Newsgroups: php.internals
From: andrew@nicols.co.uk (Andrew Lyons)
Date: Fri, 11 Apr 2025 09:10:11 +0800
Subject: Re: [PHP-DEV] [RFC] [Discussion] Change default for zend.exception_ignore_args INI setting
To: Tim Düsterhus
Cc: internals@lists.php.net

On Thu, 10 Apr 2025 at 23:20, Tim Düsterhus wrote:
> As I had said on GitHub before, but to put it onto the list for
> visibility:
>
> I'd rather see the value in `php.ini-production` being changed to `Off`
> to match the built-in default. see
> https://github.com/php/php-src/pull/18215#issuecomment-2768618516

Thanks Tim,

Can you please explain why you think the default should be to always show arguments? I asked this question in the Pull Request too and didn't really get a clear answer.

I did try to address your concerns in the RFC itself. To summarise:

* you referenced a stackoverflow chat asking about the difference, and noting that the defaults for production and development should probably be standardised as much as possible;
* you noted that the correct solution would be to set `display_errors` to Off; and
* you also noted that the framework's error handler should be properly configured.

In response to these I have extended the RFC to cover making the development INI file the same as the production INI and default value by setting all of these to the 'On' value.

Regarding setting `display_errors` to Off, I do agree, but I feel that this is a separate RFC. I've highlighted this as future scope in the RFC and I've also noted that there is often still value in displaying errors without the arguments.

That is to say that I feel that display_errors should default to Off, and exception_ignore_args should default to On. Having defaults which do not reveal arguments unless explicitly configured to do so is a much safer option than just showing everything.

I do agree that the framework's error handler should be properly configured, but mistakes happen and it is better to fail in as safe a way as possible.

The reality is that a framework that is configuring the error handling properly is also capable of calling `ini_set('zend.exception_ignore_args', 0);` during its own initialisation and being explicit about wanting to have that information. Developers are also able to configure their PHP environment with developer appropriate configuration.

Ultimately mistakes can, and do, happen. PHP should be configured with safe defaults as standard.
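
The following is an added example, not part of the original message or the RFC: it shows what an exception's backtrace records under each value of `zend.exception_ignore_args`, toggled at runtime with the `ini_set()` call mentioned above. The function `connectToDatabase()`, the helper `traceFor()` and the credential value are constructed for illustration.

```php
<?php
// Added illustration. connectToDatabase(), traceFor() and the credential
// below are constructed; they do not come from the RFC or from php-src.

const CONSTRUCTED_SECRET = 'constructed-secret';

function connectToDatabase(string $user, string $password): void
{
    // Stands in for any call that fails while holding a secret argument.
    throw new RuntimeException('Connection refused');
}

// Throw with the given setting in effect and return the captured exception.
// The backtrace is collected when the exception object is created, so the
// value must be set before the failing call, not in the handler.
function traceFor(string $ignoreArgs): Throwable
{
    $previous = ini_set('zend.exception_ignore_args', $ignoreArgs);
    try {
        connectToDatabase('app', CONSTRUCTED_SECRET);
    } catch (RuntimeException $e) {
        return $e;
    } finally {
        if ($previous !== false) {
            ini_set('zend.exception_ignore_args', $previous);
        }
    }
    throw new LogicException('connectToDatabase() did not throw');
}

foreach (['1', '0'] as $setting) {
    $e = traceFor($setting);
    $frame = $e->getTrace()[0];            // the connectToDatabase() frame
    $hasArgs = array_key_exists('args', $frame);
    $leaked = in_array(CONSTRUCTED_SECRET, $frame['args'] ?? [], true);

    printf(
        "zend.exception_ignore_args=%s: args recorded: %s, secret in trace: %s\n",
        $setting,
        $hasArgs ? 'yes' : 'no',
        $leaked ? 'yes' : 'no'
    );
    // This string is what an uncaught-exception report or a log line built
    // from the exception would contain for the frame.
    echo '  ', explode("\n", $e->getTraceAsString())[0], "\n";
}
```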