Newsgroups: php.internals
Subject: Re: [PHP-DEV] [VOTE][RFC] Safe Casting Functions
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Andrea Faulds
Cc: Adam Harvey, Levi Morrison, PHP Internals
Date: Fri, 21 Nov 2014 12:13:47 +0900
In-Reply-To: <5A250A28-F5C2-4FF1-B144-C19B2220EADC@ajf.me>

Hi Andrea,

On Fri, Nov 21, 2014 at 11:06 AM, Andrea Faulds wrote:
> Ideally, usage of these functions should be accompanied by some sort of
> validation logic if necessary for the application. They aren't validation
> functions in themselves, they just prevent certain conversions that don't
> make sense. Say someone fails to do proper validation and does this:
>
> $user = User::get((int)$_GET['id']);
>
> With this code, absolutely anything could be passed for "id" in the URL
> parameter and it'd be converted to a valid integer, transforming garbage
> into apparently valid values.
>
> On the other hand, say they did this:
>
> $user = User::get(to_int($_GET['id']));
>
> If I pass something that is not a number (like "foobar"), it would throw
> an exception.

This is a good use case, IMHO. PHP should provide an easy API by default
for more secure applications. Parameters sent from the client are validated
on the client with modern web apps. There are a number of cases where
validating as int/etc. is enough.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
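The contrast Andrea describes, a plain `(int)` cast turning garbage into an apparently valid id versus a conversion that refuses anything that is not an integer, as an added example that is not part of this thread or of the RFC. `safe_int()` is a hypothetical userland stand-in for the proposed `to_int()`, built on PHP's `filter_var()` with `FILTER_VALIDATE_INT`; the sample inputs standing in for `$_GET['id']` are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical userland stand-in for the RFC's to_int(): accepts an int
// as-is, accepts a string only if it is a plain signed decimal integer
// within PHP_INT_MIN..PHP_INT_MAX, and throws for everything else.
function safe_int($value): int
{
    if (is_int($value)) {
        return $value;
    }
    if (!is_string($value)) {
        // Arrays, bools, floats, null: refuse instead of silently converting.
        throw new InvalidArgumentException('Expected an integer or an integer string');
    }
    // FILTER_VALIDATE_INT rejects "foobar", "12abc", "1e3", "9.99", "" and
    // (without FILTER_FLAG_ALLOW_HEX) "0x1A"; it returns false, not 0.
    $result = filter_var($value, FILTER_VALIDATE_INT);
    if ($result === false) {
        throw new InvalidArgumentException("Not a valid integer: \"$value\"");
    }
    return $result;
}

// Constructed sample values that a client could send as ?id=...
$samples = ['42', '-7', 'foobar', '12abc', '1e3', '9.99', '', '0x1A'];

printf("%-10s %-12s %s\n", 'input', '(int) cast', 'safe_int()');
foreach ($samples as $raw) {
    // The cast never fails: non-numeric garbage becomes 0, "12abc" becomes 12,
    // and "1e3" becomes 1000 on PHP 7.1 and later.
    $cast = (int) $raw;
    try {
        $safe = (string) safe_int($raw);
    } catch (InvalidArgumentException $e) {
        $safe = 'exception';
    }
    printf("%-10s %-12d %s\n", var_export($raw, true), $cast, $safe);
}
```

With the cast, `User::get((int)$_GET['id'])` receives id 0 for `foobar` and id 12 for `12abc`, so a malformed request reaches the lookup looking like a legitimate one; with `safe_int()` the same inputs stop at the conversion with an exception the application can turn into a 400 response.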