Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:117808
Return-Path: <craig@craigfrancis.co.uk>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 17456 invoked from network); 28 May 2022 00:52:42 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 28 May 2022 00:52:42 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 939D4180384
	for <internals@lists.php.net>; Fri, 27 May 2022 19:35:49 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <craig@craigfrancis.co.uk>
Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Fri, 27 May 2022 19:35:48 -0700 (PDT)
Received: by mail-wr1-f51.google.com with SMTP id i6so238187wrw.5
        for <internals@lists.php.net>; Fri, 27 May 2022 19:35:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=craigfrancis.co.uk; s=default;
        h=mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=/53h/+obN4mQp2n4FILLUWkWZzJFVsxxjUE93kv7skE=;
        b=aJIGe6gyKSiOf5wE8kaBj/m1O4kal1lFk8xK5Oh3IcbWQzBUEQ+TZ7catj1XNwafnf
         LwWFWvReCb7VRGTRHpkIGMP9jkxdziC4b6kF57yYU9YcDYJe9WIi/hqoRwvz1p6TjJ5o
         VCqVmuFDVaVvvMQoSjthugdgHTfTTrRaO0Fao=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=/53h/+obN4mQp2n4FILLUWkWZzJFVsxxjUE93kv7skE=;
        b=qdo77+X3BkCgMZYAHi5ZRT6ZxGZgU6peWnd97z8l0XvU105QDhOhXiJoT4zGUCYUgQ
         7fMiARxiy8rdOt31r5bEr77psn8tYfoXE7ZgRVTXeYjH/BfsEumiRs7yiPgFB0Vlx/EA
         CSlsK+UCrSKBkJVO5nj/DE6nEweMwgb8Fl3v5l1DpucMLRCuUOG2fZlMIYR3MmF/M0rZ
         wp7x0Gt5MJ17DRi71ZD0w4tKzEJP9cy1PkStGML+0X7WnlSk+3AjnjnTMcX7aBxPDq0t
         09RIHYBMv7qzrRKRFQXggQySXyTgePengwYirP4j9Xj3EvAAhoZyJ4PPhiY89yoJQKD5
         AGew==
X-Gm-Message-State: AOAM533VvcElkgQI9iohGY+9Zvkh3zp2gzBzFGntKRAySDczstKlNLGD
	eIjyr2eOy8B85eF1SP9IKldkgg==
X-Google-Smtp-Source: ABdhPJxinrMAa8MYQTiUpNTGN0cY/rhLkb/BSVwQutVCn7t8im8G0EkEt88u0nH031VaYNjW5rrRnw==
X-Received: by 2002:a05:6000:178d:b0:20f:e7da:6a21 with SMTP id e13-20020a056000178d00b0020fe7da6a21mr20015579wrg.689.1653705347537;
        Fri, 27 May 2022 19:35:47 -0700 (PDT)
Received: from smtpclient.apple ([94.173.138.98])
        by smtp.gmail.com with ESMTPSA id bw30-20020a0560001f9e00b0020ffa2799f4sm2860694wrb.73.2022.05.27.19.35.46
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 27 May 2022 19:35:46 -0700 (PDT)
Content-Type: text/plain;
	charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
In-Reply-To: <8f212d08-81f3-4e7b-ae68-82b04d74929b@Canary>
Date: Sat, 28 May 2022 03:35:45 +0100
Cc: Internals <internals@lists.php.net>
Content-Transfer-Encoding: quoted-printable
Message-ID: <0AE752E6-312B-4639-AC1C-1ED201DAF627@craigfrancis.co.uk>
References: <CAFv4g+Ej4JbM9SzQ0iU-d8C4T+2XNo=8jnJ1uwfQ=skZZXx9Tg@mail.gmail.com>
 <1755E8B5-229B-47B2-BBAF-B5E014F5473D@craigfrancis.co.uk>
 <1180af01-080f-ee0a-3159-74bf7e0a8aea@gmail.com>
 <73F563E2-7C31-4B5E-A6B9-AE1BD05ADD1C@craigfrancis.co.uk>
 <CANvqVdrmVOwKaMxsO6Awbr0KSpc=QjqNFwFivKphdT_KAZRcSg@mail.gmail.com>
 <2DC21BE3-558E-4530-B5D8-C5EE6F6CFEF3@craigfrancis.co.uk>
 <8f212d08-81f3-4e7b-ae68-82b04d74929b@Canary>
To: Michael Babker <michael.babker@gmail.com>
X-Mailer: Apple Mail (2.3696.100.31)
Subject: Re: [PHP-DEV] NULL Coercion Consistency
From: craig@craigfrancis.co.uk (Craig Francis)

On 26 May 2022, at 20:06, Michael Babker <michael.babker@gmail.com> =
wrote:
> On Thursday, May 26, 2022 at 11:41 AM, Craig Francis =
<craig@craigfrancis.co.uk (mailto:craig@craigfrancis.co.uk)> wrote:
>> [...] If there is a good reason for throwing an exception when NULL =
is passed to `htmlspecialchars()`, then that reason would also apply to =
Laravel Blade for it's HTML encoding.
>=20
> Laravel=E2=80=99s `e()` helper function is more than a wrapper around =
`htmlspecialchars()` which supports values beyond a string, and has =
elected to support a null value being passed into that function with =
explicit handling for it. I=E2=80=99ve seen similar patches land in =
other packages as well. Whether it is to prevent that package from =
triggering the deprecation regarding null values itself or the package =
owners choosing to explicitly handle the null case so users don=E2=80=99t =
need to deal with it doesn=E2=80=99t really matter, the point is folks =
have made that decision and it is not problematic in any way IMO. =
You=E2=80=99re basically saying that a framework choosing to apply the =
same `htmlspecialchars($string ?? =E2=80=98=E2=80=99)` patch that =
applications are suggested to use (for those who don=E2=80=99t care to =
differentiate between null and empty string before something reaches an =
escaping function) is in the wrong by arguing for Laravel to revert that =
patch.


