Newsgroups: php.internals
From: mails@thomasbley.de ("Thomas Bley")
To: internals@lists.php.net, inefedor@gmail.com
Date: Mon, 24 Aug 2015 04:30:28 +0200 (CEST)
Subject: Re: [PHP-DEV] [RFC] [Discuss] Random Functions Throwing Exceptions in PHP 7.0.0

Nikita Nefedov wrote on 23.08.2015 18:27:

>
>> On 23 Aug 2015, at 18:37, Thomas Bley wrote:
>>
>> consider this code:
>>
>> declare(strict_types=0);
>> ini_set('display_errors', '1');
>>
>> function get_random_int(): int {
>>     return false;
>> }
>> echo get_random_int();
>>
>> and then use strict_types=1
>
> So you're implying that in case of returning false with strict_types turned on
> that would just throw a TypeError? That would be a bug in PHP. If you were
> saying that in this case it should throw a different kind of error (the one
> that was proposed by Anthony initially) then it wouldn't make sense again
> because then you're creating a straight relation between having strict_types
> mode turned on and random_int() throwing an exception about not getting a reliable
> source of entropy.
>
>> Even correct return values of random_int() might create bad passwords.
>> So I propose to have a function in core which tests the strength of the
>> password:
>>
>> $password = '';
>> for ($i = 0; $i < 10; $i++) {
>>     $password .= $characters[random_int(0, 30)];
>> }
>> if (password_strength($password) < PHP_PASSWORD_STRONG) {
>>     throw new Exception("password not strong enough");
>> }
>
> I don't think it's a good idea, a language delivers features that a user would
> have a hard time implementing themselves, small blocks from which you can
> build whatever you want. A function that checks if a string contains
> alpha-numeric symbols as well as punctuation is pretty easy to implement in
> user land.

If it would be so easy to implement this function, there would be no problems with weak passwords in PHP software.
You can also implement fopen('/dev/urandom','rb') in userland without having random_int().

Regards
Thomas
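
What the return-false-versus-exception question means for the password loop quoted in this message, as an added example that is not part of the original mail or of PHP itself. `$returnsFalse`, `$throws` and `make_password()` are hypothetical names standing in for a random source whose entropy has failed, and the 31-symbol alphabet is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins (not PHP core functions) for a random source
// whose entropy has failed. One reports the failure by returning false,
// the other by throwing, as the RFC in the subject line proposes.
$returnsFalse = function (int $min, int $max) {
    return false;
};
$throws = function (int $min, int $max): int {
    throw new Exception('no reliable source of entropy');
};

// The password loop from the thread, parameterised on the integer source.
function make_password(callable $randomInt, array $characters, int $length): string
{
    $password = '';
    $max = count($characters) - 1;
    for ($i = 0; $i < $length; $i++) {
        // An array key of false is cast to integer 0, so a false return
        // silently selects $characters[0] on every iteration.
        $password .= $characters[$randomInt(0, $max)];
    }
    return $password;
}

// Constructed alphabet with 31 symbols, matching random_int(0, 30) in the thread.
$characters = str_split('abcdefghijklmnopqrstuvwxyz23456');

// Fail-open: no error is raised and every position is the first symbol.
$weak = make_password($returnsFalse, $characters, 10);
var_dump($weak, $weak === str_repeat($characters[0], 10));

// Fail-closed: the exception stops the loop before any password is returned.
try {
    $issued = make_password($throws, $characters, 10);
} catch (Exception $e) {
    $issued = null;
    error_log('password generation refused: ' . $e->getMessage());
}
var_dump($issued);
```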