Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:118737
Return-Path: <vasilii.b.shpilchin@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 24328 invoked from network); 4 Oct 2022 01:30:08 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 4 Oct 2022 01:30:08 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id AE8B11804C4
	for <internals@lists.php.net>; Mon,  3 Oct 2022 18:30:06 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
	SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <vasilii.b.shpilchin@gmail.com>
Received: from mail-pj1-f47.google.com (mail-pj1-f47.google.com [209.85.216.47])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon,  3 Oct 2022 18:30:06 -0700 (PDT)
Received: by mail-pj1-f47.google.com with SMTP id q99-20020a17090a1b6c00b0020ac0368d64so2376659pjq.3
        for <internals@lists.php.net>; Mon, 03 Oct 2022 18:30:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date;
        bh=B9LH8aD8VIEjVkQ4zUTJX/XNqySByHed90yNqmhLCKE=;
        b=hgeS4fKT4gOew52Dk9P4N00YBon9cWHO5dviiV9+GEJ5DsKheTlcmcE7fVn7kRTZEN
         HPeXIa1Z9ur7xs36XVIzRGwti1jgPXK8vuGEq1YN4nNRsjez5dKNtd//XL/ELlr4O1+A
         ckiRWV9ms6/fBRATZNRF6BxdkQOdwublfICsg1Fc7oyq+82qAXjHAThgIsOmNeyi9ZFk
         liTbZlC8o+dZDQmVvBYnB24HZiPSiZkKt3bGI1gs3NmE4o9XO/+hT2ER4pM5mnFiEBVw
         l7pOwUR6YPLF4nRFvk4E9DV67IeWXxMTgQ2XmG13DFOz6lpGnLS6qis49PYL8BpMdUqK
         gEtw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date;
        bh=B9LH8aD8VIEjVkQ4zUTJX/XNqySByHed90yNqmhLCKE=;
        b=oZWSui8b1nKj60G/xbLtZUyxLUdmutgEs/rzd0a54+RVyNUGE7KSM55Q+TlhEbRHVX
         eaVWhse7DICjT02Xc7mzLRFjPqQHwbRMXTD5kU38qBZIPDh5Rnr+7HQnQ353OPnbrqEl
         ligKdKYdz7KtI0Qag+4AjXjRyeXGWoQKG9CP0SGC5k9gNDnPJhPgdJGT31mRrw+AoiLi
         /OAKQrILcVKRzVxft+jYIXWOs1elGv4ixAS+BKZEyRPZMoRnxiWN9GmyDJ21EeqCv0tV
         zhuGcNb5KJyxTCYxDOuKYeuRd3Nl6zJUlkz5Aw8ULtuOpFzkSd65bBWYyAYiuud6ZksD
         0NcQ==
X-Gm-Message-State: ACrzQf0aHMLVq/dKQh3ILefbfusLNCLhbozW1/bzlDoOC5aoUMtsV9am
	gXaV6t3efS2zWbF9cJuk+eoplKoNRNxzZ8n39Ym5p+BCCPU=
X-Google-Smtp-Source: AMsMyM67Ol3z82ejAzT1Y4J+rIm6ldVXAobX+kwDDBRpSK6fNppqWEve/vg4uJwx8fZbkrRTrYgfsc+ImjrCD+SAAeU=
X-Received: by 2002:a17:903:2445:b0:178:38ee:70f with SMTP id
 l5-20020a170903244500b0017838ee070fmr24243587pls.164.1664847004951; Mon, 03
 Oct 2022 18:30:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAGBsUrdri=hXQHy5JnVhpiz51FbnqVBHjrBg9-tj8m=vzfZtzA@mail.gmail.com>
 <0cfb9a7b-1168-42ef-ae1a-bdc72210de43@app.fastmail.com> <CA+p1FaaDimmXXxfmGYogENvTpKp2qvyYNt4MyJT9HrehiTbXGg@mail.gmail.com>
 <CAGgaK7LMx+hd_V_EPNnmRb8pggAmP62vVtLjh=xgCFCkCQ0dgw@mail.gmail.com> <CA+p1FaapMaiWzz438Jr7N6B5qg0FecUuzzoe5oce-PyggaSzXw@mail.gmail.com>
In-Reply-To: <CA+p1FaapMaiWzz438Jr7N6B5qg0FecUuzzoe5oce-PyggaSzXw@mail.gmail.com>
Date: Mon, 3 Oct 2022 21:29:53 -0400
Message-ID: <CANYPt=WE+iTbECh3Kzh+jqkkqz2+6ezG6PGpSKypJm0yGQhMCw@mail.gmail.com>
To: David Gebler <davidgebler@gmail.com>
Cc: Max Semenik <maxsem.wiki@gmail.com>, Larry Garfield <larry@garfieldtech.com>, 
	php internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="00000000000055ebe105ea2b6664"
Subject: Re: [PHP-DEV] Sanitize filters
From: vasilii.b.shpilchin@gmail.com (Vasilii Shpilchin)

