Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:56766
Return-Path: <ekneuss@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 71739 invoked from network); 4 Dec 2011 16:39:37 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 4 Dec 2011 16:39:37 -0000
Authentication-Results: pb1.pair.com header.from=ekneuss@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=ekneuss@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.214.42 as permitted sender)
X-PHP-List-Original-Sender: ekneuss@gmail.com
X-Host-Fingerprint: 209.85.214.42 mail-bw0-f42.google.com  
Received: from [209.85.214.42] ([209.85.214.42:40696] helo=mail-bw0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 01/E0-65129-642ABDE4 for <internals@lists.php.net>; Sun, 04 Dec 2011 11:39:35 -0500
Received: by bkcjf3 with SMTP id jf3so119078bkc.29
        for <internals@lists.php.net>; Sun, 04 Dec 2011 08:39:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=mime-version:sender:in-reply-to:references:date
         :x-google-sender-auth:message-id:subject:from:to:cc:content-type;
        bh=ANkDzFVAb/rEAFekeTzK0LvGWpkcLX2glRhCQKMEP3Y=;
        b=izPAHUIsbzFp0VMnx6ua2ayctm9GLWXGe7XVgfN7Q8k3kUuOYuFkU4EYutNH/NPbex
         +Y6Q7wEiKuqmOLcFKnWUDt+2g+1W7kp+4zCwFvurL0aqiMsPFy9HvOP7ACI7JecpZHd2
         Km/1R8fAnaxqsTD5NSGXt1q2CARPGX5Z7sMss=
MIME-Version: 1.0
Received: by 10.205.137.144 with SMTP id io16mr2704482bkc.23.1323016770130;
 Sun, 04 Dec 2011 08:39:30 -0800 (PST)
Sender: ekneuss@gmail.com
Received: by 10.204.192.72 with HTTP; Sun, 4 Dec 2011 08:39:30 -0800 (PST)
In-Reply-To: <CABBJUpfNRaa580ZCtsYHCbDat1Sxbo7tNz2MiNQ68foPFTq61g@mail.gmail.com>
References: <4EDA4989.2010702@akbkhome.com>
	<CAH-PCH76g4LwEwzaEvU3Hp7PeeyMUN4sc0uZExkedhHvYYnm9A@mail.gmail.com>
	<CABBJUpfNRaa580ZCtsYHCbDat1Sxbo7tNz2MiNQ68foPFTq61g@mail.gmail.com>
Date: Sun, 4 Dec 2011 17:39:30 +0100
X-Google-Sender-Auth: -Gd907nxqTm8TiH_5wC9EGcRahs
Message-ID: <CACQesk4xNrm3VfreZX5NAQZ+DqDt5w6ecOKw70e=Yjn1EPeDag@mail.gmail.com>
To: Laruence <laruence@php.net>
Cc: Ferenc Kovacs <tyra3l@gmail.com>, Alan Knowles <alan@akbkhome.com>, 
	PHP Internals List <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=0015173feb669d933204b346d856
Subject: Re: [PHP-DEV] Fixing string offsets of strings.
From: colder@php.net (Etienne Kneuss)

--0015173feb669d933204b346d856
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi,

On Sun, Dec 4, 2011 at 15:25, Laruence <laruence@php.net> wrote:

> +1.
>
> thanks.
>
> On Sun, Dec 4, 2011 at 10:05 PM, Ferenc Kovacs <tyra3l@gmail.com> wrote:
> > On Sat, Dec 3, 2011 at 5:08 PM, Alan Knowles <alan@akbkhome.com> wrote:
> >
> >> I've had a look at making string offsets of strings a bit saner.
> >>
> >> At present with the fix for array dereferencing :  ?search=3Dhello and=
 a
> >> test like isset($_GET['search']['name'])  results in true, which is ha=
s
> >> potential security problems and is very confusing for any programmer
> >> finding and working out why something like that may be failing.
> >>
> >> To solve this quite a few people agreed that not allowing non-numeric
> >> string offsets on strings would be the smart way to go, the change is
> going
> >> to break BC, so the idea is to at least not break it too badly...
> >>
> >> This patch is a start.
> >> https://bugs.php.net/patch-**display.php?bug_id=3D60362&**
> >> patch=3Dfirst_effort_to_fix_**this&revision=3Dlatest<
> https://bugs.php.net/patch-display.php?bug_id=3D60362&patch=3Dfirst_effor=
t_to_fix_this&revision=3Dlatest
> >
> >>
> >> It's been quite a while since I hacked on the engine, so the patch onl=
y
> >> works reasonably well.. (see the FIXME on the tests at the bottom of t=
he
> >> patch.)
> >>
> >> The patch changes the following:
> >>  * $s =3D "string";  $s['offset'] -- produces a warning (and returns a=
n
> >> empty string)
> >>  * $s =3D "string";  $s['1'] -- works as before..
> >>  * $s =3D "string";  $s[true] $s[false] $s[0.1] -- give a notice (cast=
 it
> to
> >> an int if you want to get rid of the notice) - however work as before.
> >>  * changes the warning on invalid indexes to say "Uninitialized or
> >> invalid" rather than just "Uninitialized"
> >>  * fixes most of the related tests
>

What about other edge cases like $string['   2   '], $string['2foo']?

I like the idea of the patch, I just find it a bit inconsistent for
$s['offset'] to return an empty string while other cases of implicit
conversions work as before. It doesn't bring much to return an empty string
instead of the first char. I believe every case should work as before,
throwing a notice is enough IMO.

Also, you don't mention whether your patch modifies the behavior of
isset(), is $str =3D "foo"; isset($str['bar'])  true or false ?

Best,


> >>
> >
> > I think that those changes are pretty much in line with the discussion
> that
> > we had.
> > Thanks for fixing this!
> >
> >
> > --
> > Ferenc Kov=C3=A1cs
> > @Tyr43l - http://tyrael.hu
>
>
>
> --
> Laruence  Xinchen Hui
> http://www.laruence.com/
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


--=20
Etienne Kneuss
http://www.colder.ch

--0015173feb669d933204b346d856--