Newsgroups: php.internals
From: tysonandre775@hotmail.com (tyson andre)
To: internals@lists.php.net
Date: Sun, 24 Jan 2021 22:51:00 +0000
Subject: Proposal: Move filter_var() to core, leaving filter_input*() in the 'filter' module

Hi internals,

The filter_var functionality is one of the most efficient and well-known ways in PHP to validate and sanitize inputs for many use cases
(e.g. FILTER_VALIDATE_INT for checking if a string is well-formed decimal input (or other bases),
FILTER_VALIDATE_BOOL for user input/configs (cli/server api), FILTER_VALIDATE_URL, FILTER_VALIDATE_EMAIL).

The filter_var functionality is something that you can disable with --disable-filter, and I've often encountered code with
a few dependencies or source files that assume that filter_var is always available when building php from source.

```
# Composer version 2.0.4 2020-10-30 22:39:11
sapi/cli/php ~/bin/composer.phar
Fatal error: Uncaught Error: Call to undefined function JsonSchema\Uri\filter_var() in phar:///path/to/bin/composer.phar/vendor/justinrainbow/json-schema/src/JsonSchema/Uri/UriResolver.php
# public function resolve($uri, $baseUri = null)
# {
# if (!is_null($baseUri) && !filter_var($baseUri, \FILTER_VALIDATE_URL) && ....
```

For me, the main reasons why a developer/admin/hosting provider may want to disable the 'filter' module are:

1. The filter_input() functionalities that allow direct access to the original POST/GET/COOKIE/ENV data.
   e.g. this makes the code, or third party libraries it uses, harder to unit test
   because $_GET/$_POST/$_COOKIE/$_ENV can't be replaced in filter_input.
2. The php build steps may have been carried over from PHP 5.2 when 'filter' was brand new and much less code used filter.
3. Desire for slightly smaller installations.
4. Unaware of it since phpxyz-core and phpxyz-filter are different modules in an OS's package manager.

The filters themselves (https://www.php.net/manual/en/filter.constants.php) seem to be free of side effects,
glancing at the descriptions and implementation.

The fact that filter_var isn't enabled by default may lead to:

1. Application/library authors unconditionally using intval()/floatval() or other functions in core that don't check for unexpected suffixes (e.g. '10MB').
   Many languages have a function like atoi() that detects invalid integers.
2. Applications skipping filtering steps if the function filter_var doesn't exist, e.g. allowing any string to be used as a url/email.
3. Dependencies failing to run due to throwing Errors on rare configurations where filter_var is unavailable.

It seems like filter is useful enough to already be statically compiled into the Windows builds published on windows.php.net.

-----

What are your thoughts on the following:

Move the following functions into core and statically build them
(and all global `FILTER_*` constants but not `INPUT_*` from https://www.php.net/manual/en/filter.constants.php):

- filter_has_var — Checks if variable of specified type exists
- filter_id — Returns the filter ID belonging to a named filter
- filter_list — Returns a list of all supported filters
- filter_var_array — Gets multiple variables and optionally filters them
- filter_var — Filters a variable with a specified filter

Keep the following remaining functions in the 'filter' extension, continue enabling them by default and allow --disable-filter to disable them:

- filter_input_array — Gets external variables and optionally filters them
- filter_input — Gets a specific external variable by name and optionally filters it

Thanks,
- Tyson
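An added PHP example (not part of Tyson's message) illustrating points 1 and 2 of the "may lead to" list: intval() silently accepts the '10MB' suffix that FILTER_VALIDATE_INT rejects, and a hypothetical parsePort() helper fails closed when ext/filter is missing instead of skipping validation.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (added example): validate a TCP port from untrusted
// string input. It refuses to run without ext/filter rather than quietly
// degrading to intval(), which is the "skipped filtering step" failure mode.
function parsePort(string $input): ?int
{
    if (!function_exists('filter_var')) {
        throw new RuntimeException(
            'ext/filter is unavailable (PHP built with --disable-filter); refusing to validate input'
        );
    }
    $port = filter_var($input, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    return $port === false ? null : $port;
}

// Constructed inputs. intval() stops at the first non-digit, so '10MB' and
// '8080abc' are silently truncated instead of rejected; FILTER_VALIDATE_INT
// only accepts a whole, well-formed decimal integer (surrounding whitespace
// is trimmed) and additionally enforces the min_range/max_range options.
$samples = ['8080', ' 8080 ', '10MB', '8080abc', '0', '99999'];
foreach ($samples as $raw) {
    printf(
        "%-10s intval()=%-6d FILTER_VALIDATE_INT=%s\n",
        var_export($raw, true),
        intval($raw),
        var_export(parsePort($raw), true)
    );
}
```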