Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:86063
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 82944 invoked from network); 30 Apr 2015 04:38:46 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 30 Apr 2015 04:38:46 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.214.176 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.214.176 mail-ob0-f176.google.com  
Received: from [209.85.214.176] ([209.85.214.176:36687] helo=mail-ob0-f176.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id B9/E1-05379-5D1B1455 for <internals@lists.php.net>; Thu, 30 Apr 2015 00:38:46 -0400
Received: by obbeb7 with SMTP id eb7so36028560obb.3
        for <internals@lists.php.net>; Wed, 29 Apr 2015 21:38:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=B0BJQPOJmjcO8u+5OY5Ky/4cxaM19yjOqLGLQ20Kj1o=;
        b=VexMRONfhy1pcU3xtLLBGdUvsj2EnoBT9WuQKOzFAPMEhxtN9OgcwEyEsHAeiWryHM
         Plw3pRvZJ0LFelYkDevnScLNbsreyG+ykLBdMJDTXFpCkaVGx24NObIICHZdXFVqaOMz
         PMDmGJtmGzWjfKgVqPwhrS40Ag9kpzkDn0ylvVHIeobq2206BUaWdJFqtn1OBU0yYupU
         l31kTVPgYCGS4cID8QVBYpLV2XrFTjeY6v6XStLng/dxwzV9O5AlDX8yMYRnjuBqHxgh
         LmPsQQUDVpWzV8jXKGrKmNa5ngChfNrVOo2+MNH+KBedEI4oQLTvJOVLCa5ul3/HBS5h
         DLTw==
X-Received: by 10.202.10.193 with SMTP id 184mr1851637oik.90.1430368723596;
 Wed, 29 Apr 2015 21:38:43 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.202.104.196 with HTTP; Wed, 29 Apr 2015 21:38:03 -0700 (PDT)
In-Reply-To: <CA+kxMuQpndb0ymLPQyO_sHti8eYr3JN_pdGt=F3dpSmpsju-eg@mail.gmail.com>
References: <CAGa2bXYzp3XimLXxC+Py2t1DWhCfX8coTdYHzf6zEiKdxA7r8Q@mail.gmail.com>
 <55401F31.9030703@gmail.com> <CAObuZduZBM0GyWJMA1Fd7eCgPE4vFFZrrhpREQ50a4QJhG6Nvg@mail.gmail.com>
 <CAGa2bXar_oXrsPAErNx5BUdkFAy-p8-D0tfhc3pAnDTGBGJJ7Q@mail.gmail.com>
 <55416849.9010808@gmail.com> <CAGa2bXbkCx2Nqb9YBut3id4N=nhjLBGPN8Ucrx7R6mRnGjB2og@mail.gmail.com>
 <554176D6.2030007@gmx.de> <CAGa2bXaPjvkFYtkhRM1JisSvxgR0v8adkD_P_zkUng4xfBWFHg@mail.gmail.com>
 <55418CBE.6050609@gmail.com> <CAGa2bXZAY_9qx9D+K11ApJH9DKzTvxze+=E5=rVhQj_OaGfxGQ@mail.gmail.com>
 <CA+kxMuQpndb0ymLPQyO_sHti8eYr3JN_pdGt=F3dpSmpsju-eg@mail.gmail.com>
Date: Thu, 30 Apr 2015 13:38:03 +0900
X-Google-Sender-Auth: 3nIm7rtxe_bj9ETy-fNDY1Dhwvc
Message-ID: <CAGa2bXZ92xGvS+FgSEvXm9QAwVm-dUeBiTsggCNeMxhtip4-2Q@mail.gmail.com>
To: Dan Ackroyd <danack@basereality.com>
Cc: Rowan Collins <rowan.collins@gmail.com>, 
	"internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a113d1dc6aafaef0514e9ab3f
Subject: Re: [PHP-DEV] Adding "numeric" type hint
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a113d1dc6aafaef0514e9ab3f
Content-Type: text/plain; charset=UTF-8

Dan,

On Thu, Apr 30, 2015 at 12:02 PM, Dan Ackroyd <danack@basereality.com>
wrote:

> On 30 April 2015 at 02:17, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
> > Current PHP: Search query failure.
> > New PHP type hint: Fatal error because foreign key is out of PHP int
> range.
>
> There may be some confusion; NikiC is still doing some work to tidy up
> the EngineExceptions. When that is finished passing a variable of the
> wrong type will give a TypeException.
>
> > If user are using type hints everywhere, it may be limited to attackers
> > seeing fatal errors. If not, attacker can succeed system wide DoS attack
> by
> > simple operation.
>
> Passing in invalid primary keys should never result in a DoS
> attack...and I have no idea why you think it would be due to the
> presence or absence of scalar type hints.
>

It's very simple. PHP int can be smaller than DBMS's int.
With type hints, valid ID can cause fatal error.


>
>
> Yasuo wrote:
> > How many of us are expected that
> > mydb_find_by_id(INT_MAX+1);
> > Note: INT_MAX+1 is pseudo integer string value.
>
> Well currently it isn't:
>
> var_dump(PHP_INT_MAX + 1);
> float(9.2233720368548E+18)
>

You should realize that DBMS returns values as strings. Record ID included,
of course.



>
>
> Yasuo wrote:
> > How about have "numeric" type hint that accepts any format/class(GMP)
> > of numeric values?
> >
> > The issue is that weak mode type hint is *not* weak at all. It forces to
> > have machine native type rather than it's data form.
>
> So what you're suggesting is adding a numeric type that acts like GMP
> and allow arbitrary precision arithmetic on values? Isn't that just
> GMP? Except you'd need to convert the variable to be 'numeric' before
> doing any operation on it i.e. something like:
>
> $x = (numeric)INT_MAX;
> mydb_find_by_id($x+1);
>
> Unless you're also suggesting replacing PHP's current maths operations...


Have you ever try to change record ID supplied by DBMS? I guess not.
In this case, IDs are integer like string and it works perfectly regardless
of PHP int type.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a113d1dc6aafaef0514e9ab3f--