Newsgroups: php.internals
Message-ID: <5541C0E0.2080006@gmail.com>
Date: Wed, 29 Apr 2015 22:42:56 -0700
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Yasuo Ohgaki
CC: Ryan Pallas, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Adding "numeric" type hint

Hi!

> "int" Cast is bad. Incorrect "int" type hint worse as it could trigger DoS.

I do not see any potential for DoS here. Trying to assign security
implications so it looks like disagreeing with you jeopardizes security
is not a good idea. If your code accepts non-numeric data and puts it to
functions that expect integers without validation, it is bad code and
"numeric" hint would not help here, as unvalidated data can contain
anything. If unexpected input causes denial of service in your code, it
is a code architecture problem, which should not be solved by adding
stuff to PHP.

> It's not all, but the main issue here is 32 bit CPU & PHP int is too
> small for database record IDs.

Correct way to go there is treating these IDs as strings or objects and
having code that handles them properly. If they do not fit PHP int, they
should not be used with functions that expect int.

> To maximize compatibility, arbitrarily size of int/float like
> string/value should be accepted as numeric(or int/float).

No, it should not be, since they are neither int nor float.

-- 
Stas Malyshev
smalyshev@gmail.com
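
Added example, not part of the original message or of PHP itself: one way to follow the advice above and keep record IDs that do not fit a 32-bit PHP int as validated strings instead of casting them. The `RecordId` class, the signed 64-bit BIGINT range and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical value object for a database record ID that may exceed
// PHP_INT_MAX on 32-bit builds. The ID is never cast to int or float.
final class RecordId
{
    // Assumption: the column is a signed 64-bit BIGINT holding positive IDs.
    const MAX = '9223372036854775807';

    private $value;

    public function __construct(string $raw)
    {
        // Canonical form only: ASCII digits, no sign, no leading zero,
        // no whitespace, no exponent. \z (not $) rejects a trailing newline.
        if (!preg_match('/\A[1-9][0-9]{0,18}\z/', $raw)) {
            throw new InvalidArgumentException('Malformed record ID');
        }
        // Canonical decimal strings of equal length sort lexicographically
        // in numeric order, so strcmp() is a safe range check here.
        if (strlen($raw) === strlen(self::MAX) && strcmp($raw, self::MAX) > 0) {
            throw new InvalidArgumentException('Record ID out of range');
        }
        $this->value = $raw;
    }

    public function equals(RecordId $other): bool
    {
        // Strict string comparison; == would compare numeric strings as numbers.
        return $this->value === $other->value;
    }

    public function __toString(): string
    {
        return $this->value;
    }
}

// Constructed sample inputs, not taken from the thread.
$samples = ['42', '4294967296', '9223372036854775808', '1e3', '007', "12\n", '-5'];
foreach ($samples as $raw) {
    try {
        $id = new RecordId($raw);
        echo "accepted: ", $id, "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", json_encode($raw), " (", $e->getMessage(), ")\n";
    }
}
```

Functions that take a `RecordId` parameter then reject unvalidated input at the type boundary, and the ID reaches the database as a bound string parameter rather than as a PHP int.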