Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:130294
X-Original-To: internals@lists.php.net
Delivered-To: internals@lists.php.net
Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5])
	by lists.php.net (Postfix) with ESMTPS id 966371A00BC
	for <internals@lists.php.net>; Wed, 11 Mar 2026 22:07:03 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail;
	t=1773266828; bh=ZthZK7D3+jnSLtkaZC5UJst5FAZrJYedphOw3giCgKo=;
	h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
	b=VJnzRxJqmuz0ZEEth1u87MfMKGnY39CY6esT1matufK5RSyGCjAQX7qXDYnUHAz1h
	 oXGFvl7T+ai3CVBapomeN1v2zSzuKb76/9uUkCGE9iJC1G9CAY15qYROscvHyHRqIf
	 KIvIUAx0bei26eGNqVv/apwSb/cI6a6Kbr/ycFFRd6YsdwcaUuhf8qiov3s/V6J+nA
	 dATOgGc/cOvWm/jk9wX/H9KU8fhf9GU9mLoyjAQ2iVjuVmltroKtilJeX/d5ZOHibJ
	 6SCwSYyR2v0wWizhsAJCoqSoWGlsz1xNUcMkDcAnA3ODh32qF/qGg7jeE7xJ8XZgKP
	 hriRs+SdxKejg==
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 3A52B180069
	for <internals@lists.php.net>; Wed, 11 Mar 2026 22:07:05 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=0.6 required=5.0 tests=ARC_SIGNED,ARC_VALID,BAYES_50,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_MISSING,
	HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=4.0.1
X-Spam-Virus: No
X-Envelope-From: <narf@devilix.net>
Received: from mail-vk1-f179.google.com (mail-vk1-f179.google.com [209.85.221.179])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 11 Mar 2026 22:06:59 +0000 (UTC)
Received: by mail-vk1-f179.google.com with SMTP id 71dfb90a1353d-56b0cc3d395so297519e0c.3
        for <internals@lists.php.net>; Wed, 11 Mar 2026 15:06:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1773266814; cv=none;
        d=google.com; s=arc-20240605;
        b=Ht71FZOyBHrFqtRyxPuLUpJw8ALTe7AQ/vwIL8zcyTntcUXroUmoFZPlbiMtYx1GSZ
         brbPPwYWL0bZzQMY/o9qecD9vx1eEnn/QCnnDgHLhP2uwZvIb5UZMCl+H1UVFzE5aBch
         5I+MG8oEha85Xt3FBrI9gizpMN/+cpdQy1PDgW1ixX+qLlm7SRnBzs1dcnT8FEoz52Ot
         M+7qS5xUMBp3T58d2Zmr02ext1lw38tglCyGHpsL8xys/oMcjRfeYxBYB1ukRTzVl5q5
         pPvK7FhsxKmgvbQRcjaT4fCK4gbClt1SLeX/U6Wbxd/rgirprxc0PSKA3IAir+nn8ORN
         OXhA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:dkim-signature;
        bh=ZthZK7D3+jnSLtkaZC5UJst5FAZrJYedphOw3giCgKo=;
        fh=MIkhAVhX1W8pfz3g2pO0XpcZB6/L6IB6VQV1FN72OzI=;
        b=Qwb1h5/3hTai7dkE216Anyhfb+BCBBBAHx0AxUEAX+dACAqxieJH9bTYZDK+CTGJqs
         XTPsY8JsXFtUCOp0zqd9peN/yPA0nOWrsLCfLpZgVA2VdTQh+La5dOH/nt2W4rlFMu0t
         LEqUZhthaOPD4BxLNwnZ+lwHJfUm9jp86XqFoYN0f9psK0Xx1hQThOqaHqote7HOVW5y
         lrDksRbYGP9KLJC/WaatO+MI6UrA6W6cR6Qr0iEDeFFDq4POU1yqku4VlLeGTY+lZATp
         p5D7D7Vs+7qfY38f8NqBLKIAoNUqyQ+NlLqEzWrsnz/5YDIp+fF7m/nrkaLlKDc8sdA8
         tMnQ==;
        darn=lists.php.net
