Newsgroups: php.internals
Date: Mon, 30 Mar 2015 11:14:29 +0900
To: Pierre Joye
Cc: Jakub Zelenka, PHP internals list
Subject: Re: [PHP-DEV] JSON float number as string
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Pierre,

On Mon, Mar 30, 2015 at 10:54 AM, Pierre Joye wrote:

> Same effects but totally unrelated topics. All functions dealing with
> large external numbers had the same issues, since ever. It has nothing
> to do with STH.

Yes, it is. Developers make casting mistakes like this even when they are
used to strict typing. This makes me worry about wrong casting usage with
PHP7.

For example,

    $db->findById($id);

The method prototype should be

    function findById(string $id)

to be correct. I think there will be many users who write wrong code such as

    function findById(int $id)

One may argue most systems are 64 bit anyway and it would not be much of an
issue. However, many IoT devices still use a 32 bit OS. 32 bit systems cannot
be ignored yet.

Users will cast $id to int without thinking about the consequence. This could
create a security hole, as (int)$id for a string results in a 0/negative value.

Casting external values to int/float is simply wrong and evil. The current
type hint encourages/requires casts even if users do not fully realize the
consequence.

We do make mistakes like this bug. We cannot assume PHP users will not.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
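To illustrate the point about casting external IDs, here is an added example (not code from the original post or from PHP itself). It tests on the string itself whether an ID fits the running platform's native int, and prints what an `(int)` cast would produce for a few constructed inputs. The helper `idFitsNativeInt()`, the body of `findById()` and its 20-digit limit are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: true only if $id is a canonical unsigned decimal
// string whose value fits this platform's native int (PHP_INT_MAX).
// The check works on the string itself, so nothing is ever cast.
function idFitsNativeInt(string $id): bool
{
    // Reject signs, whitespace, exponents, trailing garbage, leading zeros.
    if (preg_match('/\A(?:0|[1-9][0-9]*)\z/', $id) !== 1) {
        return false;
    }
    $max = (string) PHP_INT_MAX; // "2147483647" on a 32-bit build
    if (strlen($id) !== strlen($max)) {
        return strlen($id) < strlen($max);
    }
    // Same length and digits only: byte order equals numeric order.
    return strcmp($id, $max) <= 0;
}

// Hypothetical lookup that keeps the ID a string end to end, as the post
// recommends. Assumption: IDs are positive decimals of at most 20 digits.
// A real implementation would bind $id as a string query parameter.
function findById(string $id): string
{
    if (preg_match('/\A[1-9][0-9]{0,19}\z/', $id) !== 1) {
        throw new InvalidArgumentException('malformed id');
    }
    return $id;
}

// Constructed sample inputs standing in for request parameters.
$samples = ['42', '2147483648', '9223372036854775808', '12abc', 'abc', '1e3'];
foreach ($samples as $raw) {
    try {
        $asString = 'accepted ' . findById($raw);
    } catch (InvalidArgumentException $e) {
        $asString = 'rejected';
    }
    printf(
        "%-22s fits native int: %-3s  (int) cast: %-20d string id: %s\n",
        var_export($raw, true),
        idFitsNativeInt($raw) ? 'yes' : 'no',
        (int) $raw,
        $asString
    );
}
```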