Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:117779 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 55856 invoked from network); 24 May 2022 07:05:22 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 24 May 2022 07:05:22 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 8CF881804C4 for ; Tue, 24 May 2022 01:47:34 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: * X-Spam-Status: No, score=1.3 required=5.0 tests=BAYES_20,BODY_8BITS, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, NICE_REPLY_A,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 24 May 2022 01:47:34 -0700 (PDT) Received: by mail-wr1-f50.google.com with SMTP id p10so6039583wrg.12 for ; Tue, 24 May 2022 01:47:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :references:from:in-reply-to:content-transfer-encoding; bh=UWjtrEkRNwkUbljoCKqqY1ceGxwe4reyXekbo4VpEmc=; b=RKsB382FTz3AHDZj29n1MhMQjGGPxUzVh954lV1V+KNGNGAg/2Cl7YTMzpAM9a7tKb Qb6I3iztPsIJgEz6o3P408KquNSbUkZKKMfBeZVEOeojny2wTM3uZIeoK1AxOEcaPQcE 2aj9JmF2GPPKnd2sgZKiC0wyNlGa1CSCx4iolKcb+i16MKy4voxZcJtwjmfDwfDS3S0o TD6XSQ5f/XjQAo3aCdo0IIOrSLutifMv7ekINr3ghrL+d/dHxMYG2+lAfQ9T7R3Kt1YR F8pvOjaq5GfnTjSCHa0J1DXSc3hA1DkFnD+DaVhGCz08gRf92vpoRmZIxXE0zREjHyk2 Tfrg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:references:from:in-reply-to :content-transfer-encoding; bh=UWjtrEkRNwkUbljoCKqqY1ceGxwe4reyXekbo4VpEmc=; b=67gj5vaasl5E5IzrvRSjO5E8YD5jGgCI3nptU22cHYObppaTQyBPAG8cSnnyOvTqJ5 s/vxsecwVFM1oqNL6MxVHOoekTqNTrjc9Io8WFR3rB++tg12isDfrGhfb4AoB9FnBJfw 7wrOMq3F+e9VBOocIMx0Vsc9AIQFdLOtCXJZA99N8wGDUr+mnmXNjJLPzxC/UQjLhObW RwcNjQ0e7y9LRmaMsTV8xahF2TI88X2pk3/B8FAUUuGimNoaNRR0Zc2n2uJpnAim4nLX dDeCnUh5jvh5Nhck8ziIYRAA0D/0Yz6vkIXmjR5kaDdbey2fssr9F8XRKiofUPdz648S sEtw== X-Gm-Message-State: AOAM531fb00P0AQpNVyvmSvSxMgsn71Gd+OaHWRnBG5x2NBWMtsZ/Zj5 U1wziB02tEf4DC4BOa3M0rTXhWS2COU= X-Google-Smtp-Source: ABdhPJwo679PrCuinAxzoDZD7ZOMBoMkFzlvXRvPIJjRxQDGhYPM7nKd40iUw93NU7XZP6h2a5D6Yg== X-Received: by 2002:a5d:4e0d:0:b0:20d:88e:c8b1 with SMTP id p13-20020a5d4e0d000000b0020d088ec8b1mr21579336wrt.18.1653382052958; Tue, 24 May 2022 01:47:32 -0700 (PDT) Received: from [192.168.0.22] (cpc104104-brig22-2-0-cust548.3-3.cable.virginm.net. [82.10.58.37]) by smtp.googlemail.com with ESMTPSA id e16-20020a05600c4e5000b00397473ae25esm1494011wmq.34.2022.05.24.01.47.31 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 24 May 2022 01:47:31 -0700 (PDT) Message-ID: <1180af01-080f-ee0a-3159-74bf7e0a8aea@gmail.com> Date: Tue, 24 May 2022 09:47:30 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0 Content-Language: en-GB To: internals@lists.php.net References: <1755E8B5-229B-47B2-BBAF-B5E014F5473D@craigfrancis.co.uk> In-Reply-To: <1755E8B5-229B-47B2-BBAF-B5E014F5473D@craigfrancis.co.uk> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Subject: Re: [PHP-DEV] Re: NULL Coercion Consistency From: rowan.collins@gmail.com (Rowan Tommins) On 23/05/2022 19:45, Craig Francis wrote: > For those against my RFC, can you take a quick look at this patch for Laravel: > > https://github.com/laravel/framework/pull/36262/files#diff-15b0a3e2eb2d683222d19dfacc04c616a3db4e3d3b3517e96e196ccbf838f59eR118 > > If passing NULL to `htmlspecialchars()` represents a problem, as used in templates like `

Hi {{ $name }}

`, presumably this patch should be reverted? I notice that the docblock didn't previously list null as valid input, so this was only working by mistake, as the commit message admits. If you copied the documented union to the native type declaration on the parameter, it would immediately reject nulls, because that has always been the behaviour of user-defined functions. Static analysis tools will also have complained that null was not a valid input according to the documentation. I also note that the commit message says "On PHP >= 8.1, an error is thrown if `null` is passed to `htmlspecialchars`." which is of course not true for native PHP, only if you make the highly dubious decision to promote deprecations to errors. As an anecdote, I was recently working on a bug involving nulls causing unintended behaviour in an API. As part of the clean-up, I changed a function signature from getByIdentifer($identifier) to getByIdentifer(string $identifier), and during testing, got an error because I'd missed a scenario where null was passed. This was a good result - it prevented the broken behaviour and alerted me to the case that needed fixing. If the parameter had instead been silently coerced to an empty string, I would have got neither an error nor the original null behaviour, causing a new bug that might have taken much longer to track down. If your RFC as drafted was implemented, I could only have achieved the desired check by turning on strict_types=1 for whole sections of the application, which would probably require dozens of other fixes, or writing an ugly manual check: function getByIdentifier(?string $identifier) {     if ( $identifier === null ) {          throw new TypeError("Function doesn't actually accept nulls");     }     // ... } As I have said previously, I share your concern about the impact of the currently planned change, but I don't think loosening the existing type rules on user-defined functions is a good solution. Regards, -- Rowan Tommins [IMSoP]