Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:118841 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 39818 invoked from network); 18 Oct 2022 12:04:48 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 18 Oct 2022 12:04:48 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 382061804B3 for ; Tue, 18 Oct 2022 05:04:47 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-ua1-f41.google.com (mail-ua1-f41.google.com [209.85.222.41]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 18 Oct 2022 05:04:46 -0700 (PDT) Received: by mail-ua1-f41.google.com with SMTP id i20so5437207ual.4 for ; Tue, 18 Oct 2022 05:04:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=basereality-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=nsvT6FEb5RCZYf1GSIRSEHIRP2Ytpyv4xGovITlFodc=; b=ej8zSnqIvrr1PGQm+NjX8JInziKFYXwFV+eI+OcQ3/UER9lv5D6DzoO6Y35bdPFIqX 5YaOhAbGLUvWXcAwr/vxxRRg/z0Rjg23+HsCQTsuMGhNxYj6684KeEPqNE2L9Gb8QPDE 94ZQUslXK/8QMHneM+zzy5363OZnwx8Y7rx98630aL/Bjo2TYCwNnQ53IvZAreI94V/c 0pUaqB3SKr7/FA33YwPieuYvPinbRIwcEuPlkas8bjBEYeHAuRhzeJTg8u5zyhVmUtr+ e+Dgx6zLxSZtP/8jQy7BdjE7QX7TLjx9fxyfp2l+SswhlR1oRi1fnWcfp1HwVcc/xR7y R6tQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=nsvT6FEb5RCZYf1GSIRSEHIRP2Ytpyv4xGovITlFodc=; b=AaQwqqlHXtRXxAyK4B1wr1VgIiu7Oo5av8dtzEPGSE9CX6F8MSUhQd+IZbIN+oKjtt cHq6718jef6ie1CL6R5Lrcvozcb9OPjogj4dtnoS72wK4GKwPPRSnaWjnEA6TZeWN7fF awzEtk44/N0ZK+RwzHVDQFIuEcWVN7XpyP/R3YMrkHsc5MOsLRVZirI8J78pRJYIQIjT G8SLQCFsXUcgOWC2y1/k4a/bJ+56Zy6wnJbk4jG64EXsL+A6f6HqExbgBqv8U/38G/nP 0WbojViYoqd8lCD/Omd1QlnopNW6g0gXsYdjEmMn4ldPQBUh7qj/F8tZHvcjIdjAw7qt 1sJw== X-Gm-Message-State: ACrzQf3EgYnaXXlK2F0GQIFQy1T8SsMeeXhMDUlyufzE4hlVvSAVzF15 JSS5GIbKSJfWpGW4qW1Dj6tW/ZVcl+kWQdjgrfj1nw== X-Google-Smtp-Source: AMsMyM5ylsz87utf6hQfAdCYzb6mgWPx/DCMOD2u7MPG3uVS5nFugphhsfZERLFSS2V4tnR+Gj5QjSdjRDvyxjwEEnw= X-Received: by 2002:ab0:5a98:0:b0:3e6:5e47:3702 with SMTP id w24-20020ab05a98000000b003e65e473702mr1313586uae.104.1666094685646; Tue, 18 Oct 2022 05:04:45 -0700 (PDT) MIME-Version: 1.0 References: <22177032-fe72-c39b-63fe-fa4368a70852@bastelstu.be> In-Reply-To: <22177032-fe72-c39b-63fe-fa4368a70852@bastelstu.be> Date: Tue, 18 Oct 2022 14:04:34 +0200 Message-ID: To: =?UTF-8?Q?Tim_D=C3=BCsterhus?= Cc: PHP internals Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] [VOTE] Improve unserialize() error handling From: Danack@basereality.com (Dan Ackroyd) Hi Tim, On Fri, 14 Oct 2022 at 15:44, Tim D=C3=BCsterhus wrote: > > Hi > > as announced on Wednesday [1] I've now opened the vote for: > > "Improve unserialize() error handling" [2] I'm going to have to vote no for changing to throwing an exception. The BC break is too big imo, and too hard for people to be aware of. IMO There needs to be a clear path of deprecating the current behaviour that people are alerted to (rather than having to read upgrade notes), so that they know they need to change their code from: function getUserPreferences($data) { $user_preferences =3D @unserialize($data); if ($user_preferences =3D=3D=3D false) { $user_preferences =3D get_default_preferences(); } return $user_preferences; } to something like: function getUserPreferences($data) { try { return unserialize($data); } catch (UnserializationFailedException $ufe) { return get_default_preferences(); } } but I'm not having great ideas of how that could be done 'nicely'. Similar for the exception hierarchy change (example is below). Changing the type of exception thrown would break valid (if not super great) code in a way that would be hard to detect, and I'm not sure we have a good way of performing this type of change. IMO these isn't just a BC break that needs to wait for a major version release; it's something that needs to have a clear upgrade path no matter which version they are proposed for. btw I think there are underlying interlinked problems with PHP that causes proposed changes like these to be more difficult than anyone would want: 1. The PHP core library is 'ungood' in quite a few aspects, and many people would like to improve it, but some of those changes are hard to do in a BC way. 2. Because of the way PHP works, it's not possible for one library/module to use different versions of the same function. This is different from JavaScript where with their (ridiculously convoluted*) tools, each module is able to specify exactly which versions of which libraries it wants to use. 3. Although PECL was good for the time it was created in (where it was uncommon for individuals to have places to share files online) it really isn't a tool fit for purpose any more. It's not really fit for purpose any more, as even when there are (allegedly) great libraries like ds (https://www.php.net/manual/en/book.ds.php) relatively few people using PHP use them. I think trying to improve the situation, so that changes to individual functions avoid even requiring a discussion in internals in the first place, is a worthy goal. But it's one that would require many multiple years of effort, so is far too difficult to be done by individual people volunteering their time. Addressing problems that are far too large for individual contributors to fix, is possibly a discussion to be taken up by the PHP Foundation. If anyone who works for a for-profit company has read this far and their company isn't already sponsoring something like 1% of their engineers salaries to the foundation, then I encourage you to do so at https://opencollective.com/phpfoundation . For the "Increase the severity of emitted E_NOTICE to E_WARNING" part... I offer no opinion on the change. I personally think any project that doesn't convert any unsilenced warning to an exception is just asking for trouble. cheers Dan Ack * I wouldn't want to see a 'standard' library for PHP split across 80,000 repositories, but I think that the one (1) standard library that PHP has is too few. Which possibly gives somes bounds to the desirable number of libraries for a programming language. // Example for __unserialize exception class UserNotFoundException extends \Exception {} function check_user_exists($user_id) { // check user account hasn't been deleted, otherwise throw: throw new UserNotFoundException("exceptions for flow control are great.= \n"); } class User { private $id =3D 5; function __unserialize(array $data) { check_user_exists($data["\x00User\x00id"]); } } $user =3D new User(); $data =3D serialize($user); echo "$data \n"; try { $result =3D unserialize($data); } catch (UserNotFoundException $unfe) { // This exception would no longer be caught if the exception type was changed. echo "redirect user to login page\n"; exit(0); } echo "User is valid.\n";