Sorry, I've read this a few times, and I just don't understand what you =
mean... but let's leave it, I cannot think how else to re-write my =
question to get an answer.



On 26 May 2022, at 20:06, Michael Babker <michael.babker@gmail.com> =
wrote:
> On Thursday, May 26, 2022 at 11:41 AM, Craig Francis =
<craig@craigfrancis.co.uk (mailto:craig@craigfrancis.co.uk)> wrote:
>>=20
>> `htmlspecialchars()` can and always has safely worked with NULL, the =
same with the other 335 parameters I've listed. But when I suggested =
changing these parameters to be nullable, it was not well received.
>=20
> The arginfo for the `htmlspecialchars()` function, and if I=E2=80=99m =
reading correctly (I=E2=80=99m no C developer so I could very well be =
misinterpreting things) the internal `php_html_entities()` function =
which `htmlspecialchars()` calls, does not declare null as a supported =
value for the `$string` parameter. Meaning that depending on whether =
your code uses strict_types or not, either calling the function with a =
null value triggers a type error or requires implicit type coercision to =
convert the value to a type that the function does support. This means =
to me that the `htmlspecialchars()` function does NOT support null =
values and that passing null through only works because of the reliance =
on implicit type coercision. That, to me, is a valid reason for a type =
error to be raised; the code very explicitly requires a string and is =
not written to process a null value.
>=20
> A blanket suggestion to make every string parameter which implicitly =
supports a null value nullable because they previously supported null =
through type coercion IMO should be shot down. Instead, parameters which =
are emitting a deprecation notice because they are receiving an =
unsupported null value should be reviewed, and if that function can by =
design support null values, those parameters should be updated to =
reflect nullability. IMO, `htmlspecialchars()` is not a function which =
should expliciitly support a null value and the present deprecation is =
correct.


Erm, I really don't wish to be rude, but have you read my RFC, and the =
problem I'm trying to solve... in short, the backwards compatibility =
issue for PHP 9.0.

Developers will need to spend a lot of time updating their code, which =
is important to avoid the fatal type errors, but I simply do not =
understand what the benefit for them will be.



On 26 May 2022, at 20:06, Michael Babker <michael.babker@gmail.com> =
wrote:
> On Thursday, May 26, 2022 at 11:41 AM, Craig Francis =
<craig@craigfrancis.co.uk (mailto:craig@craigfrancis.co.uk)> wrote:
>> On 26 May 2022, at 15:01, Michael Babker <michael.babker@gmail.com> =
wrote:
>>> Yes, that means that there is a lot of work involved for folks =
between now and the release of PHP 9.0 to either refactor code to avoid =
type errors or to get the language to expand the supported types in =
appropriate functions, but IMO that effort from all parties is worth it =
in the long run to ensure language consistency (I really don=E2=80=99t =
think userland PHP and internal/extension PHP should have vastly =
different behaviors, and type coercion support based on where a function =
is designed is one of those holes that needs filled) and to ensure all =
APIs explicitly declare what types of data they support.
>>=20
>>=20
>>=20
>> I don't think userland and internal functions should have different =
behaviours either (my RFC does say "keep user-defined and internal =
functions consistent").
>>=20
>> To achieve that, for those not using `strict_types=3D1`, I'm simply =
suggesting that NULL coercion continues to work for internal functions, =
and we update user-defined functions to allow NULL coercion.
>=20
> On the record, I personally disagree with the strict_types =
declaration=E2=80=99s existence purely because it makes the runtime =
inconsistent based solely on what file something was called from, plus =
there are way to bypass a developer=E2=80=99s explicit opt-in to =
strict_types being enabled which makes it a =E2=80=9Cmostly strict but =
there=E2=80=99s still a gotcha=E2=80=9D declaration at best. I don=E2=80=99=
t think this type of deep rooted behavioral difference improves PHP in =
any way, but that ship has long sailed.


I believe George Peter Banyard is trying to work on this.



> With that said though, I disagree with exposing the internal type =
coercion behavior to userland code. I think the userland behavior as it =
is today is the correct behavior, even if I look at implicit type =
coercision as a bug which will cause hard-to-identify production issues =
for somebody at some point down the road. Let=E2=80=99s also be real =
here, a not-so-insignificant number of PHP builds are powered by =
platforms which have minimal if any automated testing and even less =
static analysis, meaning a static analyzer is not going to be of much =
help to those builds to begin with because they=E2=80=99re using =
non-analyzed code as a foundation. Changing the language in a way that =
makes these already fragile platforms even more suseptable to hidden =
type-related bugs is a bad idea. Personally speaking, I=E2=80=99ve been =
bitten by enough type-coercion related bugs in my career (and continue =
to address new issues arise thanks to a combination of poorly formed =
legacy data in the database plus open source packages becoming stricter =
in the types they support) that I would rather advocate for the language =
moving in a direction that makes type-related issues harder to hit and =
it to be noisy when it does encounter such issues; the changes in PHP =
8.1 IMO are a step in the right direction.


Sorry, but I'm finding this hard to follow, it sounds like you don't =
want any type coercion... e.g. the string "5" to int 5 should just not =
happen without the developer explicitly converting the type (e.g. =
intval)... I disagree, but we can leave it at that.

Craig