Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:121854 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 95429 invoked from network); 29 Nov 2023 08:56:28 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 29 Nov 2023 08:56:28 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 0039E18003E for ; Wed, 29 Nov 2023 00:56:35 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,FREEMAIL_FROM, HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from mail-ej1-f46.google.com (mail-ej1-f46.google.com [209.85.218.46]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Wed, 29 Nov 2023 00:56:34 -0800 (PST) Received: by mail-ej1-f46.google.com with SMTP id a640c23a62f3a-a02d91ab199so880017166b.0 for ; Wed, 29 Nov 2023 00:56:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701248185; x=1701852985; darn=lists.php.net; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=hjfebnDMTQDam0+FC8NcrU+8cp3o25688SXE8rbL/Ew=; b=Rl3k7QZtgS5FSUY0RDgiUZGjHJRqiJ+CeteKD6kncde7TmE0nCMIFgqKufG5b2C7kX RDAfb8/2A/lqCgu50RhdZqNdIG89XASQHZgu1X5QgPDqppmzzUCRJ4GDNs1v8Z/UnRfg /b5Bau/S4D8usVaUKoz4u/UvcAjCw9HEZDBijv9MJxATWMlIZVKI9bd8zUUmloXKPuq2 peAwm1Hsgl+cEIDsiFhL4vQh2FAHPcyrR0kScn0H2xISoiVj7H9SvICVIrzzp4Ifr4LB A7im+sfqntZIoQZaf0YJSiNXanK4xMDvv7pi/bUHv4iGaqIKm7rJHkeXEbl9tH0U/qvV FfAA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701248185; x=1701852985; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=hjfebnDMTQDam0+FC8NcrU+8cp3o25688SXE8rbL/Ew=; b=tdpjlpFZ4xh4IB7YDUP4zMQ1g1KTgBKeCXWFpPYdk1yu99ObDK8ZdK7gT7QG4Cq2Dk 0RX3QKWiChW0t0zlS9FqnaIq3dV5kgLvJnutEMvqVDdbXre0WO//VjhbUSQiOUAiC5Yf AiaJUp7C0ZkUH5DGBv2hoVUc4gR2K2J+koHprpvFrhUDeQrtP4ckezESap7ZQnRAe5B6 Wt0VLYmeXqWTDj4fgm46zqpRgb47QUfmishBZQTQME8zEa38ajowKqax6+L3pF/YMrQK IsJT0sr6wLhZ1gFv2fNuEGwFcwDyBK6nVm4i5IAMfcyGnOGetEUGwUMtwiY4MXBO6wJw crxg== X-Gm-Message-State: AOJu0YxkJpL6u637XCGz8L4bN+cyADYZqLtgAzP6fW/P82ur8urvAun7 ppTuuGeBcaIVLYGEswzQ9hUcyLnlFTs1KOdYL+gMnqMbTno= X-Google-Smtp-Source: AGHT+IHpzPe0z24VF166UN46pbWSqQP7uro9Fy5Q55Xi/7pPPNSNl8aarI22bPtYa524F92L6lssy5JNXP/b5JVFM0I= X-Received: by 2002:a17:907:2993:b0:a00:185a:a150 with SMTP id eu19-20020a170907299300b00a00185aa150mr9467712ejc.38.1701248184654; Wed, 29 Nov 2023 00:56:24 -0800 (PST) MIME-Version: 1.0 References: <6566989F.7010305@adviesenzo.nl> <34dada8e-7f2a-4d94-b7df-d9d3c7b2f3ce@app.fastmail.com> In-Reply-To: Date: Wed, 29 Nov 2023 09:55:59 +0100 Message-ID: To: Robert Landers Cc: Stephen Reay , php internals Content-Type: multipart/alternative; boundary="000000000000b89fbe060b46b5e4" Subject: Re: [PHP-DEV] What is the prevailing sentiment about extract() and compact() ? From: kjarli@gmail.com (Lynn) --000000000000b89fbe060b46b5e4 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, Nov 29, 2023 at 9:20=E2=80=AFAM Robert Landers wrote: > On Wed, Nov 29, 2023 at 8:19=E2=80=AFAM Stephen Reay > wrote: > > > > > > > > > On 29 Nov 2023, at 09:58, Larry Garfield > wrote: > > > > > > On Tue, Nov 28, 2023, at 7:49 PM, Juliette Reinders Folmer wrote: > > >> L.S., > > >> > > >> What with all the drives towards cleaner code, how do people feel > > >> nowadays about `extract()` and `compact()` still being supported ? > > >> > > >> Both have alternatives. The alternatives may be a little more > cumbersome > > >> to type, but also make the code more descriptive, lessens the risk o= f > > >> variable name collisions (though this can be handled via the $flags = in > > >> extract), prevents surprises when a non-associative key would be > > >> included in an array and lessens security risks when used on > untrusted data > > > > > > *snip* > > > > > >> I can imagine these could be candidates for deprecation ? Or limited > > >> deprecation - only when used in the global namespace ? > > >> > > >> For now, I'm just wondering how people feel about these functions. > > >> > > >> Smile, > > >> Juliette > > > > > > extract() has very limited use in some kinds of template engine, whic= h > use PHP require() as a template mechanism. I don't think compact() has a= ny > uses. > > > > > > I very recently was just reminded that these even exist, as i had to > tell one of my developers to not use them. I think it was compact() he w= as > trying to use. I vetoed it. > > > > > > I would not mind if they were removed, but I don't know how large the > BC impact would be. They'd probably need a long deprecation period, just > to be safe. > > > > > > --Larry Garfield > > > > > > -- > > > PHP Internals - PHP Runtime Development Mailing List > > > To unsubscribe, visit: https://www.php.net/unsub.php > > > > > > > Hi, > > > > While I