Newsgroups: php.internals
Date: Mon, 28 Feb 2022 20:51:48 +0000
From: craig@craigfrancis.co.uk (Craig Francis)
To: Larry Garfield
Cc: php internals
Subject: Re: [PHP-DEV] Allowing NULL for some internal functions

On Mon, 28 Feb 2022 at 17:42, Larry Garfield wrote:

> Bringing internal functions into line with user-space was the correct
> move. There may be internals functions that make sense to be nullable on
> their own right, on a case by case basis. We can evaluate that case by
> case.

Thanks Larry,

I agree about bringing them into line, but I think our understanding of NULL may be different... these are PHP scripts which have used NULL as a distinct value for, well, forever? and many developers expect it to be coerced like the other values.

And while some developers use strict_types=1 (like myself) because we like the type to match up without values being coerced (I should be the one that manually chooses to convert)... I don't think I should force that strict coding style onto everyone, because there is nothing technically wrong with passing NULL into functions like urlencode(), it just implies, iff you use strict_types=1, that something may have gone wrong earlier.

As an aside, I often note that many developers who talk about how strict their code is... obv not you, but many still use 'unsafe-inline' JavaScript on their websites (mixing content), and don't use Trusted Types to disable unsafe JS APIs, which I consider a much bigger security concern :-)

And after all of this, no-one has come up with a way to find or address this problem, e.g.

    ./vendor/bin/psalm --init ./public/ 4
    ./vendor/bin/psalm
    No errors found!

    ./vendor/bin/phpstan analyse -l 9 ./public/
    [OK] No errors

    ./vendor/bin/phpcs -p public/ --standard=PHPCompatibility
    . 1 / 1 (100%)

    ./vendor/bin/rector process ./public/
    [OK] Rector is done!

Craig
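
The coercion discussed in this message, as an added example that is not part of the original post or of PHP's own code: in coercive mode `urlencode(NULL)` is treated as `urlencode('')`, and on PHP 8.1+ the call raises `E_DEPRECATED`, which an error handler can record with its file and line. The `$request` array and the `$nullCoercions` list are hypothetical names with constructed data, and this only reports code paths that are actually executed.

```php
<?php
// Added example. Coercive mode on purpose: no declare(strict_types=1),
// where the same call would throw a TypeError instead.

$nullCoercions = []; // hypothetical collector for call sites that passed NULL

set_error_handler(
    function (int $errno, string $errstr, string $file, int $line) use (&$nullCoercions): bool {
        // PHP 8.1+ message: "urlencode(): Passing null to parameter #1 ($string)
        // of type string is deprecated"
        if ($errno === E_DEPRECATED && str_contains($errstr, 'Passing null to parameter')) {
            $nullCoercions[] = ['message' => $errstr, 'file' => $file, 'line' => $line];
            return true;  // recorded; suppress the default notice
        }
        return false;     // anything else goes to PHP's normal handling
    }
);

// Constructed input: the optional "q" parameter is absent, so it becomes NULL.
$request = ['page' => '2'];
$q = $request['q'] ?? null;

// NULL is coerced to the empty string; the URL is still well formed.
$url = '/search?q=' . urlencode($q) . '&page=' . urlencode($request['page']);

restore_error_handler();

echo $url, "\n"; // /search?q=&page=2

// On PHP 8.1+ this lists one entry (the urlencode($q) call); on PHP 8.0 none.
foreach ($nullCoercions as $hit) {
    printf("%s:%d %s\n", $hit['file'], $hit['line'], $hit['message']);
}
```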