Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:58467 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 29320 invoked from network); 2 Mar 2012 10:30:36 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 2 Mar 2012 10:30:36 -0000 Authentication-Results: pb1.pair.com header.from=simonsimcity@googlemail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=simonsimcity@googlemail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain googlemail.com designates 209.85.214.170 as permitted sender) X-PHP-List-Original-Sender: simonsimcity@googlemail.com X-Host-Fingerprint: 209.85.214.170 mail-tul01m020-f170.google.com Received: from [209.85.214.170] ([209.85.214.170:33420] helo=mail-tul01m020-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 00/E9-11220-B41A05F4 for ; Fri, 02 Mar 2012 05:30:36 -0500 Received: by obbwd1 with SMTP id wd1so1965921obb.29 for ; Fri, 02 Mar 2012 02:30:33 -0800 (PST) Received-SPF: pass (google.com: domain of simonsimcity@googlemail.com designates 10.182.17.100 as permitted sender) client-ip=10.182.17.100; Authentication-Results: mr.google.com; spf=pass (google.com: domain of simonsimcity@googlemail.com designates 10.182.17.100 as permitted sender) smtp.mail=simonsimcity@googlemail.com; dkim=pass header.i=simonsimcity@googlemail.com Received: from mr.google.com ([10.182.17.100]) by 10.182.17.100 with SMTP id n4mr3593310obd.45.1330684233292 (num_hops = 1); Fri, 02 Mar 2012 02:30:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=a+sv6dKDW2b4NmI3ot/iCtvVxb9/Oc/bE/muPb8M3qE=; b=YfH97NEWkufBOxYf9aEaVgFgHbM2bfXirt91XkmC8Cxb/7Ydy5joKOPFRJafLGJPrV n8pi8hj5xTt3hjk4BO9lTbhi+CbYsfQprUOkG6dp8+PgdFC42DwiUDc6/jWp8Ma/Hu12 YCjiMffBDPLIopkNIIQ/zfi44eWmleqhHAbWwZrMzQrggCBD5PDLvwHxVXMv8AiWABQm PiX+izkHAaXoYJsG2BafcvsrbhRrSg5f5+S943SdWlbsqwSWtQQ4MRaVX80kZiH4C/Ws hn/qeNb0KXcuugUGu33w11vJRGndBIhPO9iJJxv/zJW+53+iCJ/rigUxe8YwZdgbezCX PSjQ== MIME-Version: 1.0 Received: by 10.182.17.100 with SMTP id n4mr3084862obd.45.1330684233081; Fri, 02 Mar 2012 02:30:33 -0800 (PST) Received: by 10.60.7.229 with HTTP; Fri, 2 Mar 2012 02:30:33 -0800 (PST) In-Reply-To: References: <693e15008681dfe7372eaea66214f8a8.squirrel@www.l-i-e.com> <4F4D5D44.5090307@developersdesk.com> Date: Fri, 2 Mar 2012 11:30:33 +0100 Message-ID: To: Kris Craig Cc: John Crenshaw , Richard Lynch , "internals@lists.php.net" Content-Type: multipart/alternative; boundary=f46d0444692505641504ba401132 Subject: Re: [PHP-DEV] PHP Philosophy (was RE: [PHP-DEV] Scalar type hinting) From: simonsimcity@googlemail.com (Simon Schick) --f46d0444692505641504ba401132 Content-Type: text/plain; charset=UTF-8 Hi, All Let me update my last functions as I got an inspiration from Anthony and his proof-of-concept: foo( (boolean) $b, (integer) $i, (float) $f, (string) $s) { // your code } foo2($b, $i, $f, $s) { $b = (boolean)$b; $i = (integer)$i; $f = (float)$f; $s = (string)$s; // your code } Now here a rule I thought could be acceptable to differ between the type-hint for classes and arrays and this notation: If the type is wrapped in parentheses, the system will try to convert the given value. Otherwise it will handle it strict. Strict is currently only available for classes and arrays, and I don't want to get more things in this list (excepted by resources, what is the last what would make sense here). Dynamic (the one with the parentheses) could then well be something like boolean, integer, float, string and array. Array is also in this list as I would like to have an option to give an object in here that implements all interfaces that makes an object accessible as an array - for example ArrayIterator. Bye Simon 2012/3/2 Simon Schick > Hi, Kris > > I have to confirm that that's not really what I wanted. > But many people were now talking about type-hint to scalar, but that was > maybe in another thread in this list :) > > To get more to the point what were discussing about want: > Why not always (at least try) to transform the data? > > In PHP 5.4 they've introduced quite a lot of new stuff around exactly that: > * Changed silent conversion of array to string to produce a notice. > * Changed silent casting of null/''/false into an Object when adding a > property into a warning. > > I would suppose to add a type-hint for the following types: > * Boolean > * integer > * float > * string > > Here's the last state what I thought about these type-hints ... > Both of the given examples here should give the same result: > > foo(boolean $b, integer $i, float $f, string $s) { > // your code > } > foo2($b, $i, $f, $s) { > $b = (boolean)$b; > $i = (integer)$i; > $f = (float)$f; > $s = (string)$s; > > // your