >=20 > A similar "shopping list" could probably be made for responses, but if = we decoupled the pieces, we wouldn't have to perfect them all at once; = instead, we could provide building blocks that make userland = implementations easier. Decoupling is a valid approach. But given how much work it is get to an RFC over the line, it feels like = decoupling would end up with a lot more work, lengthen the timeline to = achieve base level functionality, and add uncertainty to whether it will = even happen whereas handling the 20% now that we need 80% of the time = would mean the API would be mostly fully usable out of the gate. -Mike=