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=devilix.net; s=google; t=1773266814; x=1773871614; darn=lists.php.net;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=ZthZK7D3+jnSLtkaZC5UJst5FAZrJYedphOw3giCgKo=;
        b=iOZCgStv73jR8gLJ4HUmh+GSVoPSUlPcEYpYCugRGLM/6l0bcOp9e+F9AW7KSnNcn3
         Uzer+rB0qTYmNU3TtMW0UGSnYB8PEbTcQtpdzjaLzt6XLx4qLXCra0TAqSkn/1QRcW12
         gtC7UQV82lqOACFGqLWyRy09eyetqhsMfAjn4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1773266814; x=1773871614;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=ZthZK7D3+jnSLtkaZC5UJst5FAZrJYedphOw3giCgKo=;
        b=D/Uz6EtX61UxhdWQ4LicF6payPUPfoV87fDihhIUcRw/WYH0RoAVTEwVXeYhxSZZaL
         DmL4jQLfm1XjwyQAABxpwgmTqoX74MwA1KJZ3ZI9njJFNc6nXtOsD/bXo2PXRmMfcA7C
         vFhWX2ODG90Uu4B0zjdwAhSQnt1NWNLvK6Gt7INU+DW2KpwmxmD6HGw7nP+LxxCAD/ri
         t7l3WTdGLuKzVrybSd0KDsoCQW+yhEefguQCZ3eNTieQvvSIbW+wQQrQ60GPj+KW1ySg
         eRZDSpNcy6eSQVk8escpckR6k5+9cbo3+UXPgQwLpTBj5sm20YqWNwOsNBp1aMu6TAnM
         pNnQ==
X-Forwarded-Encrypted: i=1; AJvYcCVpxsggRq+1RY/8C6EhPD3uQNRcacQJcPiFaDS9pTuUd+QAyJNacpIe+VcyS3L6WIJ3/PJEHrzuXzQ=@lists.php.net
X-Gm-Message-State: AOJu0YxIhwL1DBCOUbogREzi/NUGgy5/MMtfueHii4qjo1DyHoMDxO2N
	VsgqWP6mOoW/C35x+rfNScKoz49KMtO7TG5a9RycfDQWu9rACZdKYY0z5nlPjDFV7Ni5EjkntCJ
	N5u1nNsRsbyIDqQMgwj9MNuZt/YFtKo/GTgnR8Ror
X-Gm-Gg: ATEYQzyTwRfXnLLS3viimK/8XMmckbH60Uu8oggItc+LxKGY9h6JFHn27QPvBsdj4QD
	UJOLfKddktz6RUWw6uyowkarmNCmOFHQZeTSaMRtlKNOKGJKimSz9JIIhCC1tTPvXSyW0EX9dal
	bzkxwGj5AgQwEChzD5eY4so7MyzXZ6+eP1Zu8C7MqexZOGjKR25+yH9D2NQeyn9Nz0joAgAlc59
	A9l/MuLISn642XMoollKmRI+iCXr1rw6LDTdp7PgRN8fNHaj39AcgF7UQ19oOj2A81adp5jLGdz
	wri1oNLuXGF0t65Uc9lDEAwvcM06W9XWZIxNTsQ0ikrNYly7lMGyzNUIVu8Xn6Ku7pZD
X-Received: by 2002:a05:6122:3788:b0:566:4689:46eb with SMTP id
 71dfb90a1353d-56b472be35dmr1736490e0c.0.1773266814151; Wed, 11 Mar 2026
 15:06:54 -0700 (PDT)
Precedence: list
list-help: <mailto:internals+help@lists.php.net>
list-unsubscribe: <mailto:internals+unsubscribe@lists.php.net>
list-post: <mailto:internals@lists.php.net>
List-Id: <internals.lists.php.net>
x-ms-reactions: disallow
MIME-Version: 1.0
References: <939CFA28-A6FF-433F-85A0-B83345CEF4A6@cmpct.info> <6c498ed3-3cb0-47a5-a64e-4ad202eba141@bastelstu.be>
In-Reply-To: <6c498ed3-3cb0-47a5-a64e-4ad202eba141@bastelstu.be>
Date: Thu, 12 Mar 2026 00:06:43 +0200
X-Gm-Features: AaiRm53d-nV0dqBBTfB_UYQuoWEDvXQlET7xacxGPONeq9hA887tSM-aFYImSsE
Message-ID: <CAPhkiZwXXj5opb3ycUL-yK0mhgDjDcFwCu62OiczD1=F9jiXZA@mail.gmail.com>
Subject: Re: [PHP-DEV] [RFC] Display Function Arguments in Errors
To: =?UTF-8?Q?Tim_D=C3=BCsterhus?= <tim@bastelstu.be>
Cc: Calvin Buckley <calvin@cmpct.info>, PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="0000000000008cbb1b064cc6dac5"
From: narf@devilix.net (Andrey Andreev)

