Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:118736 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 19968 invoked from network); 4 Oct 2022 00:38:41 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 4 Oct 2022 00:38:41 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 0CCF1180505 for ; Mon, 3 Oct 2022 17:38:40 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com [209.85.221.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 3 Oct 2022 17:38:39 -0700 (PDT) Received: by mail-wr1-f52.google.com with SMTP id j16so7055690wrh.5 for ; Mon, 03 Oct 2022 17:38:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=iW/ZZV+JWwblnyV2mGs3H8nh1GHi7J0AC4sdYWhi1Q0=; b=FKVpU6h4ETQq1ri8G00ZH0ZUXe+GsR1UVAwG0IxwGDrtCk3yW3iRgS/lvAHpvkQgU7 CZMzg7WsWkwtg4YxyPpGyAuwQkBg7/BQlhnucN04OZ8WPReSTySAIbDjBmA8JPFhJffx HGtpbDooaze3L6igf8Tx7d7AXwuNng+dz894o+ntR54dnp2r+nZ+SOeAMA36UR11Ue6Q WE4sv8n44jN3KTX7h4HSL1Hr5ddDnXjKK58XcY2kHctIzje0pMoohIUJoPYvHOEIOVlg HB1Ifvdc1H4YL+uQrOVUFoBdVfXd/mXUQRneBx91wn1QWH4iVP2leugcqODoqwoC6YIA i/HQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=iW/ZZV+JWwblnyV2mGs3H8nh1GHi7J0AC4sdYWhi1Q0=; b=ZbFlZbVb7yCN2RS6Q+j81xirTFiZt0GweF0mKBo6Fhl4DiIbB/zg26NOnYhCC5DAZa VT89G52iuNz/GCu+aV12monzvYkK+BX1y8XWTlfVncBfcuah1PadNpA/C82nLRkwvvrS Pw1A3QsYqfUBXVb2tmILHo1euQ/MWanFnLqTeyA3bBykm+PcO5mlyuaN9yn4ZDrpy5qd it/2hfJyUvDYlu86sZZ/9yK7Ec8z8VIzZ1TMH/jhju4ZMEe322CnU7C2QtvZ18YZbL5f 1d9PC9ozr7XHDf/VOuzT35ms2j22UVcoHi8RUNxnOrL7jKhDG/ytdEBxIHc4HArmya0O nMvg== X-Gm-Message-State: ACrzQf0bErrmp5j/v4j671AR9OxrOUt7bXQqoHeyhUD225Vy/Fb4PMuQ UveuEou/nfhxQ5g1I1mEbICJUVhG6zjuKFLtdrE= X-Google-Smtp-Source: AMsMyM5dp22ms95y3FjV/ySOZkpes8oGGjih6v+e9xPeVFKjAte80NcdJePpa0UvtA62AZItrm5ycMluzqzc4fWqldg= X-Received: by 2002:a5d:6d07:0:b0:22a:3f21:3b56 with SMTP id e7-20020a5d6d07000000b0022a3f213b56mr14288295wrq.679.1664843913180; Mon, 03 Oct 2022 17:38:33 -0700 (PDT) MIME-Version: 1.0 References: <0cfb9a7b-1168-42ef-ae1a-bdc72210de43@app.fastmail.com> In-Reply-To: Date: Tue, 4 Oct 2022 01:38:22 +0100 Message-ID: To: Max Semenik Cc: Larry Garfield , php internals Content-Type: multipart/alternative; boundary="0000000000000d3b3605ea2aaef7" Subject: Re: [PHP-DEV] Sanitize filters From: davidgebler@gmail.com (David Gebler) --0000000000000d3b3605ea2aaef7 Content-Type: text/plain; charset="UTF-8" On Mon, Oct 3, 2022 at 11:29 AM Max Semenik wrote: > > Is there a compelling need to have this in the core, as opposed to > Composer packages? The ecosystem has changed a lot since the original > function was introduced. > I don't know that there is, I suspect the answer is probably not and sanitization and validation is probably better left to userland code. The only argument I can offer as devil's advocate is that certain validations or transformations will be faster in core than in library scripts. I would wager the most common implementation of such userland libraries today are heavily reliant on preg_* functions so having some fast, low level baseline in core for common tasks in this category might still make sense. While we're on the topic, can I bring up FILTER_SANITIZE_NUMBER_FLOAT? Why is the default behaviour of FILTER_SANITIZE_NUMBER_FLOAT the same as FILTER_SANITIZE_NUMBER_INT unless you add extra flags to permit fractions? Why is the constant name FILTER_SANITIZE_NUMBER_FLOAT but its counterpart for validation is FILTER_VALIDATE_FLOAT (no NUMBER_)? Why does validating a float return a float but sanitizing a float return a string? What about FILTER_VALIDATE_EMAIL which is notorious for being next to useless? Seems to me like there could at the very least be a plausible case for some better to_float(), to_int(), is_valid_email() etc. type functions in core to replace some of the filter API. --0000000000000d3b3605ea2aaef7--