Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:127863
X-Original-To: internals@lists.php.net
Delivered-To: internals@lists.php.net
Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5])
	by lists.php.net (Postfix) with ESMTPS id 73E171A00D0
	for <internals@lists.php.net>; Thu,  3 Jul 2025 16:05:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail;
	t=1751558591; bh=N9Nw2VN2o/9zkilnL/8I/Ya8z2f/H0+mFOcxpOzA9hc=;
	h=Date:From:To:cc:Subject:In-Reply-To:References:From;
	b=bYLTHabUAN9zZ2kJcQ5s9UorqIxmnhHGQv1gSW+dhplV4Z3RtY2feFyNjj4QzMlOn
	 Q9I2Rjq3MkScLgpplAaNDdu3k9LLqI+WHsYr5Z7WYq/jemUVvXbOVugv5+KJfpGP2K
	 eIMFkOEZeSiEswe83CIRcTda2PB92HOqsF0nIXvpi+TPVaj+QZ/IXzMEbYDIJnt1Pc
	 JRHBB9JDAKCrVSsxAg3qQvSt8Em+AnBUXqegAddCbJL58Ur5dyP5CixgmTRXZWneH0
	 cJ6ljm45bfrMoPcYmxXob10zcXtXU9PKXD5sk9N7GeTUMn9hSUpCHegXam9j32YFJh
	 lgK8e+pFWECmQ==
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 6943D180083
	for <internals@lists.php.net>; Thu,  3 Jul 2025 16:03:10 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net
X-Spam-Level: ***
X-Spam-Status: No, score=3.6 required=5.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_PASS,
	SPF_SOFTFAIL autolearn=no autolearn_force=no version=4.0.1
X-Spam-Virus: Error (Cannot connect to unix socket
	'/var/run/clamav/clamd.ctl': connect: Connection refused)
X-Envelope-From: <derick@php.net>
Received: from xdebug.org (xdebug.org [82.113.146.227])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Thu,  3 Jul 2025 16:03:08 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail;
	t=1751558699; bh=N9Nw2VN2o/9zkilnL/8I/Ya8z2f/H0+mFOcxpOzA9hc=;
	h=Date:From:To:cc:Subject:In-Reply-To:References:From;
	b=kT4+TDMOmah9kojHWO5GS5KmQHMCpzE9cormGIipPmjVY+JNgg5xPeQuQoIAKItVp
	 cj3o9SQeuRfpHtpLr7art5vb3XAxPpCOZT5C4R0g1FVNEOuhcANuN+iJXMsxroIlte
	 dpdTrlrCahmEV0D1c3FkYHsUQK4DdLdu10ky+3BOR6hjXxLqY6+y64V/+6GQL44hx0
	 OkAqa6aozVNtENWhSuKDTyhxbPb58Pn7l70DWDvhI7WcNG5EEtYiKAPFoCdTymLQ22
	 BT9bFGtOcherjIwjmZ7jyK8V11KWECbXvMJ3zMq2mMkuqJNRv6vpstOCY9VkGk15eD
	 Ekxoae10HF8vA==
Received: from localhost (localhost [IPv6:::1])
	by xdebug.org (Postfix) with ESMTPS id 428A310C033;
	Thu, 03 Jul 2025 17:04:59 +0100 (BST)
Date: Thu, 3 Jul 2025 17:04:59 +0100 (BST)
To: "Gina P. Banyard" <internals@gpb.moe>
cc: PHP internals <internals@lists.php.net>
Subject: Re: [PHP-DEV] [RFC] Deprecations for PHP 8.5
In-Reply-To: <hzKdzBWWITU1ePjv3qcyK-OzroFAkWst9MQBw2zvKSA8pk1iqruLZZWTTh9gYDo2QX8EY_PiirVYDuwne2Upr3GlqZk570wtLOF49aaP-HQ=@gpb.moe>
Message-ID: <eb5b84a5-c665-279a-f9e4-8e162b5cb0b8@php.net>
References: <hzKdzBWWITU1ePjv3qcyK-OzroFAkWst9MQBw2zvKSA8pk1iqruLZZWTTh9gYDo2QX8EY_PiirVYDuwne2Upr3GlqZk570wtLOF49aaP-HQ=@gpb.moe>
Precedence: bulk
list-help: <mailto:internals+help@lists.php.net
list-unsubscribe: <mailto:internals+unsubscribe@lists.php.net>
list-post: <mailto:internals@lists.php.net>
List-Id: internals.lists.php.net
x-ms-reactions: disallow
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="8323329-1201033345-1751558699=:42779"
From: derick@php.net (Derick Rethans)

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

--8323329-1201033345-1751558699=:42779
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: QUOTED-PRINTABLE

On Wed, 2 Jul 2025, Gina P. Banyard wrote:

> Some should be non-controversial, others a bit more. If such, they=20
> might warrant their own dedicated RFC, or be dropped from the proposal=20
> altogether.

The changes to filter continue to undermine what the extension was meant=20
to do. The filter.default INI setting was deprecated in PHP=20
8.1, which was already a mistake.

The intention behind the filter extension was that admins can set a=20
default filter for *all* data coming in through this `filter.default`=20
setting as a "safe" fallback. That could/should probably even be a=20
filter that just makes all data "=E2=98=BA" for example, to indicate you're=
=20
working with unsanitised data. (I don't think there is such a filter=20
though).

This fallback could then be 'circumvented' by using the=20
filter_input/input_array() functions, so that each of them can employ=20
its own unique, and useful, filter on that specific element in the=20
GET/POST/etc arrays.

Saying that "The filter_input() and filter_input_array() functions=20
operate on the original values provided by the SAPI that populate the=20
superglobals for $_GET, $_POST, $_SERVER, $_ENV, and $_COOKIE. " is=20
basically documenting the *original intention of these functions*.

If there is anything odd with your example, is that you can modify the=20
values in GET/POST/etc superglobals to begin with.

"As it is easy and straight forward to have the same behaviour by using=20
filter_var($_GET['a'], /* other params */) and filter_var_array($_GET,=20
/* other params */), we propose to deprecate filter_input() and=20
filter_input_array()."

No. The whole point is that these functions read the raw data, the one=20
that wasn't filtered by the default filter (which has been inadvisably=20
deprecated).

I would therefore *undeprecate* filter.default, and allow these filter=20
functions are they currently are, because they implement the original=20
design idea behind this extension.

cheers,
Derick
--8323329-1201033345-1751558699=:42779--