On Fr, 2019-03-01 at 12:25 +0100, Nikita Popov wrote: > For extension authors, the guideline is:
Will zend_parse_paramters and related detect if an exception is thrown and fail? I believe things like database (or other network) extensions have to be really carefully checked, not that we store corrupted data (empty string) in the database (or otherwise send via network) while returning an error to the user. Simple 5 minute example based on your branch: <?php class throws { function __toString() { throw new Exception("Sorry"); } } $db = new sqlite3(':memory:'); $db->exec('CREATE TABLE t(id int, v varchar(255))'); $stmt = $db->prepare('INSERT INTO t VALUES(:i, :v)'); $stmt->bindValue('i', 1234); $stmt->bindValue('v', new throws); try { $stmt->execute(); } catch (Exception $e) { echo "Exception thrown ...\n"; } $stmt->execute(); $query = $db->query("SELECT * FROM t"); while ($row = $query->fetchArray(SQLITE3_ASSOC)) { print_r($row); } ?> This prints Exception thrown ... Array ( [id] => 1234 [v] => ) So during the first execution it notices that the conversion went wrong and aborts the operation, but it keeps th emtpy string as bound value. On second execute it re-uses the values and doesn't notice the error. I fear we have many such cases which are subtle ad hard to find without deep review of any string conversion. And in future we will introduce bugs due to this in places where new conversions are added ... johannes -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php