Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:114860
Return-Path: <thomas@nunninger.info>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 43253 invoked from network); 14 Jun 2021 13:11:38 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 14 Jun 2021 13:11:38 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 4F21218050A
	for <internals@lists.php.net>; Mon, 14 Jun 2021 06:27:53 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.0 required=5.0 tests=BAYES_20,NICE_REPLY_A,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Envelope-From: <thomas@nunninger.info>
Received: from mout.kundenserver.de (mout.kundenserver.de [217.72.192.74])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 14 Jun 2021 06:27:52 -0700 (PDT)
Received: from [192.168.178.22] ([85.212.131.73]) by mrelayeu.kundenserver.de
 (mreue107 [213.165.67.113]) with ESMTPSA (Nemesis) id
 1Mg6uW-1lOebd3wqs-00herY; Mon, 14 Jun 2021 15:27:48 +0200
To: Dan Ackroyd <Danack@basereality.com>, Joe Watkins <krakjoe@gmail.com>
Cc: Craig Francis <craig@craigfrancis.co.uk>,
 PHP internals <internals@lists.php.net>,
 Matthew Brown <matthewmatthew@gmail.com>
References: <CAFv4g+F-7F7o6va5wCrojKe+Uysx2Ec3H4yV_mUZYEyNm3MkdQ@mail.gmail.com>
 <CAOwTYAt3rztsZ1BTjEbsonqPR_thgG7UqEUO2pKeN=dEg1jqgg@mail.gmail.com>
 <CA+kxMuSJvk2bDM1dQnZHxgiO+YrYhbjS8BziAy+YGSSW8cR1nw@mail.gmail.com>
Message-ID: <f7288bfd-e9e6-f77e-358b-c0d6fe12a9d9@nunninger.info>
Date: Mon, 14 Jun 2021 15:27:47 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <CA+kxMuSJvk2bDM1dQnZHxgiO+YrYhbjS8BziAy+YGSSW8cR1nw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K1:fToHV9LS0w7ILguT2RR7dam3mvwzfkB4aRIQkP4JsG3nbmYPWnB
 Rc5K9+Y0nLbah7WXi2uT6x/08eLF/0K9GFtQiCG5tVRbT50GNgVCv7Y1Bo1/pofCkzYd1t/
 omnccAPBEpM+xket2TfT3j8RJeNNGRlmCePZQWmrL+ewQFQ0iMvD4EO1WPD/GeRSz23+VKH
 kRCFcop9tbPSA6KsR0CbA==
X-UI-Out-Filterresults: notjunk:1;V03:K0:ulYMdw07Y/A=:75xL3Ayr0KF0zlQKWnLg3V
 9SnBKMTvojJhCLqz/QFeS895wQngvFksMD/lOIsPoZgCvQSD4JjQksovPh0EGQ3P4S1NvVJmG
 j9cklve4qsqpe6PiapjYdKm7JO2xmVg4qm80vM9cdb66MoyC2mOhaz9qiAL8aidTndbMuszzf
 joKPUl0aLpIPh6grWX0NcyLggZVe2Et47XKDff70NzvkssCvZ2GmjFnCAUMD+ruqXAq6hGn6p
 97dQ4Z7gg1rsuEpTkli3Mf6HYnFBmtBKlFDVhyVBY1Xc+PwMdczoCCwhxTBliqiIyNsohMBNJ
 4ev7PFGrsINL6pqDrv81npWyWBFmn8IG/uGv0m437Hd2zozg7T792MoV93+4DtQZJ9IgbZuYb
 84Tw1vbDw1KLdue+tjMtZO5yTLaiolYZ3fxfqvc8wCs9gBJl02Mlf1H9p71M4Qtlis4Vxjs2B
 JnzJdLe20YqJi4mWRViJs3de/pLT3POcSYot+z0u4OaPe0EOU2nayHbvwkc8ktlmEEoDNheOQ
 ZO5gtdX+01IfwBZ8AcLBWA=
Subject: Re: [PHP-DEV] [RFC] is_literal
From: thomas@nunninger.info (Thomas Nunninger)

Hi!

> class UserPreferences {
>      private DB $db;
> 
>      function getColor(): string {
>          $preferredColor = $this->db->getColor();
> 
>          if ($preferredColor === 'light') {
>              return '#fff';
>          }
> 
>          if ($preferredColor === 'dark') {
>              return '#000';
>          }
>          return $preferredColor; // user has set custom color.
>      }
> }
> 
> Assume that both UserPreferences and getInfoPanel code is covered by
> unit tests. The developer who made that change would run the tests,
> see the tests pass and then push their code live. At which point, it
> would cause an error in production, as the string returned would not
> pass the is_literal check.
> 
> This would be a complete pain in the butt to fix.

When you write about testing in this database scenario, I find some 
additional issue: When you try to create pure unit tests you would 
somehow mock/stubb or replace the database with some test double. In 
that situation your tests will still pass even if testing the variant 
that the value comes from the database. Only some (infrastructure or 
end-to-end) test that covers the business logic plus the corresponding 
infrastructure by accident would uncover an error.

I wonder if we would need some method to mark a value/variable as 
non-literal. Or perhaps mark some return value (or input parameters?) in 
an interface/class as non-literal using some annotation?

That still puts the burden on the developer to think about that issue. 
But it's probably better than nothing.

Perhaps someone has a better idea?

Cheers
Thomas