Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:129605
Precedence: list
MIME-Version: 1.0
References: <CAH5C8xXUPKgd0wWwLC3G2Ye=kRZN58gK3DY82v5GoduBNNtb5A@mail.gmail.com>
 <007f01dc6799$bd08f3d0$371adb70$@glaive.pro>
In-Reply-To: <007f01dc6799$bd08f3d0$371adb70$@glaive.pro>
Date: Sat, 13 Dec 2025 22:28:33 +0100
Message-ID: <CAH5C8xVJBS-KhcvmRbWTRHjFhsbX2QpZRWRCip5x4YM2_EcErA@mail.gmail.com>
Subject: Re: [PHP-DEV] [RFC] [Discussion] Followup Improvements for ext/uri
To: Juris Evertovskis <juris@glaive.pro>
Cc: PHP Internals List <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="00000000000001f4ed0645dc10b3"
From: kocsismate90@gmail.com (=?UTF-8?B?TcOhdMOpIEtvY3Npcw==?=)

--00000000000001f4ed0645dc10b3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,


> 1. Query setters and types of their parameter. Quote from the builder
> example:
>
>
>
> ```
>
>     ->setQuery*(*"a=3D1&b=3D2"*])*
>
>     ->setQueryParams*([*"a" =3D> 1, "b" =3D> 2*])* *// Has the same effec=
t as
> the setQuery() call above*
>
> ```
>
>
>
> I=E2=80=99d expect the `setQueryParams` to set the particular params that=
 I
> specified instead of overriding all the query (which I=E2=80=99d expect `=
setQuery`
> to do).
>

I'm happy that you raised this concern because I wouldn't ever have thought
the behavior was unclear. My expectation with setters is that they
completely override the related property.
If they were intended to add/append the query params then something like
addQueryParams() should be used instead. And I think this question has just
highlighted why
it's a bad idea to remove the set prefix from the Builder methods: because
it would also remove some additional context about what the method exactly
does (which is
apparently not even entirely clear with the set prefix included, but
without the set prefix, one would have zero clue if it's an append or set
operation).


> Maybe it would be possible for `setQuery` to accept string, array and
> instances of `*QueryParams`? And `setQueryParams` could either be left ou=
t
> or override just the selected params? As far as I see, there is no
> equivalent `withQueryParams` so there=E2=80=99s no precedent on how such =
a method
> should work, right?
>

Good call, I've already updated the RFC so that setQueryParams() accepts a
UriQueryParams/UrlQueryParams instance. It was just an oversight on my part=
.
But I don't really like to use union types (mainly because the method
behavior needs extra explanation), that's why I chose to add two
distinct methods for the query handling.


> Btw I wasn=E2=80=99t able to find docs on the existing Uri classes (had t=
o look it
> up in the prev RFC). Is the search broken or are the docs just not there
> yet?
>

Yes, unfortunately, the docs are not there yet :( I usually prioritize my
work in favor of php-src, and since I apparently chose a massive
undertaking yet again, I have very limited time
for anything else. But I'll try to find time to add the missing stuff to
the documentation.


> 2. Regarding the interface extraction, is there any difference between th=
e
> internal states of `Uri\WhatWg\UrlQueryParams` and
>  `Uri\Rfc3986\UriQueryParams` objects? I would naively expect not only a
> common interface, but a common class. A `QueryParams` that could be
> supplied to any of the withers/setters and that would be able to
> `->toRfc3986QueryString()` or `->toWhatWgQueryString()` on use not on
> instantiation.
>

I have already been thinking a lot about this question for a while, and I
agree that the two QueryParams implementations are very similar: the only
difference between them is how
they parse the query string into query params and how they recompose the
query params to a query string. So I would be happy to be able to unify the
two implementations, that would be a huge
simplification. However, there are two reasons why I'm very hesitant to do
so:
- We should be absolutely sure that an unified implementation cannot cause
parsing confusion vulnerability. E.g. when the query params are parsed
according to one specification, and then
they are recomposed according to the other one. For example, one difference
(this is also mentioned in the RFC) is that WHATWG URL removes the leading
"?" character during parsing,
while RFC 3986 leaves it as-is. These differences must be considered very
carefully.
- If we have two dedicated classes, then they can evolve separately with
specification-specific behavior. If it turns out that we want to add
support for some specification-specific feature, then
a specification-specific class is better suited for the purpose. I can't
really come up with many examples, but maybe additional percent-encoding
capabilities could be needed (e.g. getFirstPercentEncoded()).


