Newsgroups: php.internals
Date: Thu, 2 Oct 2025 01:12:19 +0300
Subject: Re: [PHP-DEV] [DISCUSSION] Validating regex pattern
From: narf@devilix.net (Andrey Andreev)
To: Alexandre Daubois
Cc: Christian Schneider, PHP internals list

On Wed, Oct 1, 2025, 15:22 Alexandre Daubois wrote:

> > It boils down to: If you are not confident that you construct the
> > pattern in a safe way then what would you do if a validation function
> > returns false? You can notify the developer but that is already
> > accomplished with the preg_* warning when an invalid pattern is given.
> > Creating an error page for the user on a warning is also already possible.
> > That's why I'm on the fence whether a validation function does more good or
> > harm.
>
> I don't understand how it could be harmful. Early validation is useful
> when it comes to avoiding unnecessary operations if we can already be
> sure that it will fail later for obvious reasons. For me, it falls
> into the same category as email or URL validation in filter_var.
> That's also why I think it would be more appropriate as a flag for
> this function rather than a dedicated function.

Emails and URLs are commonly expected end user inputs. Regular expressions
are not, and that is almost always a bad idea.
A bad idea which would be encouraged by making it easy to implement.

I am generally in favor of adding niche functionality, but this one does
worry me.

Cheers,
Andrey.

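The quoted text above notes that the preg_* warning already reports an invalid pattern. As an added illustration (not code from this thread or from php-src), the sketch below captures that warning and returns it as a validation result; `check_pattern()` and the sample patterns are hypothetical names and constructed inputs.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: compile-check a PCRE pattern by running it
 * against an empty subject and capturing the warning preg_match() emits.
 * Returns null when the pattern compiles, otherwise the warning text.
 */
function check_pattern(string $pattern): ?string
{
    $warning = null;
    // Collect E_WARNING locally instead of letting it reach the page or log.
    set_error_handler(
        function (int $errno, string $errstr) use (&$warning): bool {
            $warning = $errstr;
            return true; // handled: do not fall through to the default handler
        },
        E_WARNING
    );
    try {
        $result = preg_match($pattern, '');
    } finally {
        restore_error_handler();
    }
    if ($result === false) {
        // Fall back to the PCRE error message if no warning was captured.
        return $warning ?? preg_last_error_msg();
    }
    return null;
}

// Constructed sample patterns, for illustration only.
$samples = [
    '/^[a-z]+$/',   // compiles
    '/^[a-z+$/',    // unterminated character class
    'abc',          // no delimiters
    '/(foo/',       // unbalanced parenthesis
];

foreach ($samples as $pattern) {
    $error = check_pattern($pattern);
    printf("%-12s %s\n", $pattern, $error === null ? 'ok' : "invalid: $error");
}
```

A null result only means the pattern compiles; it says nothing about how expensive the pattern is to match against real input.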