Newsgroups: php.internals
Date: Tue, 6 Jul 2021 10:32:35 +0100
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal
From: craig@craigfrancis.co.uk (Craig Francis)
To: "G. P. B."
Cc: PHP internals

On Tue, 6 Jul 2021 at 7:38 am, G. P. B. wrote:

> Although I think the idea of the feature is useful,
> I'm not so sure about the implementation.
> [...]
> Whereas using a function like concat_literal() which checks that the
> inputs are indeed literals provides immediate feedback that the type
> constraint is not being violated.

Hi George,

Thank you for your message.

We have provided a userland `literal_concat()` function in the RFC to do exactly what you’re suggesting, while allowing developers to choose to do things like raise exceptions during development/testing, and ignore/log issues when running in production. So you absolutely can use it like that if you want.

https://wiki.php.net/rfc/is_literal#support_functions

We also agree that a dedicated type would be useful, but as noted by Joe and someniatko, that should come in 8.2 once the function is established (allowing us to potentially build on Intersection Types, and will involve a separate discussion). This is noted under "Future Scope".

https://externals.io/message/114835#114847

The only difference is that we decided to allow string concatenation of literals, as we want to provide something that’s usable for everyone immediately, provides the same level of security, and doesn’t require a mass rewriting of existing code. (Which is basically a death sentence for most security-based improvements, as a lot of people won’t have the time/energy to do that. The more automatic security can be, the better, which is why something libraries can implement is ideal).

https://wiki.php.net/rfc/is_literal#string_concatenation

Excluding concatenation would almost certainly prevent libraries from using this check, simply because developers do use concatenation, which will result in too many invalid errors, requiring them to make substantial/unnecessary changes (i.e. replacing every string concat with `literal_concat()`, or using a special Query Builder for their SQL/HTML/CLI/etc).

It’s also worth noting that developers who want to use `strict_types` are probably using static analysis already, where Psalm has just added support for this (thank you Matthew):

https://github.com/vimeo/psalm/releases/tag/4.8.0

Thanks,
Craig