--00000000000055ebe105ea2b6664
Content-Type: text/plain; charset="UTF-8"

I believe we are still dIscussing about the sanitizing filters only. No
doubt the filter API in general should be kept in the core as it provides
functional access to input variables with the filter_input() function. The
filter_input() is the only alternative to accessing superglobal arrays
directly. I prefer to use them rather than userland helpers and facades
which may work differently to each other. If you wanted to get back to
superglobal arrays when coding without a framework in PHP 8.3 I won't
believe in that. The set of the sanitizing filters is not perfect, however;
some filters are great and userful:

FILTER_SANITIZE_EMAIL - helps to clean up typical mess caused by
copy-pasting an email.
FILTER_SANITIZE_URI - similar thing but to URIs.
FILTER_SANITIZE_NUMBER_FLOAT - nice since it provides a flag to control
scientific notation (did you know is_float("1e1") is false,
but is_float(1e1), however, you always get a string from input variables,
and there is no other way to handle this case without weird manipulations
on a string).

The purpose of some filters like FILTER_SANITIZE_STRING is difficult to
get, I agree, but the idea to solve common edge-cases with built-in
high-quality functionality is  great, PHP is a language for Web and should
consider web context.



On Mon, Oct 3, 2022 at 8:38 PM David Gebler <davidgebler@gmail.com> wrote:

> On Mon, Oct 3, 2022 at 11:29 AM Max Semenik <maxsem.wiki@gmail.com> wrote:
>
> >
> > Is there a compelling need to have this in the core, as opposed to
> > Composer packages? The ecosystem has changed a lot since the original
> > function was introduced.
> >
>
> I don't know that there is, I suspect the answer is probably not and
> sanitization and validation is probably better left to userland code. The
> only argument I can offer as devil's advocate is that certain validations
> or transformations will be faster in core than in library scripts. I would
> wager the most common implementation of such userland libraries today are
> heavily reliant on preg_* functions so having some fast, low level baseline
> in core for common tasks in this category might still make sense.
>
> While we're on the topic, can I bring up FILTER_SANITIZE_NUMBER_FLOAT? Why
> is the default behaviour of FILTER_SANITIZE_NUMBER_FLOAT the same as
> FILTER_SANITIZE_NUMBER_INT unless you add extra flags to permit fractions?
> Why is the constant name FILTER_SANITIZE_NUMBER_FLOAT but its counterpart
> for validation is FILTER_VALIDATE_FLOAT (no NUMBER_)? Why does validating a
> float return a float but sanitizing a float return a string?
>
> What about FILTER_VALIDATE_EMAIL which is notorious for being next to
> useless?
>
> Seems to me like there could at the very least be a plausible case for some
> better to_float(), to_int(), is_valid_email() etc. type functions in core
> to replace some of the filter API.
>

--00000000000055ebe105ea2b6664--