Newsgroups: php.internals
Date: Tue, 23 Jun 2015 21:40:56 -0400
To: Yasuo Ohgaki
Cc: Xinchen Hui, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Optimizing php_html_entities()
From: ircmaxell@gmail.com (Anthony Ferrara)

Yasuo,

> IMHO, escape/unescape/encode/decode/conversion function is better to accept
> any types.
> HTML template may be separated script, but database code etc may not.
>
> Writing code like
>
> <?php
> declare(strict_types=1);
> $sql = 'SELECT * FROM '. pg_escape_identifier((string)$table). ' WHERE id '.
> pg_escape_literal((string)$id).';';
> pg_query($sql);
> ?>
>
> is better to be avoided. i.e. (string) cast before passing parameter.

I agree 100%. Instead, the developer should get an error if the parameter is
not a string. Because it is an error. If you're passing an array to
`pg_escape_identifier`, you have FAR WORSE problems.

Having the function accept anything and return anything (as you're proposing)
would eliminate any ability to detect this problem.

If people blind cast, that's their problem. We shouldn't make it harder for
people to detect problems by blindly accepting anything under the sun.

> Another example. JSON decode convert numeric to int/float
>
> <?php
> declare(strict_types=1);
> $data = json_decode($json);
> $str = mb_convert_kana((string) $data['some_data'], 'AKHV');
> ?>
>
> Are we going to enforce users to use (string) casts for conversion functions
> to switch
> strict_types=1?

No, the entire point is to have them actually validate the types.

Anthony
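
The difference discussed in this message, shown as an added example that is not part of the original e-mail: a string-typed escaping function called under strict_types=1, once directly and once behind a blind (string) cast. escape_identifier() and attempt() are hypothetical names; escape_identifier() stands in for pg_escape_identifier() so the script runs without a database, and the inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for pg_escape_identifier(), so the script runs
// without a PostgreSQL connection. Only the string type declaration matters.
function escape_identifier(string $name): string
{
    return '"' . str_replace('"', '""', $name) . '"';
}

// Run $call and report what the caller would observe: the return value,
// a TypeError, and any warning or notice raised along the way.
function attempt(callable $call): string
{
    $warnings = [];
    set_error_handler(function (int $no, string $msg) use (&$warnings): bool {
        $warnings[] = $msg;
        return true;
    });
    try {
        $out = 'returned ' . $call();
    } catch (TypeError $e) {
        $out = 'TypeError';
    } finally {
        restore_error_handler();
    }
    return $warnings ? $out . ' (warning: ' . implode('; ', $warnings) . ')' : $out;
}

// Constructed inputs: the value a caller expects, plus values of the wrong
// type (for example a request parameter sent as table[]=users).
$inputs = ['users', ['users'], 42, null];

foreach ($inputs as $table) {
    // Strict call: a non-string argument stops execution with a TypeError.
    $strict = attempt(function () use ($table) {
        return escape_identifier($table);
    });
    // Blind cast: every input becomes some string, so the call always succeeds.
    $cast = attempt(function () use ($table) {
        return escape_identifier((string) $table);
    });
    printf("%-10s strict: %-18s blind cast: %s\n", json_encode($table), $strict, $cast);
}
```

With the cast in place, the array reaches the escaping function as the literal string Array and null as an empty identifier. The only remaining signal is a warning, which is the loss of detection the message objects to.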