Newsgroups: php.internals
To: internals@lists.php.net, larry@garfieldtech.com
Date: Sun, 23 Aug 2015 18:52:30 +0200 (CEST)
Subject: Re: [PHP-DEV] [RFC] [Discuss] Random Functions Throwing Exceptions in PHP 7.0.0
From: mails@thomasbley.de ("Thomas Bley")

Larry Garfield wrote on 23.08.2015 18:19:

> On 08/22/2015 07:33 PM, Thomas Bley wrote:
>> Anthony Ferrara wrote on 22.08.2015 21:58:
>>
>>> All,
>>>
>>> I am putting a simple RFC up for discussion to make random_* throw
>>> exceptions on failure in order to ensure we fail-closed.
>>>
>>> https://wiki.php.net/rfc/random-function-exceptions
>>>
>>> Considering this topic has already been discussed, I intend to open
>>> voting on this as soon as allowable. Given the voting policy specifies
>>> 2 weeks for language changes and 1 week for another, this is assumed
>>> to require 1 week of "discussion".
>>>
>>> With that in mind, I intend to put this RFC up to vote on August 29/30th.
>>>
>>> Thanks!
>>>
>>> Anthony
>>>
>
> *snip*
>
>> If people use this function without reading documentation, they will also use
>> other things without documentation like database queries without
>> binding/escaping, inject html without escaping, etc.
>> Having core functions suddenly throw exceptions causes many problems in the
>> code structure.
>>
>> Regards
>> Thomas
>
> It's actually the other way around that is the compelling argument here.
>
> We *already know* that developers use things without documentation, like
> database queries without binding/escaping, inject HTML without escaping,
> etc. These things happen all the time, despite extensive documentation
> efforts to prevent them from doing so. Therefore, there is little
> evidence to suggest that documenting "you must check the return value to
> make sure it's not false", no matter how big, red, and flashing we made
> it, will result in people actually doing so.
>
> If we want these functions to be safely used, they need to be naively
> safe to use. They simply won't be used safely otherwise, and these are
> high-sensitivity functions (by design).
>
> --Larry Garfield
>

I guess people continue to use rand() or mt_rand() if they skip the documentation.
Even frameworks which are advertised with 100% php7 compatibility use mt_rand().

Regards
Thomas
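
The "return false and hope the caller checks" versus "fail closed" contrast discussed in this thread, as an added example that is not part of any message in the thread or of the RFC. The helpers bytes_or_false() and bytes_or_throw(), the $sourceOk flag that simulates an unavailable randomness source, and the generic Exception type are all assumptions made for illustration.

```php
<?php
// Constructed demo: $sourceOk simulates whether the OS randomness source works.

// Hypothetical stand-in for the "returns false on failure" behaviour.
function bytes_or_false($length, $sourceOk)
{
    return $sourceOk ? random_bytes($length) : false;
}

// Hypothetical stand-in for the fail-closed behaviour proposed in the RFC.
function bytes_or_throw($length, $sourceOk)
{
    if (!$sourceOk) {
        throw new Exception('no suitable source of randomness');
    }
    return random_bytes($length);
}

// Naive caller: never checks the return value.
function naive_token($sourceOk)
{
    // On failure, false is coerced to "" and the "token" is an empty string.
    return bin2hex(bytes_or_false(16, $sourceOk));
}

// The same naive caller is safe when the failure is an exception:
// the token is either random or never produced at all.
function safe_token($sourceOk)
{
    return bin2hex(bytes_or_throw(16, $sourceOk));
}

// Healthy source: both variants yield 32 hex characters.
var_dump(strlen(naive_token(true)), strlen(safe_token(true)));

// Failing source, unchecked false: every caller receives the same token.
var_dump(naive_token(false) === naive_token(false));

// Failing source, exception: execution stops before a token can be issued.
try {
    $token = safe_token(false);
    echo "issued token: ", $token, "\n";
} catch (Exception $e) {
    echo "token generation aborted: ", $e->getMessage(), "\n";
}
```

The script relies on PHP's default coercive typing; under declare(strict_types=1) the unchecked false would instead raise a TypeError at bin2hex().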