> Similarly with the builders I fail to see why do I need to decide on
> `Uri\Rfc3986\UriBuilder` and `Uri\WhatWg\UrlBuilder` at the start instead
> of having `Uri\Builder` that could be consumed via `->buildRfc3986Url()` =
or
> `->buildWhatWgUri(). Is that UserInfo thing the whole dealbreaker? To me
> all the other parts like specifying host, port and so on seem spec-agnost=
ic
> until serialization.
>

Yes, the userinfo is just one of the deal breakers. Not too long ago, I
modified the RFC text, and added more info about how validation exactly
works. According to my plans,
the individual setters would also make some basic validation (formatting of
the component), while the build() methods would make sure that some global
rules are also satisfied
(there's a bit more info in the RFC about this). And this is only possible
to implement if there are two different builders.

M=C3=A1t=C3=A9

--00000000000001f4ed0645dc10b3
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">Hi,</div><div class=3D"gmail_quote gmail_=
quote_container"><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=
=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding=
-left:1ex"><div class=3D"msg-2458778861733807521"><div lang=3D"LV" style=3D=
"overflow-wrap: break-word;"><div class=3D"m_-2458778861733807521WordSectio=
n1"><p class=3D"MsoNormal"><span style=3D"font-size:11pt">1. Query setters =
and types of their parameter. Quote from the builder example:<u></u><u></u>=
</span></p><p class=3D"MsoNormal"><span style=3D"font-size:11pt"><u></u>=C2=
=A0<u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11pt">=
```<u></u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size=
:11pt">=C2=A0=C2=A0=C2=A0 -&gt;setQuery<b>(</b>&quot;a=3D1&amp;b=3D2&quot;<=
b>])</b><u></u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font=
-size:11pt">=C2=A0=C2=A0=C2=A0 -&gt;setQueryParams<b>([</b>&quot;a&quot; =
=3D&gt; 1, &quot;b&quot; =3D&gt; 2<b>])</b> <i>// Has the same effect as th=
e setQuery() call above</i><u></u><u></u></span></p><p class=3D"MsoNormal">=
<span style=3D"font-size:11pt">```<u></u><u></u></span></p><p class=3D"MsoN=
ormal"><span style=3D"font-size:11pt"><u></u>=C2=A0<u></u></span></p><p cla=
ss=3D"MsoNormal"><span style=3D"font-size:11pt">I=E2=80=99d expect the `set=
QueryParams` to set the particular params that I specified instead of overr=
iding all the query (which I=E2=80=99d expect `setQuery` to do).</span></p>=
</div></div></div></blockquote><div><br></div><div>I&#39;m happy that you r=
aised this concern because I wouldn&#39;t ever have thought the behavior wa=
s unclear. My expectation with setters is that they completely override the=
 related property.</div><div>If they were intended to add/append the query =
params then something like addQueryParams() should be used instead. And I t=
hink this question has just highlighted why</div><div>it&#39;s a bad idea t=
o remove the set prefix from the Builder methods: because it would also rem=
ove some additional context about what the=C2=A0method exactly does (which =
is</div><div>apparently not even entirely clear with the set prefix include=
d, but without the set prefix, one would have zero clue if it&#39;s an appe=
nd or set operation).</div><div>=C2=A0</div><blockquote class=3D"gmail_quot=
e" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204)=
;padding-left:1ex"><div class=3D"msg-2458778861733807521"><div lang=3D"LV" =
style=3D"overflow-wrap: break-word;"><div class=3D"m_-2458778861733807521Wo=
rdSection1"><p class=3D"MsoNormal"></p><p class=3D"MsoNormal"><span style=
=3D"font-size:11pt">Maybe it would be possible for `setQuery` to accept str=
ing, array and instances of `*QueryParams`? And `setQueryParams` could eith=
er be left out or override just the selected params? As far as I see, there=
 is no equivalent `withQueryParams` so there=E2=80=99s no precedent on how =
such a method should work, right?</span></p></div></div></div></blockquote>=
<div><br></div><div>Good call, I&#39;ve already updated the RFC so that=C2=
=A0setQueryParams() accepts a UriQueryParams/UrlQueryParams instance. It wa=
s just an oversight on my part.</div><div>But I don&#39;t really like to us=
e union types (mainly because the method behavior needs extra explanation),=
 that&#39;s why I chose to add two distinct=C2=A0methods for the=C2=A0query=
 handling.</div><div><span style=3D"font-size:11pt">=C2=A0</span></div><blo=
ckquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left=