--0000000000008cbb1b064cc6dac5
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,

On Wed, Mar 11, 2026 at 8:38=E2=80=AFPM Tim D=C3=BCsterhus <tim@bastelstu.b=
e> wrote:

> I believe there is almost never =E2=80=9CNo Impact=E2=80=9D to the ecosys=
tem. In fact
> the RFC partly acknowledges it in the =E2=80=9CBackward Incompatible Chan=
ges=E2=80=9D
> section. Even if the corresponding sub-vote to default to 1 doesn't
> pass, code needs to be prepared for someone to set it to 1 themselves.
> This includes off-the-shelf software (such as WordPress, or Drupal, or
> whatever).
>
> I have the following two suggestions (that follow pretty naturally, but
> are nevertheless an impact that should be spelled out):
>
> a) Custom error handlers (set_error_handlers()) need to be prepared for
> the error message format to change. Even though we don't make any
> guarantees about error messages themselves, the existing format with
> =E2=80=9Cfunction name first=E2=80=9D is reasonably structured for automa=
ted parsing
> (e.g. using a regular expression). This also includes error tracking
> tools that try to group error messages by function or similar.
>
> b) System administrators have one more INI setting to deal with and need
> to make a decision. Previous versions of the RFC template had an
> explicit =E2=80=9CINI setting=E2=80=9D section, but given it's so rare we=
 add new INI
> settings these days, it has been removed from the template. For the few
> that still add one, properly discussing the consequences still is valuabl=
e.


These are all excellent points.

I want to add one more side-effect that feels discounted: PII and other
sensitive data leaking through logs. Partly what the INI setting is
supposed to address, but IMO it only does so on paper.
I have dealt with that issue many times, and developers tend to either not
take it seriously or propose naive patchwork solutions such as blacklisting
patterns in already produced logs. Plus, there's an inherent temptation to
temporarily enable such settings for debugging purposes, not realizing the
act itself represents a data leak and it is permanent. If this is a serious
problem without args values being present today, imagine the amplification
effect from this addition.

With that being said, I also know the pain of having to deal with
borderline useless error messages. The proposal isn't without merit, but
I'd look for alternative approaches that don't create security headaches.

Cheers,
Andrey.

--0000000000008cbb1b064cc6dac5
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi,</div><br><div class=3D"gmail_quote gmail_quote_co=
ntainer"><div dir=3D"ltr" class=3D"gmail_attr">On Wed, Mar 11, 2026 at 8:38=
=E2=80=AFPM Tim D=C3=BCsterhus &lt;<a href=3D"mailto:tim@bastelstu.be">tim@=
bastelstu.be</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" styl=
e=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);paddin=
g-left:1ex">
I believe there is almost never =E2=80=9CNo Impact=E2=80=9D to the ecosyste=
m. In fact <br>
the RFC partly acknowledges it in the =E2=80=9CBackward Incompatible Change=
s=E2=80=9D <br>
section. Even if the corresponding sub-vote to default to 1 doesn&#39;t <br=
>
pass, code needs to be prepared for someone to set it to 1 themselves. <br>
This includes off-the-shelf software (such as WordPress, or Drupal, or <br>
whatever).<br>
<br>
I have the following two suggestions (that follow pretty naturally, but <br=
>
are nevertheless an impact that should be spelled out):<br>
<br>
a) Custom error handlers (set_error_handlers()) need to be prepared for <br=
>
the error message format to change. Even though we don&#39;t make any <br>
guarantees about error messages themselves, the existing format with <br>
=E2=80=9Cfunction name first=E2=80=9D is reasonably structured for automate=
d parsing <br>
(e.g. using a regular expression). This also includes error tracking <br>
tools that try to group error messages by function or similar.<br>
<br>
b) System administrators have one more INI setting to deal with and need <b=
r>
to make a decision. Previous versions of the RFC template had an <br>
explicit =E2=80=9CINI setting=E2=80=9D section, but given it&#39;s so rare =
we add new INI <br>
settings these days, it has been removed from the template. For the few <br=
>
that still add one, properly discussing the consequences still is valuable.=
</blockquote><div><br></div><div>These are all excellent points.</div><div>=
<br></div><div>I want to add one more side-effect that feels discounted: PI=
I and other sensitive data leaking through logs. Partly what the INI settin=
g is supposed to address, but IMO it only does so on paper.</div><div>I hav=
e dealt with that issue many times, and developers tend to either not take =
it seriously or propose naive patchwork solutions such as blacklisting patt=
erns in already produced logs. Plus, there&#39;s an inherent temptation to =
temporarily enable such settings for debugging purposes, not realizing the =
act itself represents a data leak and it is permanent. If this is a serious=
 problem without args values being present today, imagine the amplification=
 effect from this addition.</div><div><br></div><div>With that being said, =
I also know the pain of having to deal with borderline useless error messag=
es. The proposal isn&#39;t without merit, but I&#39;d look for alternative =
approaches that don&#39;t create security headaches.</div><div><br></div><d=
iv>Cheers,</div><div>Andrey.</div></div></div>

--0000000000008cbb1b064cc6dac5--