Larry Garfield wrote on 23.08.2015 18:19:
> On 08/22/2015 07:33 PM, Thomas Bley wrote:
>> Anthony Ferrara wrote on 22.08.2015 21:58:
>>
>>> All,
>>>
>>> I am putting a simple RFC up for discussion to make random_* throw
>>> exceptions on failure in order to ensure we fail-closed.
>>>
>>> https://wiki.php.net/rfc/random-function-exceptions
>>>
>>> Considering this topic has already been discussed, I intend to open
>>> voting on this as soon as allowable. Given the voting policy specifies
>>> 2 weeks for language changes and 1 week for another, this is assumed
>>> to require 1 week of "discussion".
>>>
>>> With that in mind, I intend to put this RFC up to vote on August 29/30th.
>>>
>>> Thanks!
>>>
>>> Anthony
>>>
>>> --
>>> PHP Internals - PHP Runtime Development Mailing List
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>
> *snip*
>
>> If people use this function without reading documentation, they will also use
>> other things without documentation like database queries without
>> binding/escaping, inject html without escaping, etc.
>> Having core functions suddenly throw exceptions causes many problems in the
>> code structure.
>>
>> Regards
>> Thomas
>
> It's actually the other way around that is the compelling argument here.
>
> We *already know* that developers use things without documentation, like
> database queries without binding/escaping, inject HTML without escaping,
> etc. These things happen all the time, despite extensive documentation
> efforts to prevent them from doing so. Therefore, there is little
> evidence to suggest that documenting "you must check the return value to
> make sure it's not false", no matter how big, red, and flashing we made
> it, will result in people actually doing so.
>
> If we want these functions to be safely used, they need to be naively
> safe to use. They simply won't be used safely otherwise, and these are
> high-sensitivity functions (by design).
>
> --Larry Garfield
>

I guess people continue to use rand() or mt_rand() if they skip the documentation.
Even frameworks which are advertised with 100% php7 compatibility use mt_rand().

Regards
Thomas
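
The fail-closed point debated in this thread, as an added example that is not part of any message above or of the RFC: the same unchecked caller is run against a generator that signals failure with `false` and one that throws. `rng_returns_false()`, `rng_throws()`, `naive_reset_token()` and `try_issue_token()` are hypothetical names, and both failures are simulated.

```php
<?php
// Added illustration, not code from the RFC or php-src.
// Both rng_* functions are hypothetical stand-ins that simulate an
// unavailable CSPRNG under the two API designs discussed in the thread.

function rng_returns_false(int $length)
{
    return false; // simulated failure, signalled only by the return value
}

function rng_throws(int $length): string
{
    // simulated failure, signalled by an exception
    throw new Exception('no suitable source of randomness');
}

// A caller written without reading the documentation: the result is
// used directly, with no check for false.
function naive_reset_token(callable $rng): string
{
    // In PHP's default (non-strict) typing mode, false is coerced to ''
    // here, so a failed generator yields an empty token instead of an error.
    return bin2hex($rng(16));
}

// Harness only: reports what the unchecked caller ended up doing.
// In a real application the exception would simply propagate and stop
// the request unless something upstream handled it.
function try_issue_token(callable $rng): string
{
    try {
        $token = naive_reset_token($rng);
        return $token === ''
            ? 'issued an EMPTY token (fail-open)'
            : 'issued ' . $token;
    } catch (Exception $e) {
        return 'no token issued (fail-closed): ' . $e->getMessage();
    }
}

echo try_issue_token('rng_returns_false'), PHP_EOL;
echo try_issue_token('rng_throws'), PHP_EOL;
echo try_issue_token('random_bytes'), PHP_EOL; // real PHP 7+ function, normal case
```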