:1px solid rgb(204,204,204);padding-left:1ex"><div class=3D"msg-24587788617=
33807521"><div lang=3D"LV" style=3D"overflow-wrap: break-word;"><div class=
=3D"m_-2458778861733807521WordSection1"><p class=3D"MsoNormal"><span style=
=3D"font-size:11pt">Btw I wasn=E2=80=99t able to find docs on the existing =
Uri classes (had to look it up in the prev RFC). Is the search broken or ar=
e the docs just not there yet?</span></p></div></div></div></blockquote><di=
v><br></div><div>Yes, unfortunately, the docs are not there yet :( I usuall=
y prioritize my work in favor of php-src, and since I apparently chose a ma=
ssive undertaking yet again, I have very limited time</div><div>for anythin=
g else. But I&#39;ll try to find time to add the missing stuff to the docum=
entation.</div><div>=C2=A0<span style=3D"font-size:11pt">=C2=A0</span></div=
><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border=
-left:1px solid rgb(204,204,204);padding-left:1ex"><div class=3D"msg-245877=
8861733807521"><div lang=3D"LV" style=3D"overflow-wrap: break-word;"><div c=
lass=3D"m_-2458778861733807521WordSection1"><p class=3D"MsoNormal"><span st=
yle=3D"font-size:11pt">2. Regarding the interface extraction, is there any =
difference between the internal states of `Uri\WhatWg\UrlQueryParams` and =
=C2=A0`Uri\Rfc3986\UriQueryParams` objects? I would naively expect not only=
 a common interface, but a common class. A `QueryParams` that could be supp=
lied to any of the withers/setters and that would be able to `-&gt;toRfc398=
6QueryString()` or `-&gt;toWhatWgQueryString()` on use not on instantiation=
.</span></p></div></div></div></blockquote><div><br></div><div>I have alrea=
dy been thinking a lot about this question for a while, and I agree that th=
e two QueryParams implementations are very similar: the only difference bet=
ween them is how</div><div>they parse the query string into query params an=
d how they recompose the query params to a query string. So I would be happ=
y to be able to unify the two implementations, that would be a huge</div><d=
iv>simplification. However, there are two reasons why I&#39;m very hesitant=
 to do so:</div><div>- We should be absolutely sure that an unified impleme=
ntation cannot cause parsing confusion vulnerability. E.g. when the query p=
arams are parsed according to one specification, and then</div><div>they ar=
e recomposed according to the other one. For example, one difference (this =
is also mentioned in the RFC) is that WHATWG URL removes the leading &quot;=
?&quot; character during parsing,</div><div>while RFC 3986 leaves it as-is.=
 These differences must be considered very carefully.</div><div>- If we hav=
e two dedicated classes, then they can evolve separately with specification=
-specific behavior. If it turns out that we want to add support for some sp=
ecification-specific feature, then</div><div>a specification-specific class=
 is better suited for the purpose. I can&#39;t really come up with many exa=
mples, but maybe additional percent-encoding capabilities could be needed (=
e.g. getFirstPercentEncoded()).</div><div>=C2=A0</div><blockquote class=3D"=
gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(20=
4,204,204);padding-left:1ex"><div class=3D"msg-2458778861733807521"><div la=
ng=3D"LV" style=3D"overflow-wrap: break-word;"><div class=3D"m_-24587788617=
33807521WordSection1"><p class=3D"MsoNormal"><span style=3D"font-size:11pt"=
>Similarly with the builders I fail to see why do I need to decide on `Uri\=
Rfc3986\UriBuilder` and `Uri\WhatWg\UrlBuilder` at the start instead of hav=
ing `Uri\Builder` that could be consumed via `-&gt;buildRfc3986Url()` or `-=
&gt;buildWhatWgUri(). Is that UserInfo thing the whole dealbreaker? To me a=
ll the other parts like specifying host, port and so on seem spec-agnostic =
until serialization.</span></p></div></div></div></blockquote><div><br></di=
v><div>Yes, the userinfo is just one of the deal breakers. Not too long ago=
, I modified the RFC text, and added more info about how validation exactly=
 works. According to my plans,</div><div>the individual setters would also =
make some basic validation (formatting of the component), while the build()=
 methods would make sure that some global rules are also satisfied</div><di=
v>(there&#39;s a bit more info in the RFC about this). And this is only pos=
sible to implement if there are two different builders.</div><div><br></div=
><div>M=C3=A1t=C3=A9</div></div></div>

--00000000000001f4ed0645dc10b3--