Newsgroups: php.internals
Subject: Re: [PHP-DEV] Adding "numeric" type hint
From: smalyshev@gmail.com (Stanislav Malyshev)
Date: Wed, 29 Apr 2015 23:51:36 -0700
Message-ID: <5541D0F8.8020907@gmail.com>
To: Yasuo Ohgaki
CC: Ryan Pallas, "internals@lists.php.net"
References: <55401F31.9030703@gmail.com> <55416849.9010808@gmail.com> <5541753D.5050908@gmail.com> <55419C0C.7020207@gmail.com> <5541C0E0.2080006@gmail.com>

Hi!

> Unfortunately, not all users do this, and the new PHP type hint opens a new hole
> that security researchers and attackers are interested in.

I am sorry, but you have still brought no proof at all that there are any security implications. Without such proof, these claims are baseless, so I intend to ignore them from now until such time as some proof is provided, and advise others to do the same.

> I prefer a relaxed int/float type hint a lot, but "numeric" can be an
> alternative.

No, it can't, because it's not a type, it's a string regex check, and we should not mix those with types.

> It's much easier to advocate to users "Use the numeric type hint for database
> record IDs/etc." than "Use the string type hint for database IDs _and_ validate
> its content by yourself".

The latter is the right thing to do (well, except for the part where the string type is not really necessary unless you expect to get something that can't be made a string, in which case your code is very messed up by that point).

> PHP was weakly typed and a too-strict type hint creates issues. Weakening
> a bit does not harm anything, narrowing the window to attack. If a user needs native

There's no attack, and it does harm the design of the language by mixing types with unrelated string regex checks.

> int/float strictly, they should/can use "strict" mode also.
>
> Do you see issues with relaxing?

Yes, lots of them.

-- 
Stas Malyshev
smalyshev@gmail.com
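The following PHP script is an added example, not part of this thread or of the "numeric" proposal. It puts the three options discussed above side by side on the same request-style inputs: the `is_numeric()` check that a "numeric" hint would amount to, the coercive-mode `int` hint, and an explicit validator for a database record ID. The `recordId()` helper and the sample inputs are this example's own constructions; `filter_var()` with `FILTER_VALIDATE_INT` is a standard PHP function.

```php
<?php
// Added example (not from the thread): contrasts is_numeric(), the
// string-format check behind a "numeric" hint, with the coercive int hint
// and with an explicit record-ID validator. Runs on PHP 7.0+; a few of the
// int-hint coercion cases behave differently between PHP 7 and PHP 8, so
// the script reports what the running interpreter does rather than
// hard-coding an expectation.

// Coercive-mode int hint (no declare(strict_types=1) in this file):
// PHP converts numeric strings and throws TypeError for the rest.
function acceptInt(int $id): int
{
    return $id;
}

// Hypothetical validator for a positive integer record ID. This is the
// example's own helper, not a PHP builtin or anything from the proposal:
// it is the "validate its content by yourself" option from the message.
function recordId(string $raw): int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($v === false) {
        throw new InvalidArgumentException('invalid record id: ' . var_export($raw, true));
    }
    return $v;
}

// Call one function on one input and describe the outcome as a string.
function outcome(callable $fn, string $input): string
{
    try {
        return var_export($fn($input), true);
    } catch (TypeError $e) {
        return 'TypeError';
    } catch (InvalidArgumentException $e) {
        return 'rejected';
    }
}

// Constructed sample inputs, the kind of thing a query parameter carries.
// is_numeric() accepts leading whitespace, exponents and fractions
// (' 42', '1e3', '.5'), none of which is a valid record ID; recordId()
// accepts only '42' out of this set.
$samples = ['42', ' 42', '1e3', '.5', '-1', '0x2A', '42abc', 'abc'];

printf("%-10s %-12s %-12s %-12s\n", 'input', 'is_numeric', 'int hint', 'recordId');
foreach ($samples as $s) {
    printf("%-10s %-12s %-12s %-12s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        outcome('acceptInt', $s),
        outcome('recordId', $s));
}
```

Run it with `php example.php`. Adding `declare(strict_types=1);` as the first statement makes `acceptInt()` throw `TypeError` for every one of these string inputs, which is the "strict" mode the quoted message refers to; `recordId()` behaves the same in either mode because it never relies on coercion.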