Newsgroups: php.internals
Xref: news.php.net php.internals:86217
Subject: Re: [PHP-DEV] is_digits() and digits type
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Rowan Collins
Cc: internals@lists.php.net
Date: Thu, 14 May 2015 19:17:32 +0900
In-Reply-To: <5554689E.6030408@gmail.com>
References: <55518D59.6070108@gmail.com> <5554689E.6030408@gmail.com>

Hi Rowan,

On Thu, May 14, 2015 at 6:19 PM, Rowan Collins wrote:
> Yasuo Ohgaki wrote on 14/05/2015 06:19:
>
>> I guess DbC will not prevent users from abusing type hints, though.
>
> They'll only "abuse" them in exactly the same way they currently "abuse"
> existing checks and casts.
>
> e.g. $id = intval($_GET['id']); looks perfectly reasonable to most people,
> but if you want to use a 64-bit ID on a 32-bit system, you will consider
> that a bug. If someone uses an int typehint for the same purpose then it
> is, equally, a bug.
>
> The result of one will probably be retrieving the wrong data, and thus
> potential leak or corruption; the result of the other will probably be a
> fatal error, which at least stops the broken code in its tracks.

I saw such buggy casts too many times in my code auditing experience.
Since strict_types=1 requires "certain type", I'm expecting more buggy
casts with it. We need safe validation functions so that we can advocate
users do proper validation rather than buggy casts. IMHO.

There was one attempt https://wiki.php.net/rfc/safe_cast but it failed.
We need a new one.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
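The difference between the "buggy cast" discussed above and a validating check, as an added example that is not part of the thread and not the safe_cast RFC's own design. The function name `validate_id` and the sample inputs are assumptions made for illustration; the behaviour of `intval()` on the inputs is standard PHP (on PHP 7 and later, a numeric string past the platform int range saturates to `PHP_INT_MAX` rather than failing).

```php
<?php
declare(strict_types=1);

// Added example: validate an ID string instead of casting it.
// Returns the ID as int, or null when the input is not a canonical,
// unsigned decimal integer in the range [1, PHP_INT_MAX].
// The range test is done on the string, so no overflow or saturation
// can happen before we decide to accept the value.
function validate_id(string $raw): ?int
{
    // Only ASCII digits: no sign, no whitespace, no trailing garbage.
    if ($raw === '' || !ctype_digit($raw)) {
        return null;
    }
    // Canonical form only: reject leading zeros (and the lone "0").
    if ($raw[0] === '0') {
        return null;
    }
    // Compare against PHP_INT_MAX as strings: longer means larger,
    // equal length falls back to a lexical comparison of digits.
    $max = (string) PHP_INT_MAX;
    if (strlen($raw) > strlen($max)) {
        return null;
    }
    if (strlen($raw) === strlen($max) && strcmp($raw, $max) > 0) {
        return null;
    }
    // Safe to convert now: the value is known to fit.
    return (int) $raw;
}

// Constructed inputs of the kind that reach $_GET['id'] in practice.
$inputs = [
    '42',                    // valid
    '007',                   // non-canonical, intval() silently accepts
    '12abc',                 // trailing garbage, intval() returns 12
    ' 7',                    // leading whitespace, intval() returns 7
    '-1',                    // negative, intval() returns -1
    '99999999999999999999',  // past 64-bit range, intval() saturates
];

foreach ($inputs as $in) {
    printf(
        "%-24s intval=%-20s validate_id=%s\n",
        var_export($in, true),
        intval($in),
        var_export(validate_id($in), true)
    );
}
```

Run the script to see the two columns side by side: `intval()` returns an int for every line, which is exactly why the wrong row can be fetched without any error, while `validate_id()` returns null for all but the first input and the caller has to handle that explicitly (typically by rejecting the request). The same pattern applies to a 32-bit build, where `PHP_INT_MAX` is smaller and the string comparison rejects a 64-bit ID instead of clamping it.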