Newsgroups: php.internals
Xref: news.php.net php.internals:59022
Subject: Re: [PHP-DEV] Scalar-type-hinting - which way is the best to go?
From: adamjonr@gmail.com (Adam Jon Richardson)
To: PHP Internals List
Date: Sun, 18 Mar 2012 18:38:50 -0400

On Sun, Mar 18, 2012 at 7:12 AM, Simon Schick wrote:
>
> Hi, All
>
> Just to add an example of why I want a stricter type check here than
> we have in the current type juggling:
>
> http://www.brandonsavage.net/an-xss-vulerability-in-the-making/?utm_source=rss&utm_medium=rss&utm_campaign=an-xss-vulerability-in-the-making

I see the example given as one of poor validation, not a reason for more
strict type checking in a dynamic, weakly typed language. One could:

- use a regex
- set the third argument (strict comparison) of in_array() to true -OR-
  loop through the array and check equivalence with ===
- ensure the type-juggled value (the integer form) was returned and used
  rather than using the original string

I actually like the conversation on scalar type hinting, and I've even
offered some ideas for integrating a form of it, too. However, poor input
validation is not one of the reasons that I would use to justify its
inclusion. The goal of proper input validation should be to account for
page requests that include invalid data and provide appropriate feedback
within the natural flow of the application. Erring out when calling a
more strongly typed function at runtime does not provide this type of
application flow.

Adam
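The loose in_array() whitelist check the linked post describes, beside the three fixes Adam lists, as an added PHP example that is not part of the thread. $allowedIds and the tainted request value are constructed, and the loose-comparison behaviour described in the comments is that of PHP 5/7, current when this was written (PHP 8 changed how an int compares with a non-numeric string).

```php
<?php
// Added example, not from the thread. A request id is whitelisted against
// a fixed list, first with loose in_array() as in the linked post, then
// with the three fixes Adam lists. $allowedIds and $tainted are constructed.

$allowedIds = [1, 2, 3];
$tainted    = '1<script>alert(1)</script>';  // constructed hostile query value

// Vulnerable: loose comparison. On PHP 5/7 the leading-numeric string is
// juggled to 1 before comparing, so 1 == '1<script>...' holds, the check
// passes, and the caller goes on to echo the ORIGINAL string into the page.
// (PHP 8 compares an int with a non-numeric string as strings, so it fails there.)
function isAllowedLoose(string $id, array $allowed): bool
{
    return in_array($id, $allowed);
}

// Fix 1: a regex constrains the shape before any comparison happens, so a
// value carrying markup is rejected outright.
function isAllowedRegex(string $id, array $allowed): bool
{
    return preg_match('/^\d+$/', $id) === 1
        && in_array((int) $id, $allowed, true);
}

// Fix 2: strict comparison. Request values arrive as strings, so the
// whitelist is compared as strings too; only an exact match of type and
// value passes, and no juggling occurs.
function isAllowedStrict(string $id, array $allowed): bool
{
    return in_array($id, array_map('strval', $allowed), true);
}

// Fix 3: juggle once, explicitly, and hand the integer (never the original
// string) to the rest of the application. Returns null when not whitelisted.
function normalizedId(string $id, array $allowed): ?int
{
    $int = (int) $id;                     // '1<script>...' casts to 1
    return in_array($int, $allowed, true) ? $int : null;
}

foreach (['2', $tainted] as $value) {
    printf("%-32s loose=%d regex=%d strict=%d normalized=%s\n",
        substr($value, 0, 30),
        isAllowedLoose($value, $allowedIds),
        isAllowedRegex($value, $allowedIds),
        isAllowedStrict($value, $allowedIds),
        var_export(normalizedId($value, $allowedIds), true));
}
```

Only the loose variant lets the tainted value through; the regex and strict variants reject it, and the normalizing variant accepts it but yields the integer 1, so the markup never reaches the output.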