Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:127932 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id 569E31ADBF0 for ; Mon, 7 Jul 2025 15:31:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1751902201; bh=AOwcBVZSMTDiC5Z1lFvveG9B9tqISELSc7qm3mDrQCM=; h=Date:To:From:Cc:Subject:In-Reply-To:References:From; b=U9emyO4QCODcBrgOb/b2zXjdDQAAc+rnysCNwsPEW/YGyL23kHa9J7BrzK6ubZ8Aa 9mBzbjKwPtDMjf6ZmeqnbydKg54ZQnyrROYdwPKc8pRAIdnLwrt03gzHK5soo9OWxi I49TMUDohHJnYYdtY3n3kpP6ABYGTg1ZSZnRmbzPpgaTkFm3ZgM0JdqX6GcRUlFMDn NoxvmfOxablS0RsjzQWQ3axJa8FwDkx82TqykJim+exSbVx4WgSOePWtqdzsufBeJY r1aQlzRHkqErdqG17MmtXNig1xfb6nHQ9Ux1/b+oP4nVtIxoFMJQ2D/byLC+xg8z9W JJD0YhGZRTg+A== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 77C9618060F for ; Mon, 7 Jul 2025 15:29:58 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_40,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: Error (Cannot connect to unix socket '/var/run/clamav/clamd.ctl': connect: Connection refused) X-Envelope-From: Received: from mail-24420.protonmail.ch (mail-24420.protonmail.ch [109.224.244.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 7 Jul 2025 15:29:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gpb.moe; s=protonmail; t=1751902305; x=1752161505; bh=AOwcBVZSMTDiC5Z1lFvveG9B9tqISELSc7qm3mDrQCM=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=K0l8nWHMKLvp8kc6Xb3PxNmk/gdosAsbTb2Vj8Q0z4gLDkYMJ325ktUTibWo6RR0d SNoktBe8IEb8Ukx13pXfezMpQEaw0P3Es0p85Xh9za9ONyzMjPmNnPYiHMmruq8RpN HWeqccra8xvXebyWwIQqoTAsdPhwSQApUTjouPgyPHHs4RgXUR9+eTpv41i0SyWX1Y xrGlAAT0GQMu7uEmoNO0fCGHeQWuy9IliXYotYJpQAqMVFwdFfuaGME5JKOcAKP5z9 0FFIrKwQ/NStIFoxwqoJW8nuoNvi/nwG6ha5gxHQxn1SgVawhFBX5eYTtT32W2/IYO S00wc6hmNhOSA== Date: Mon, 07 Jul 2025 15:31:42 +0000 To: Derick Rethans Cc: PHP internals Subject: Re: [PHP-DEV] [RFC] Deprecations for PHP 8.5 Message-ID: In-Reply-To: References: Feedback-ID: 96993444:user:proton X-Pm-Message-ID: f04047aac77d375d4fe768b5453066c3e04300e8 Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net x-ms-reactions: disallow MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable From: internals@gpb.moe ("Gina P. Banyard") On Thursday, 3 July 2025 at 17:05, Derick Rethans wrote: > On Wed, 2 Jul 2025, Gina P. Banyard wrote: >=20 > > Some should be non-controversial, others a bit more. If such, they > > might warrant their own dedicated RFC, or be dropped from the proposal > > altogether. >=20 >=20 > The changes to filter continue to undermine what the extension was meant > to do. The filter.default INI setting was deprecated in PHP > 8.1, which was already a mistake. The reason that INI setting was deprecated was because it was effectively r= esurrecting magic quotes, and even weirder combinations. So no, it was deprecated for a good reason, but if you care so much about t= his, feel free to raise an RFC to undeprecate it. > The intention behind the filter extension was that admins can set a > default filter for all data coming in through this `filter.default` > setting as a "safe" fallback. That could/should probably even be a > filter that just makes all data "=E2=98=BA" for example, to indicate you'= re > working with unsanitised data. (I don't think there is such a filter > though). >=20 > This fallback could then be 'circumvented' by using the > filter_input/input_array() functions, so that each of them can employ > its own unique, and useful, filter on that specific element in the > GET/POST/etc arrays. >=20 > Saying that "The filter_input() and filter_input_array() functions > operate on the original values provided by the SAPI that populate the > superglobals for $_GET, $_POST, $_SERVER, $_ENV, and $_COOKIE. " is > basically documenting the original intention of these functions. In such case, we should provide sapi_X() functions that allow to query the = raw values even without the filter extension. Regardless, I have removed the functions from the RFC as multiple people fi= nd use in them. > If there is anything odd with your example, is that you can modify the > values in GET/POST/etc superglobals to begin with. This is core PHP behaviour, if you want to propose making those values read= only, I would be in favour. > "As it is easy and straight forward to have the same behaviour by using > filter_var($_GET['a'], /* other params /) and filter_var_array($_GET, > / other params */), we propose to deprecate filter_input() and > filter_input_array()." >=20 > No. The whole point is that these functions read the raw data, the one > that wasn't filtered by the default filter (which has been inadvisably > deprecated). >=20 > I would therefore undeprecate filter.default, and allow these filter > functions are they currently are, because they implement the original > design idea behind this extension. >=20 > cheers, > Derick Again I disagree that the INI setting should be undeprecated as stated abov= e. Moreover, I would love to know what the original design idea of this extens= ion is and why was this never documented. Because the documentation was in a horrendous state before I tried improvin= g it last winter, and the extension is also in a state filled with bugs and= XFAILed tests. Best regards, Gina P. Banyard