think I understand the goal behind this, I think you're missing > some factors here. > > > > Regarding use-cases for compact: the most common one I can think of fro= m > my work, is for passing multiple local variables as context to a logging > function, but I'd be surprised if its not also used to build faux hash > structures too. > > > > If your goal is to achieve an associative array (i.e a poor mans hash) > of known variable names, using compact in php8+ has *less* risk of > uncaught/unexpected errors than building it manually. Passing an undefine= d > name (i.e. due a typo, or it just not being defined) produces a warning > regardless of whether you build the array manually or pass the name(s) to > compact(). Providing an array key name that doesn't match the variable na= me > (e.g. due to a typo, or a variable being renamed) will produce no error > when building the array manually, but will produce a warning with compact= (). > > > > IDEs (e.g. PHPStorm/IDEA+PHP plugin) can already understand that the > names passed to compact are a variable name, and make changes when a > variable is renamed via the IDE. They simply cannot do the same for plain > array keys. > > > > Due to how variable scope works, the only way to re-implement compact() > with the same key-typo-catching behaviour as a function in userland would > be something that requires the user to pass the result of > get_defined_vars() to every call. > > > > So no, I don't think compact() should be deprecated, what I think > *should* happen, is to promote the current warning on undefined variables= , > to an error, as per > https://wiki.php.net/rfc/undefined_variable_error_promotion. Whether this > is a foregone conclusion or not, I don't know because that RFC doesn't > mention compact() specifically. > > > > > > extract(), as Larry points out has historically been used by 'pure php' > style template systems, in a manner that's generally "safe". Personally I= 'm > less inclined to use this behaviour now (i.e. I'd prefer to access named = & > typed properties from a template than arbitrary local variable names) but= I > don't think that's enough of a case to remove it, because just like with > compact, by nature of how variable scope works, it's very > difficult/impossible to re-implement this in userland, in a way that's > reusable and doesn't involve using worse constructs (e.g. eval'ing the > result of a function) > > > > I think there's possibly an argument to be made for improvements, such > as changing the default mode of extract to something besides > EXTR_OVERWRITE, or to have checks in place preventing the overwrite of > superglobals. > > > > > > Cheers > > > > > > Stephen > > FWIW, I use compact all the time, usually like this: > > try { > // do stuff > } catch(Throwable $exception) { > $this->logger->error("failed to do stuff", compact('exception')); > throw $exception; > } > > But thanks for the reminder to finish the nameof RFC, I was waiting > until after 8.3 to avoid the "trying to rush it to get into 8.3" > shenanigans that happened to another RFC around the same time. If > nameof passes, then it could make this more obvious when refactoring: > > try { > // do stuff > } catch(Throwable $exception) { > $this->logger->error("failed to do stuff", compact(nameof($exception)))= ; > } > > Robert Landers > Software Engineer > Utrecht NL > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: https://www.php.net/unsub.php > > My main concern with compact and extract is the counterintuitive usage of variable names, which is also why I've personally broken production after changing a variable name. If there is another way of using compact in a way where it's used without string and with dollar sign, I won't have a problem with it. I still find `compact(nameof($exception))` a little confusing personally though. I have the feeling that the wish is to have a nice syntactic sugar for compact, not sure about extract though. Extract for me is somewhat of a security concern as it will make it easy to implicitly overwrite variables from a local scope if the array being used is filled elsewhere. Someone adding an array key in another layer of code in an application can cause different behavior on a totally unrelated place when there's a variable collision, and there's no way to detect this when adding (or removing) a key from the array. I'm all for getting rid of extract. For compact I'd like to explore alternative solutions before outright deprecating. I'm still in favor of seeing it gone in its current form though. --000000000000b89fbe060b46b5e4--