Newsgroups: php.internals
From: mails@thomasbley.de ("Thomas Bley")
To: internals@lists.php.net, ircmaxell@gmail.com
Date: Sun, 23 Aug 2015 02:33:46 +0200 (CEST)
Subject: Re: [PHP-DEV] [RFC] [Discuss] Random Functions Throwing Exceptions in PHP 7.0.0

Anthony Ferrara wrote on 22.08.2015 21:58:

> All,
>
> I am putting a simple RFC up for discussion to make random_* throw
> exceptions on failure in order to ensure we fail-closed.
>
> https://wiki.php.net/rfc/random-function-exceptions
>
> Considering this topic has already been discussed, I intend to open
> voting on this as soon as allowable. Given the voting policy specifies
> 2 weeks for language changes and 1 week for another, this is assumed
> to require 1 week of "discussion".
>
> With that in mind, I intend to put this RFC up to vote on August 29/30th.
>
> Thanks!
>
> Anthony

Hi,

I think there are a lot of security problems if people ignore return values, e.g. password comparison, user lookup in database, lookups for permissions, etc.
Having false + E_WARNING highlighted in the documentation with a yellow box and the Caution title should be enough.
Those who want exceptions can implement this in userland:

$rand = random_int(10, 100);
if ($rand === false) {
    throw new Exception('error ...');
}
// or write a wrapper like random_int_exception(...).

If people use this function without reading documentation, they will also use other things without documentation like database queries without binding/escaping, inject HTML without escaping, etc.
Having core functions suddenly throw exceptions causes many problems in the code structure.

Regards
Thomas
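
The two behaviours discussed in this thread, side by side, as an added example that is not part of the message above or of the RFC. failing_source(), reset_pin_unchecked() and reset_pin_checked() are hypothetical names; random_int_exception() takes its name from the message, but its body is written here and it accepts the source as a parameter so that a failure can be simulated.

```php
<?php
// Added illustration. failing_source() is a constructed stub that reports
// failure by returning false (the "false + E_WARNING" behaviour discussed
// above); it is not a PHP API.
function failing_source($min, $max)
{
    trigger_error('random source unavailable (constructed)', E_USER_WARNING);
    return false;
}

// Wrapper named after the one suggested in the message; body written here.
function random_int_exception(callable $source, $min, $max)
{
    $value = $source($min, $max);
    if ($value === false) {
        throw new RuntimeException('random source failed');
    }
    return $value;
}

// Caller that never checks the result: %d formats false as 0.
function reset_pin_unchecked(callable $source)
{
    return sprintf('%06d', $source(0, 999999));
}

// Caller that goes through the wrapper: no PIN exists unless the source worked.
function reset_pin_checked(callable $source)
{
    return sprintf('%06d', random_int_exception($source, 0, 999999));
}

// Keep the constructed warning out of the output; production code would log it.
set_error_handler(function () { return true; }, E_USER_WARNING);

echo 'unchecked, failing source: ', reset_pin_unchecked('failing_source'), PHP_EOL;

try {
    $pin = reset_pin_checked('failing_source');
    echo 'checked, failing source: ', $pin, PHP_EOL;
} catch (RuntimeException $e) {
    echo 'checked, failing source: refused (', $e->getMessage(), ')', PHP_EOL;
}

echo 'checked, working source: ', reset_pin_checked('random_int'), PHP_EOL;
```

With the failing stub, the unchecked caller still returns a well-formed six-digit PIN, and it is the same PIN on every call; the checked caller returns nothing and raises instead.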