code > } > > If you view it from that site - you can't get an array to do what you can > do with an object. Therefore I think it's quite OK to break the script > there, but here, as you can transform the values, I'd (at least try to) > transform the given data into the expected format. > The only thing I'm quite unsure about - should we trigger a E_WARNING or > E_NOTICE if we have data-loose in this transformation? Just let it pass as > it's transformable, but trigger some error ... > If you want to get a warning or notice in the function *foo2* then open a > new thread, as I think that should not be discussed here. It affects much > more than just the function-call. > > p.s. What about adding another type-hint for resources? > That's something we could check by *is_resource()* and it would make > sense (at least to me). > > Bye > Simon > > > 2012/3/2 Kris Craig > >> I agree with what John said. Limiting the scope to scalars, while having >> some advantages, probably wouldn't pass the "usefulness" test for most >> people. >> >> --Kris >> >> >> On Thu, Mar 1, 2012 at 4:18 PM, John Crenshaw > >wrote: >> >> > From: Richard Lynch [mailto:ceo@l-i-e.com] >> > > On Thu, March 1, 2012 2:38 am, John Crenshaw wrote: >> > > >> You might consider those scripts poor programming practice. We all >> > > >> do. >> > > >> But PHP is the language of the unwashed masses, and that was, and >> is, >> > > >> part of why it is hugely popular. Somebody who barely understands >> > > >> programming can pound away at the keyboard and write a bloody >> useful >> > > >> web application, breaking 10,000 Computer Science rules along the >> > > >> way. >> > > > >> > > > And in 20 minutes I can hack into that application 20 different >> ways. >> > > > This isn't really PHP's fault...or is it? By deliberately catering >> to >> > > > the lowest possible denominator is it possible that PHP itself >> > > > contributes to the proliferation of wildly insecure web sites? I do >> > > > understand the "unwashed masses" argument, and yet, the security >> geek >> > > > in me sometimes questions how "good" this is. >> > > > >> > > > (Before someone flames me, I'm not really saying that we should >> scrap >> > > > any foundational principles or tell basic users to go hang >> themselves. >> > > > This is mostly philosophical musing.) >> > > >> > > We make concerted efforts to educate scripters, by posting the same >> > thing in all our blogs. >> > > >> > > Even if all they understand is "Don't do this!" it's good enough for >> > most of them. >> > > >> > > Other times the decision was made to just deprecate a "feature" and >> > provide a migration path, >> > > if suitable, but spread out over major >> > > releases: >> > > PHP x.0: Feature is bad, but there >> > > PHP x+1.0 Feature is E_DEPRECATED (or documented as such before E_DEP) >> > [This is the bit >> > > where a LOT of scripted edumacation has to happen.) PHP x+2.0 Feature >> is >> > just gone. >> > > >> > > People who completely ignore docs or don't upgrade remain vulnerable, >> > but there's not much >> > > you can do without making life miserable for a bazillion developers. >> > >> > No, you've misunderstood. The average new not-really-a-developer has no >> > concept of security. Every SQL query they write is vulnerable to >> injection. >> > Every echo exposes their site to XSS vulnerabilities. Every form is >> > vulnerable to CSRF. If they did anything with files in their script I >> may >> > be able to read arbitrary files to their server and/or upload and >> execute >> > arbitrary scripts. If they used eval() or system() I can probably >> execute >> > arbitrary shell code and take control of the entire site. If their >> server >> > is badly configured I could capture the entire machine. >> > >> > This isn't a question of keeping software updated and not using >> deprecated >> > functions, this is a question of discipline that is completely missing >> > among the "unwashed masses" as you call them. The intuitive way to >> handle >> > many of the most common PHP tasks is also the completely insecure way. >> > Philosophically, I wonder if we do a great disservice by encouraging >> these >> > people to tinker with code at all. We do so knowing (or at least we >> should >> > know) that anything they create will inevitably be hacked. We fuel the >> > widespread security problems that currently plague the web. >> > >> > John Crenshaw >> > Priacta, Inc. >> > >> > -- >> > PHP Internals - PHP Runtime Development Mailing List >> > To unsubscribe, visit: http://www.php.net/unsub.php >> > >> > >> > > --f46d0444692505641504ba401132--