Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:115133 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 43018 invoked from network); 24 Jun 2021 23:38:24 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 24 Jun 2021 23:38:24 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 87D5C1804DA for ; Thu, 24 Jun 2021 16:57:16 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-lj1-f172.google.com (mail-lj1-f172.google.com [209.85.208.172]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 24 Jun 2021 16:57:15 -0700 (PDT) Received: by mail-lj1-f172.google.com with SMTP id d2so10086508ljj.11 for ; Thu, 24 Jun 2021 16:57:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=craigfrancis.co.uk; s=default; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=wBHUd1tmGyS7L8upBqgFBcN9dTYx4oqIFUJX5QvZNV8=; b=gQZwTUxxQ7JOrkFnvhSqQaQAs+/BevYqxCYxUhc1EuE9/oRq55Td32Hxq/aBSrjju6 UBnBAZBtUv6tWaRI9/FEu9X4BUQy253M6NUMRGdbrQhfEOUxejYWdChdUKBxs62vylsr DXSDK1UbaSmiPx6IGJ8hTt2neMKcbKy26XKcY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=wBHUd1tmGyS7L8upBqgFBcN9dTYx4oqIFUJX5QvZNV8=; b=evC4KjHZ7Qaj4jhVyIBYWzdeup8AIhebjOncmsHPloBxMszNdN76Z8sXjWZ+fvfde3 nkoL8NVl90T27hotngW8lCMImfF4lHvncC4RQaDl4E1yv/Qtu6jfQOcPgnzNViknyvtR okGAIlDyyE+1cyLe82ovZwB8jRY+Rzwf25MbbANtbWP7ZR7eRa70umEL3BHPqmWHHy5o zyLM4ftY6+vRLYrVJhTvB7HLUU2MNzlw24DkGS7qwDXJsipVhWkoNicHXzvlDTG9ItV/ ErL6voJImtSm6Rp9yzhF34thzsTe2cEJ6Qk9HiitLYc49wpV9mqNMvst+94Qip0w0ndY Ejfw== X-Gm-Message-State: AOAM532cOWfE9oZfeAn/2Ch7wTbjGx2CJo1UerUJnbZOXKYzmOpHmu2e jnBTAxERiCeCbEpkFprzI7lmNkAuBzrLJeMv/41F1764sokLcw== X-Google-Smtp-Source: ABdhPJxinjqnOlETS+IJX18bVyfHjJVnv3tYJqMeAJ6dnyeeCORm2twUycVjhuEgensnEQ+/LJ6YS9IvRwTxgKDluJU= X-Received: by 2002:a2e:b60d:: with SMTP id r13mr6081884ljn.314.1624579033874; Thu, 24 Jun 2021 16:57:13 -0700 (PDT) MIME-Version: 1.0 References: <03f7955c-69a8-4841-9245-449d7851e207@www.fastmail.com> <95D16F2E-E9DD-4964-A0E2-62E1FB0D976B@koalephant.com> <4DE5E2EC-26D6-4D2C-95A9-B843B440EE87@koalephant.com> <26037CB4-4723-4DC5-BD92-BBDC4F548E17@koalephant.com> <24E12B58-7613-4E67-852C-3312F4AE769C@newclarity.net> In-Reply-To: Date: Fri, 25 Jun 2021 00:57:02 +0100 Message-ID: To: php internals Content-Type: multipart/alternative; boundary="0000000000003954db05c58bc800" Subject: Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted From: craig@craigfrancis.co.uk (Craig Francis) --0000000000003954db05c58bc800 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, 24 Jun 2021 at 21:25, Dan Ackroyd wrote: > > Please can you go into some detail about what you think people are > > meant to do when they detect a non-literal used where a literal is > > expected? > > There is a whole load of hand waving going on of "you can protect > yourself!" but then no detail of what this RFC proposes people > actually do, which means people can't evaluate whether it's worth > adding or not. > As noted by Lauri Kentt=C3=A4, "I'd imagine people use custom error handler= s which report errors (warnings, notices) to ticket system or email or some other convenient place, so they don't need to read through logs." By using a simple function, it allows the library to handle the situation however it likes. In the RFC there is a "How it can be used by libraries" link, which shows how a library can easily provide options for a basic warning, exception, or just ignoring. But a library could also only run these checks in development mode (off in production), or do additional checks to see if the value is likely to be an issue (value matches a field name), etc. https://github.com/craigfrancis/php-is-literal-rfc/blob/main/justification/= example.php > > Why are you prioritising speed of adoption, over reducing the cost of > > using this feature for projects over say the next 5 or 10 years? > > I think this feature should be of most value to teams with large > code-bases, where maintaining the code (and figuring out security > problems) has a much higher cost than for small code-bases, where this > feature might not deliver much value. But by carrying the literal flag > through on string concat, that results in it being annoying to use for > teams with large code-bases....which seems self-defeating. > As noted by Rowan Tommins, "It would also not solve the problem of the assertion only triggering in production without a careful integration test. That can only be solved with a static analyser, which would also have enough information to isolate the cause." Static Analysis via `literal-string` is now supported in Psalm (thanks Matthew Brown): https://psalm.dev/r/9440908f39 And with a dedicated type (a future RFC, as it needs to cover different questions that build on this implementation), that would make Static Analysis even better for debugging, rather than a solution that triggers exceptions for everyone. Craig --0000000000003954db05c58bc800--