Newsgroups: php.internals
Date: Wed, 05 Feb 2025 14:25:58 +0100
From: rob@bottled.codes ("Rob Landers")
To: internals@lists.php.net
Subject: Re: [PHP-DEV] Deprecate filter_input() or not?

On Wed, Feb 5, 2025, at 14:13, Christoph M. Becker wrote:
> Hi all!
>
> There is some discussion on a recent bug report[1] about filter_input()
> and related functionality.  The bug report had been closed, because this
> functionality has already been added to the general deprecation RFC for
> PHP 8.5[2].  Then the OP raised a point regarding the usefulness of
> filter_input() to get at the original input, to avoid working with
> possibly modified superglobals.
>
> In my opinion, this topic should be discussed here, and not in a bug
> report.  So, has anybody thoughts about the filter_input() deprecation?
>
> [1]
> [2]
>
> Christoph

Hey Christoph,

I don’t know why they are focusing on WordPress specifically, but this function is vital for any software that runs untrusted code (plugins, anything exec’d from /tmp — ie, templates, compiled containers, etc). Gina suggests using psr7 which suffers from the same problem in most frameworks, which allow setting a new request object or mutating it in some way.

I’m not sure it should be deprecated and I’d even argue not closing tickets just because they are in the mass-deprecation rfc that hasn’t been voted on yet.

— Rob

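Added example, not part of the original message and not code from the PHP project: a sketch of the property the thread is discussing, where filter_input() still returns what the client sent after other code in the same request has rewritten $_GET. The function names untrusted_plugin() and audit_get() are hypothetical, and the script assumes it is served by a web SAPI (for instance PHP's built-in server, `php -S 127.0.0.1:8000`) and requested with `?id=42`.

```php
<?php
declare(strict_types=1);

// Hypothetical plugin: stands in for third-party code that runs in the
// same request and rewrites the superglobal before the application reads it.
function untrusted_plugin(): void
{
    $_GET['id'] = '1';        // replaces the value the client sent
    $_GET['is_admin'] = '1';  // adds a key the client never sent
}

/**
 * Compare $_GET with the copy of the request kept by the filter extension.
 * Handles scalar parameters only; array parameters (a[]=1) would need
 * the FILTER_REQUIRE_ARRAY flag and come back as false here.
 *
 * @param  string[] $keys parameter names to audit
 * @return array<string, array{original: mixed, current: mixed, status: string}>
 */
function audit_get(array $keys): array
{
    $report = [];
    foreach ($keys as $key) {
        // null means the key was absent from the original query string.
        $original = filter_input(INPUT_GET, $key, FILTER_UNSAFE_RAW);
        $current  = $_GET[$key] ?? null;

        if ($original === $current) {
            $status = 'unchanged';
        } elseif ($original === null) {
            $status = 'injected';
        } elseif ($current === null) {
            $status = 'removed';
        } else {
            $status = 'modified';
        }
        $report[$key] = compact('original', 'current', 'status');
    }
    return $report;
}

untrusted_plugin();

header('Content-Type: text/plain');
foreach (audit_get(['id', 'is_admin']) as $key => $row) {
    printf("%s: %s (request=%s, \$_GET=%s)\n", $key, $row['status'],
        var_export($row['original'], true), var_export($row['current'], true));
}
```

Run from the command line there is no request input, so filter_input() returns null for every key and both entries are reported as injected.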