Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:84152 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 53313 invoked from network); 2 Mar 2015 08:39:59 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 2 Mar 2015 08:39:59 -0000 Authentication-Results: pb1.pair.com header.from=zeev@zend.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=zeev@zend.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain zend.com designates 74.125.82.177 as permitted sender) X-PHP-List-Original-Sender: zeev@zend.com X-Host-Fingerprint: 74.125.82.177 mail-we0-f177.google.com Received: from [74.125.82.177] ([74.125.82.177:35058] helo=mail-we0-f177.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 36/E0-48321-ED124F45 for ; Mon, 02 Mar 2015 03:39:59 -0500 Received: by wevl61 with SMTP id l61so31803865wev.2 for ; Mon, 02 Mar 2015 00:39:55 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:references:in-reply-to:mime-version :thread-index:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=rZLC/ILw6mFi51PHQVvVcYVcJkcmqP+1L2zE6tSBoOk=; b=I128d5fWfnDSPoXIMrUZlNQIkzxpjEk5pzyaR+UMoPXBN3KMbC9LuPviiJPhHySWU0 dri1RYfbAuxcEfgk73IWbhLwqVjiAzGS2MeaYQAFIC6Z1BBmmKJzSTAqztjjcr1dZHTI Y2erSc0CQ0t46liFEBNJz8PXLBp8I7918TQwCn/LOsd5SgYdSuTXnHuo0pXrkyOMl5nl XPFrFqBFe5/xnIweQCfO/ZdrdFRbg5at34XBjX6LC4QThxOHPu11Qvrb/DBSl/wvtEDi JX4EkCDOzFtwxk63P2U8YUoFUsPMx4/8XczUVBra/0SYXcMgP6N6uXQJj04THT1UqI7R Jvlw== X-Gm-Message-State: ALoCoQkeHPUGlB3EErOeF0PtMRJYC51Job+uDfRPFhYMbxGrILs0hUJqLKKgGHbQs8OFSaj7iY6GiuxYu807drk39cFd+PV6J6q307vsv5FayKJCBUlgO4PHhapyzZs+HcLy5IGJI77t891PSAcVP4pnGeFo1wNrxA== X-Received: by 10.194.200.229 with SMTP id jv5mr3380051wjc.59.1425285595096; Mon, 02 Mar 2015 00:39:55 -0800 (PST) References: In-Reply-To: MIME-Version: 1.0 X-Mailer: Microsoft Outlook 14.0 Thread-Index: AQHbEgvqZ08kgCvmYfG4mXODzCFejgD7DxronOuIwPA= Date: Mon, 2 Mar 2015 10:39:53 +0200 Message-ID: To: Thomas Punt Cc: PHP internals Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: RE: [PHP-DEV] Coercive STH - some real world tests and updated RFC From: zeev@zend.com (Zeev Suraski) > -----Original Message----- > From: Thomas Punt [mailto:tpunt@hotmail.co.uk] > Sent: Sunday, March 01, 2015 4:03 PM > To: Zeev Suraski; PHP internals > Subject: RE: [PHP-DEV] Coercive STH - some real world tests and updated > RFC > > Hey Zeev, > > > Another change being considered and not yet in the RFC is re-allowing > > leading and trailing spaces for numeric strings (sorry Paddy.) > > I think that rejecting leading and trailing spaces for stringy ints is for the best. > If I only want to accept an integer (in either int or string form), then by > enabling spaces in that input, it would destroy the overall usability of it. > > One scenario I have in mind for this is validating $_GET information for a > RESTful web service. Having potentially an infinite=C2=A0number of URIs t= hat all > point to the same resource isn't good: > > /users/1 > /users/%201 > /users/1%20 > /users/%201%20 > /users/%201%20%20 > etc. > > In this case, I don't want to accept any leading or trailing spaces for the user > ID. So I would therefore not be able to use an=C2=A0`int` type hint becau= se its > acceptance rules would be too lax. > > If spaces are not accepted in stringy ints, and I want to pass a stringy int that > may have leading or trailing spaces in it, then I know I can=C2=A0simply apply a > trim() to it before passing it into a function that's expecting only an int. This > way, the usability of integer-only inputs (as string or ints) isn't compromised > by the rules being too weak. Tom, First of all thanks for the feedback! I think that with leading/trailing spaces we could go either way. It boils down to the question of whether we want spaces to be explicitly trim()'d and have the rule-set more restrictive, or have the rule-set more permissive - preventing some use cases from using it and having to do manual validation instead. Based on the fact this has been a source of back & forth changes (twitter.com/AndreaFaulds/status/570979956349665281), there's not going to be a one size fits all rule-set here. I think that the use cases where it will be harmless to ignore leading/trailing spaces would be more common than those where it's risky or undesired... > > The takeaway from this seems to be that the approach of tightening the > > existing rule-set and applying it to both internal functions and new > > user-land code is viable, and does not cause the sky to come down falling. > > Preliminary tests suggest it actually finds real potential problems. > > > > More tomorrow. > > Overall, a big +1 on this though! The type coercion rules at the moment are > far too lax to be considered useful in most situations IMO. Thanks for the feedback! Zeev