Newsgroups: php.internals
Message-ID: <5000990F.30105@gmail.com>
Date: Fri, 13 Jul 2012 23:54:23 +0200
From: keisial@gmail.com (Ángel González)
To: Ryan McCue
CC: internals@lists.php.net
In-Reply-To: <4FFFF84D.9070202@rotorised.com>
Subject: Re: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions

On 13/07/12 12:28, Ryan McCue wrote:
> Somewhat off-topic, but is there a reason why not? It seems to me that
> introducing a new API without using PHP's best method of error handling
> (IMHO) is a little silly.

I don't really trust exception throwing near password-managing functions.

Consider the following:

    class UserLogin {
        var $loggedIn = false;

        function login() {
            // Pseudocode: fetch the row for the submitted username
            $row = SELECT * FROM user WHERE username = escape_string($_POST['user']) ;
            $this->checkPassword($row->password);
        }

        function checkPassword($pw_hash) {
            if (password_verify($_POST['password'], $pw_hash))
                $this->loggedIn = true;
        }
    }

The codebase does no global exception handling (because it doesn't throw exceptions itself), and also nobody configured the server not to show errors/exceptions (some say it was purposely set up to show them).

password_verify() "errors" if the parameters are not strings or the hash doesn't match a known hash format.

Which kind of error should you use? Errors or exceptions? Provide a reasoned answer.
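
Added example, not part of the original message or of the RFC's code: one way to write the login check above so that it fails closed whichever way password_verify() reports a problem, and so that no error or exception text carrying the arguments reaches the response. The PDO handle, the in-memory SQLite `user` table and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added example: fail-closed login check. UserLogin mirrors the class in the
// message; the PDO handle and the `user` table layout are assumptions.
final class UserLogin
{
    private $loggedIn = false;
    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    public function login(array $post): bool
    {
        $user = $post['user'] ?? null;
        $password = $post['password'] ?? null;
        // Request fields can arrive as arrays; reject anything that is not a
        // string before it reaches password_verify().
        if (!is_string($user) || !is_string($password)) {
            return false;
        }
        try {
            $stmt = $this->db->prepare('SELECT password FROM user WHERE username = ?');
            $stmt->execute([$user]);
            $hash = $stmt->fetchColumn();
            // Unknown user or malformed stored hash: both end as "not logged in".
            $this->loggedIn = is_string($hash) && password_verify($password, $hash);
        } catch (Throwable $e) {
            // Log the exception class only; message and trace may carry the arguments.
            error_log('login check failed: ' . get_class($e));
            $this->loggedIn = false;
        }
        return $this->loggedIn;
    }
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT)');
$ins = $db->prepare('INSERT INTO user VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$ins->execute(['bob', 'not-a-known-hash-format']);

$login = new UserLogin($db);
var_dump($login->login(['user' => 'alice', 'password' => 'correct horse']));
var_dump($login->login(['user' => 'bob', 'password' => 'anything']));
var_dump($login->login(['user' => 'alice', 'password' => ['x']]));
```

The three calls cover a valid login, a stored value that is not a recognised hash, and a non-string password field; only the first sets the logged-in state.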