On 13/07/12 12:28, Ryan McCue wrote:
> Somewhat off-topic, but is there a reason why not? It seems to me that
> introducing a new API without using PHP's best method of error handling
> (IMHO) is a little silly.
I don't really trust exception throwing near password-managing functions.
Consider the following:

class UserLogin {
    var $loggedIn = false;
    function login() {
        // Pseudocode: fetch the row for the submitted username
        $row = SELECT * FROM user WHERE username = escape_string($_POST['user']);
        $this->checkPassword($row->password);
    }
    function checkPassword($pw_hash) {
        // Compare the submitted password against the stored hash
        if (password_verify($_POST['password'], $pw_hash))
            $this->loggedIn = true;
    }
}

The codebase does no global exception handling (because it doesn't throw
exceptions itself), and also nobody configured the server not to show
errors/exceptions (some say it was purposely set up to show them).
password_verify() "errors" if the parameters are not strings or the hash
doesn't match a known hash format.
Which kind of error should you use? Errors or exceptions? Provide a
reasoned answer.


-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
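
Added example (not part of the original message or of PHP itself): one risk in the scenario above is that an uncaught exception's stack trace, when displayed, includes the call arguments, here the plaintext password and the stored hash. `verify_or_throw()` is a hypothetical throwing stand-in for `password_verify()`, `checkPasswordSafely()` is an assumed hardened variant, and the sample values are constructed.

```php
<?php
// Added illustration. verify_or_throw() is hypothetical: it stands in for a
// password_verify() that throws instead of raising a warning on a bad hash.
ini_set('zend.exception_ignore_args', '0'); // PHP >= 7.4: keep args in traces
function verify_or_throw(string $password, string $hash): bool
{
    if (empty(password_get_info($hash)['algo'])) {
        throw new InvalidArgumentException('unrecognised hash format');
    }
    return password_verify($password, $hash);
}

class UserLogin
{
    public $loggedIn = false;

    // Mirrors the message's checkPassword(): no try/catch anywhere.
    public function checkPassword(string $password, string $pwHash): void
    {
        if (verify_or_throw($password, $pwHash)) {
            $this->loggedIn = true;
        }
    }

    // Hardened variant: fail closed and log the message only, never the trace.
    public function checkPasswordSafely(string $password, string $pwHash): void
    {
        try {
            $this->checkPassword($password, $pwHash);
        } catch (Throwable $e) {
            $this->loggedIn = false;
            error_log(get_class($e) . ': ' . $e->getMessage());
        }
    }
}

$password = 'hunter2';            // constructed sample input
$badHash  = 'not-a-known-format'; // constructed: malformed stored hash
$login = new UserLogin();
try {
    $login->checkPassword($password, $badHash);
} catch (Throwable $e) {
    // This string is what display_errors would render for an uncaught exception.
    $rendered = $e->getTraceAsString();
    var_dump(strpos($rendered, $password) !== false); // is the plaintext in it?
}
$login->checkPasswordSafely($password, $badHash);
var_dump($login->loggedIn); // login state after the failed verification
```

On PHP 8.2 and later, marking a parameter with `#[\SensitiveParameter]` redacts its value from stack traces.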
