Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:34471
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: error (pb1.pair.com: domain sambarrow.com from 205.234.132.11 cause and error)
To: Stefan Esser <stefan.esser@sektioneins.de>
Cc: Stanislav Malyshev <stas@zend.com>, internals Mailing List <internals@lists.php.net>
In-Reply-To: <477E853E.5000308@sektioneins.de>
References: <477DB7BF.10201@chiaraquartet.net>
	 <20080104105558.GC7861@mint.phcomp.co.uk>
	 <477E5649.2080104@chiaraquartet.net> <477E619C.2050107@sektioneins.de>
	 <477E79AE.6050407@zend.com>  <477E853E.5000308@sektioneins.de>
Content-Type: text/plain
Date: Fri, 04 Jan 2008 14:22:07 -0500
Message-ID: <1199474527.15292.208.camel@sbarrow-desktop>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] type hinting
From: sam@sambarrow.com (Sam Barrow)

On Fri, 2008-01-04 at 20:13 +0100, Stefan Esser wrote:
> Stanislav Malyshev schrieb:
> >> * the code gets smaller because not so many typechecks in every function
> > What do you mean "not so many"? You need one per checked parameter.
> There is a difference in complexity between a userlevel type check and a
> low level type check.

Definitely. User-level is 10 times more written code and is slower.

> >> * with type hints byte code optimizer can optimize the code far better
> > Do you have any optimizer that can do that? Any plans to make one? Any
> > tests showing you can optimize real-life application this way?
> How should one have an optimizer for that as long PHP does not have this
> feature? Noone would implement one that is capable of doing this not
> knowing if the feature ever makes it into PHP.

Very true, thank you for pointing that out.

> > That is true, type hints do make static analysis easier - strict
> > typing is created exactly for that purpose. However, it only helps if
> > all the code is strictly typed - otherwise you just move point of
> > failure around. And in any case, type won't help you much form most
> > real static analysis purposes, such as security - "string" can hold
> > anything.
> That is not completely true. If for example 10 functions use type
> hinting and other functions not, then you have atleast 10 functions
> where you can analyse better.
> 
> A "simple" example is:
> 
> function decryptID($id)
> {
>     return $id ^ SOME_RUNTIME_CONSTANT;
> }
> 
> function getUserFromId($id)
> {
>     $sql = "select * from user where id=".decrypt($id);
>     ...
> }
> 
> To analyse this construct a static code analyser has a lot todo and it
> still needs to check every call to getUserFromId() to verify if this is
> an actual security hole, because it doesn't know the content of
> SOME_RUNTIME_CONSTANT and therefore the return value of decryptID could
> be a binary xored string. However a type hint of int in the decryptID()
> function would allow the analyser to know that decryptID() always return
> int and this would tell it that this is not a security hole. You see in
> this example that just partial usage of type hinting can mean the
> difference between a false positive and a definitive unexploitability.

In general, type hinting gives you more control over your code. Also, if
$id is an int, you prevent having to escape the data to avoid sql
injection.

> Greetings,
> Stefan Esser
>