Newsgroups: php.internals
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Marco Pivetta
Cc: "internals@lists.php.net"
Date: Tue, 19 Apr 2016 16:10:49 -0700
Subject: Re: [PHP-DEV] Re: Improving PHP's type system
Message-ID: <5716BAF9.6000302@gmail.com>

Hi!

> Any reflector-based system, such as a serializer, an ORM or just a
> dependency injection or configuration loader would be able to do operations
> in a much more precise and less complex way.

This should be solved by annotations. Yes, I know all the story, but it does not change the fact that ORM serialization is not the same as internal PHP typing, and arguing we need to change the PHP typing system because it makes it easier for (a particular) ORM serializer is putting the cart in front of the horse.

> Having a configuration system that expects to call setters with specific
> parameter types can allow the configuration system to validate the given
> data upfront, providing meaningful exceptions to the user, without having
> to write an entire separate config specification.

We already have a system that provides meaningful exceptions to the user. It's called the PHP engine. The system you describe changes nothing but the wording of error messages. This is not really worth changing the typing system in PHP.

> Having a serializer that expects certain types of data allows rejecting any
> kind of value that is possibly insecure, and would cause a RCE
> vulnerability by unserializing a value into something with a malicious
> `__wakeup` in it.

All examples of unserialize problems so far were in the engine and those examples have all the types already known; the problem was/is that the unserializer has no way to use this information. This problem is not solved by adding more syntax.

> In general, improving the type system provides a much more interesting and
> practical playground for any kind of tool that would rely on static

That's my point - "more interesting playground" does not sound like reason enough to mess with the type system of a language used by millions. This sounds like a good description of a thesis project or an academic proof-of-concept language, not something a mature widely-used language prizing simplicity should be aiming for.

I completely agree that *if* we added a ton of shiny things into PHP then there would be a lot of interesting stuff to play with. I am saying that is not reason enough to actually add them.

-- 
Stas Malyshev
smalyshev@gmail.com
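
An added example, not part of the original message and not code from the PHP project: the `__wakeup` concern raised in the quoted text can be handled at runtime by passing the `allowed_classes` option that `unserialize()` accepts since PHP 7.0, which is how a caller tells the unserializer which types it expects. The `Settings` and `Gadget` classes, the `decodeSettings()` helper and all payloads are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed classes for illustration; neither comes from the thread.
final class Settings
{
    public $timeout = 30;
}

final class Gadget
{
    public static $woken = false;

    public function __wakeup()
    {
        // Stand-in for a side effect the application never meant to run.
        self::$woken = true;
    }
}

/**
 * Decode a serialized Settings object and refuse every other class.
 * Returns null when the payload is malformed or holds an unexpected type.
 */
function decodeSettings(string $payload)
{
    // Classes outside the allow-list are built as __PHP_Incomplete_Class,
    // so their __wakeup() is never invoked, including for nested objects.
    $value = @unserialize($payload, ['allowed_classes' => [Settings::class]]);

    // The allow-list constrains classes only; property types still need checking.
    if (!$value instanceof Settings || !is_int($value->timeout)) {
        return null;
    }
    return $value;
}

// Constructed sample payloads, produced locally with serialize().
$good = serialize(new Settings());
$foreign = serialize(new Gadget());
$carrier = new Settings();
$carrier->timeout = new Gadget();   // unexpected object hidden in a property
$nested = serialize($carrier);

var_dump(decodeSettings($good) instanceof Settings);
var_dump(decodeSettings($foreign));
var_dump(decodeSettings($nested));
var_dump(Gadget::$woken);
```

The first call yields a `Settings` instance, the other two are rejected, and `Gadget::$woken` stays false because `__wakeup()` never runs for a class outside the allow-list.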