Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:86834 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 41064 invoked from network); 24 Jun 2015 05:24:35 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 24 Jun 2015 05:24:35 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.178 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.160.178 mail-yk0-f178.google.com Received: from [209.85.160.178] ([209.85.160.178:36332] helo=mail-yk0-f178.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id BA/43-11255-01F3A855 for ; Wed, 24 Jun 2015 01:24:33 -0400 Received: by ykdr198 with SMTP id r198so18152761ykd.3 for ; Tue, 23 Jun 2015 22:24:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=yxpxXajxTwqES4B+vnFztKNFZ7ufp3cobhFNK16o/W4=; b=NU6hutxQCf+0uohZ2A1vQ7hRKpboIrna+JoF45GZdU2UKJ4AAAGQO9YmE8W9uSRGrs Xn/TuGG/cghkr8I+qSZx+w4ow7fxf8eYnVy9IB49DZrsFVlFwkZE06jg/BnR5mh6WUlC zUOGBq15oEgiELJlYLxTCEhRBnvj5YeALi1gb2VBZeXDykP/W5OZ080wpEGCqBFdnPZ/ Kk/nzK3to7QwKdOo0TVLblgzduB4stfXbA8j6RtIcbr8qOkaBziWbVCC+F8ZdInSv80G vy6bNwVNVoirq71VGWbPN3btMZylGHK6E9XA5k8sQ/onn7id26Czqdu74gN3dIbGJchj EL8A== X-Received: by 10.170.167.131 with SMTP id j125mr3143041ykd.50.1435123470095; Tue, 23 Jun 2015 22:24:30 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.129.48.129 with HTTP; Tue, 23 Jun 2015 22:23:50 -0700 (PDT) In-Reply-To: References: Date: Wed, 24 Jun 2015 14:23:50 +0900 X-Google-Sender-Auth: YpfOCMrLh8eTC0ShpsTYvylp4gA Message-ID: To: Anthony Ferrara Cc: Xinchen Hui , "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a113ac028a4df1605193cb89a Subject: Re: [PHP-DEV] Optimizing php_html_entities() From: yohgaki@ohgaki.net (Yasuo Ohgaki) --001a113ac028a4df1605193cb89a Content-Type: text/plain; charset=UTF-8 Hi Anthony, On Wed, Jun 24, 2015 at 12:00 PM, Yasuo Ohgaki wrote: > On Wed, Jun 24, 2015 at 10:40 AM, Anthony Ferrara > wrote: > >> > >> > IMHO, escape/unescape/encode/decode/conversion function is better to >> accept >> > any types. >> > HTML template may be separated script, but database code etc may not. >> > >> > Writing code like >> > >> > > > declare(strict_types=1); >> > $sql = 'SELECT * FROM '. pg_escape_identifier((string)$table). ' WHERE >> id '. >> > pg_escpae_literal((string)$id).';'; >> > pg_query($sql); >> > ?> >> > >> > is better to be avoided. i.e. (string) cast before passing parameter. >> >> I agree 100%. Instead, the developer should get an error if the >> parameter is not a string. Because it is an error. If you're passing >> > an array to `pg_escape_identifier`, you have FAR WORSE problems. >> Having the function accept anything and return anything (as you're >> proposing) would eliminate any ability to detect this problem. >> > > I agree 100%. > > >> If people blind cast, that's their problem. We shouldn't make it >> harder for people to detect problems by blindly accepting anything >> under the sun. >> > > strict_types=1 creates issue for int/float which is valid and accepted > without strict_types. > > We will have mixed types due to type hint and it's problematic. > If escape functions accept string/int/float/object(only when > it has __toString), it's easier for users. Safety is guaranteed also. > > Other than escape/conversion functions that expect "string" type > should get type errors. > > > > Another example. JSON decode convert numeric to int/float >> > >> > > > declare(strict_types=1); >> > $data = json_decode($json); >> > $str = mb_convert_kana((string) $data['some_data'], 'AKHV'); >> > ?> >> > >> > Are we going to enforce users to use (string) casts for conversion >> functions >> > to switch >> > strict_types=1? >> >> No, the entire point is to have them actually validate the types. > > > I fully agree. > > But people will do this, unless we make conversion functions accept > safe/valid scalars/objects... Or worse, people make assumption that > variables are safe to output w/o escape... > > Since there weren't contracts before PHP7, I think we may adjust contract > for some functions before PHP7 release. > Another reason of this optimization is type affinity that I would like to add. https://wiki.php.net/rfc/introduce-type-affinity With type affinity, "integer string"/"float string" are converted to int/float type and PHP can execute script more efficiently with type hint. i.e. Type affinity eliminates countless "string" -> "int/float" conversions with weak type hint. Issue with converted values is int/float cannot escape as it is now because they expect "string" strictly with "strict_types=1", as well as it requires needless type conversions to "string" in weak mode. e.g. htmlspecialchars, pg_escape_string/identifier/literal, etc. Therefore, I would like to allow int/float for these functions. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --001a113ac028a4df1605193cb89a--