Newsgroups: php.internals
Date: Wed, 24 Jun 2015 12:00:10 +0900
Subject: Re: [PHP-DEV] Optimizing php_html_entities()
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Anthony Ferrara
Cc: Xinchen Hui, internals@lists.php.net

Hi Anthony,

On Wed, Jun 24, 2015 at 10:40 AM, Anthony Ferrara wrote:

> > IMHO, it is better for escape/unescape/encode/decode/conversion functions
> > to accept any type.
> > An HTML template may be a separate script, but database code etc. may not.
> >
> > Writing code like
> >
> > <?php
> > declare(strict_types=1);
> > $sql = 'SELECT * FROM ' . pg_escape_identifier((string) $table) . ' WHERE id = ' .
> >     pg_escape_literal((string) $id) . ';';
> > pg_query($sql);
> > ?>
> >
> > is better avoided, i.e. a (string) cast before passing the parameter.
>
> I agree 100%. Instead, the developer should get an error if the
> parameter is not a string. Because it is an error. If you're passing
> an array to `pg_escape_identifier`, you have FAR WORSE problems.
> Having the function accept anything and return anything (as you're
> proposing) would eliminate any ability to detect this problem.
>
> I agree 100%. If people blind cast, that's their problem. We shouldn't
> make it harder for people to detect problems by blindly accepting
> anything under the sun.

strict_types=1 creates an issue for int/float, which are valid and accepted
without strict_types. We will have mixed types due to type hints, and it's
problematic. If escape functions accept string/int/float/object (only when it
has __toString), it's easier for users. Safety is guaranteed as well.
Functions other than escape/conversion functions that expect the "string" type
should get type errors.

> > Another example. JSON decode converts numerics to int/float.
> >
> > <?php
> > declare(strict_types=1);
> > $data = json_decode($json, true);
> > $str = mb_convert_kana((string) $data['some_data'], 'AKHV');
> > ?>
> >
> > Are we going to force users to use (string) casts for conversion functions
> > to switch to strict_types=1?
>
> No, the entire point is to have them actually validate the types.

I fully agree. But people will do this unless we make conversion functions
accept safe/valid scalars/objects... Or worse, people will make the assumption
that variables are safe to output without escaping... Since there were no
contracts before PHP7, I think we may adjust the contract for some functions
before the PHP7 release.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
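As an added example (not code from the thread or from PHP itself), here is a PHP 7+ escaping helper that follows the contract Yasuo proposes: it accepts string, int, float and objects with __toString, and rejects every other type with a TypeError, so code under strict_types=1 needs no blind (string) casts while an array passed by mistake still fails loudly. The helper name e() and the sample values are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. e() is a hypothetical helper that
// accepts the scalar set proposed above (string, int, float, objects with
// __toString) and rejects everything else with a TypeError, so callers under
// strict_types=1 never need a blind (string) cast and arrays still fail loudly.
function e($value): string
{
    if (is_string($value)) {
        $s = $value;
    } elseif (is_int($value) || is_float($value)) {
        // int/float have one unambiguous string form; accepting them is safe
        $s = (string) $value;
    } elseif (is_object($value) && method_exists($value, '__toString')) {
        $s = (string) $value;
    } else {
        // array/null/bool/resource almost always mean a bug upstream:
        // refuse instead of quietly emitting "Array", "" or "1" into the page
        throw new TypeError('e() expects string|int|float|__toString object, '
            . gettype($value) . ' given');
    }
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values
$id   = 42;               // an int, e.g. straight out of json_decode()
$name = '<b>"x"</b>';     // untrusted text that must be escaped
$tags = ['a', 'b'];       // an array passed by mistake

// Under strict_types=1 the core function refuses the int outright, which is
// what pushes people toward the (string) casts discussed in the thread.
try {
    htmlspecialchars($id);
} catch (TypeError $ex) {
    echo 'htmlspecialchars(int): ', $ex->getMessage(), "\n";
}

echo e($id), "\n";    // accepted: exact conversion, then escaped
echo e($name), "\n";  // accepted: escaped as usual

// A blind (string) cast hides the array bug: PHP only raises a notice/warning
// and the literal "Array" ends up in the output. The wrapper keeps it visible.
echo htmlspecialchars((string) $tags), "\n";
try {
    e($tags);
} catch (TypeError $ex) {
    echo 'e(array): ', $ex->getMessage(), "\n";
}
```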