Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] [Discuss] Random Functions Throwing Exceptions in PHP 7.0.0
From: Niklas Keller <me@kelunik.com>
To: Thomas Bley
Cc: Scott Arciszewski, PHP Internals, Anthony Ferrara
Date: Sun, 23 Aug 2015 16:30:01 +0200
In-Reply-To: <20150823132604.1224B26052F@dd15934.kasserver.com>

> why not have false + e_warning for strict_types=0 and fatal error for
> strict_types=1 ?

Doing

    function random_int(): int { ...

How's this connected to `strict_types`? It's not.

> If people use this function without reading documentation, they will also
> use other things without documentation like database queries without
> binding/escaping, inject html without escaping, etc.
> Having core functions suddenly throw exceptions causes many problems in
> the code structure.

How are these things connected? How does this create any issues in any
existing code structure? This RFC affects only two new functions introduced
in PHP 7.

> I think there are a lot of security problems if people ignore return
> values, e.g. password comparison, user lookup in database, lookups for
> permissions, etc.

You compare an edge case, where these two functions currently return false
instead of throwing an exception to fail closed, to functions with an
expected `true|false` return value.

This change is especially important, because these functions may be used in
a way like this, as already mentioned in the previous discussions:

    for ($i = 0; $i < 10; $i++) {
        $result .= $values[random_int(0, 10)];
    }

It's simply far too easy to make mistakes in security-relevant code.

Regards, Niklas
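The following is an added example, not code from the thread or from PHP itself. It puts the loop pattern quoted above next to two hypothetical wrappers, `random_int_or_false()` (return `false` on failure, the behaviour the reply argues against) and `random_int_or_throw()` (throw on failure), and drives both with a constructed `$entropyAvailable` flag that simulates the OS entropy source being unavailable; the real `random_int()` has no such parameter. It shows why the sentinel is dangerous in exactly this code shape: `$alphabet[false]` is `$alphabet[0]`, so the loop completes without any error and produces a constant string.

```php
<?php
declare(strict_types=1);

// Added example, not part of the thread. The two wrappers are hypothetical
// stand-ins for the behaviours under discussion; the constructed
// $entropyAvailable flag simulates the entropy source failing (the real
// random_int() takes no such argument).

/** Hypothetical "fail open" variant: returns false when no entropy is available. */
function random_int_or_false(int $min, int $max, bool $entropyAvailable)
{
    if (!$entropyAvailable) {
        return false;
    }
    return random_int($min, $max);
}

/** Hypothetical "fail closed" variant: throws instead of returning a sentinel. */
function random_int_or_throw(int $min, int $max, bool $entropyAvailable): int
{
    if (!$entropyAvailable) {
        throw new Exception('No appropriate source of randomness available');
    }
    return random_int($min, $max);
}

/** The pattern from the message: pick $length characters from $alphabet. */
function buildToken(callable $rng, array $alphabet, int $length): string
{
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        // If $rng returns false, PHP casts the array key to int: $alphabet[false]
        // is $alphabet[0], so the loop quietly yields a constant, predictable string.
        $token .= $alphabet[$rng(0, count($alphabet) - 1)];
    }
    return $token;
}

$alphabet = str_split('abcdefghijklmnopqrstuvwxyz0123456789');

// 1. Entropy source down, "false" variant: no error, but every character is $alphabet[0].
$weak = buildToken(function (int $a, int $b) {
    return random_int_or_false($a, $b, false);
}, $alphabet, 16);
echo "false variant produced: {$weak}", PHP_EOL;

// 2. Entropy source down, "throw" variant: the failure cannot be ignored.
try {
    buildToken(function (int $a, int $b): int {
        return random_int_or_throw($a, $b, false);
    }, $alphabet, 16);
} catch (Exception $e) {
    echo 'throw variant aborted: ', $e->getMessage(), PHP_EOL;
}

// 3. Healthy entropy source: the throwing variant returns an ordinary random token.
$ok = buildToken(function (int $a, int $b): int {
    return random_int_or_throw($a, $b, true);
}, $alphabet, 16);
echo "healthy source produced: {$ok}", PHP_EOL;
```

The point to notice is in case 1: nothing in `buildToken()` inspects the return value, and nothing in PHP forces it to, so a failed RNG degrades into a constant token that still looks like a valid result to the caller. With the throwing variant the same calling code either gets a real token or unwinds to a `catch`, which is the fail-closed behaviour the reply is arguing for.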