[PHP-DEV] Re: Nullsafe Types

2021-06-24 Thread Eugene Sidelnyk
I would really like to hear your thoughts on this. On Thu, Jun 24, 2021, 10:14 PM Eugene Sidelnyk wrote: > Hello, everybody! > > After using the nullsafe operator for a while, I have some further thoughts. > In most cases when we make a type nullable, we would use the nullsafe operator > if we don't know

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Craig Francis
On Thu, 24 Jun 2021 at 21:25, Dan Ackroyd wrote: > > Please can you go into some detail about what you think people are > > meant to do when they detect a non-literal used where a literal is > > expected? > > There is a whole load of hand waving going on of "you can protect > yourself!" but then

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Dan Ackroyd
On Thu, 24 Jun 2021 at 19:12, Joe Watkins wrote: > > we're not > talking about a function that protects you from all possible security > concerns or bugs. I know. We're talking about something that is meant to protect programmers against silly mistakes. And this RFC doesn't do that. It allows s

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-24 Thread Mike Schinkel
> On Jun 24, 2021, at 8:04 AM, G. P. B. wrote: > > Moreover, the fact that only a very restricted number of programming > languages, which are some of the earliest languages ever, implement those > functions should tell you something about programming language design > as a whole, which is that m

Re: [PHP-DEV] [RFC] clamp

2021-06-24 Thread Bob Magic
why stop with clamp? add wrap too. imagine being against clamp but ok with floor and ceiling. let's make our math lib even better.

[PHP-DEV] Nullsafe Types

2021-06-24 Thread Eugene Sidelnyk
Hello, everybody! After using the nullsafe operator for a while, I have some further thoughts. In most cases when we make a type nullable, we would use the nullsafe operator if we don't know how to deal with it. This causes clogging of the main code with these ? signs. A possible solution is to make nullsafe type in

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Joe Watkins
Nobody has demonstrated that "string" . int can lead to anything but mistakes. It CANNOT lead to injection, and that's what we're talking about, we're not talking about a function that protects you from all possible security concerns or bugs. The actual definition of injection matters, when we ar

Re: [PHP-DEV] [Vote] Partial Function Application

2021-06-24 Thread Levi Morrison via internals
On Thu, Jun 24, 2021 at 11:12 AM Claude Pache wrote: > > > > > On 24 June 2021 at 18:02, Larry Garfield wrote: > > > > On Wed, Jun 16, 2021, at 11:16 AM, Larry Garfield wrote: > >> Hi folks. The vote for the Partial Function Application RFC is now > >> open, and will run until 30 June. > >> >

Re: [PHP-DEV] [Vote] Partial Function Application

2021-06-24 Thread Claude Pache
> On 24 June 2021 at 18:02, Larry Garfield wrote: > > On Wed, Jun 16, 2021, at 11:16 AM, Larry Garfield wrote: >> Hi folks. The vote for the Partial Function Application RFC is now >> open, and will run until 30 June. >> >> https://wiki.php.net/rfc/partial_function_application >> >> Of p

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Mike Schinkel
> On Jun 24, 2021, at 6:33 AM, Stephen Reay wrote: > >> On 24 Jun 2021, at 17:07, Kamil Tekiela wrote: >> >> Hi Stephen, >> >> I believe the idea was for dynamically generate table names, or numbered >> tables/columns. E.g. >> >> function getTable(string $table){ >>// is_literal check

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Larry Garfield
On Thu, Jun 24, 2021, at 11:18 AM, Scott Arciszewski wrote: > On Thu, Jun 24, 2021 at 5:22 AM Stephen Reay wrote: > 1. I never claimed that it wasn't a bug. > 2. I never claimed it wasn't impactful. > 3. I never claimed it wasn't security-affecting. > > I've simply said that this isn't an exampl

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Scott Arciszewski
On Thu, Jun 24, 2021 at 5:22 AM Stephen Reay wrote: > > If you **inject a `1=1` clause where one didn't exist before**, that's > > injection. Notice the introduction of an OR operator in the examples > > you cited. > > Please, explain to us all, how `where foo='bar' OR 1=1` is functionally > diff

Re: [PHP-DEV] [RFC] clamp

2021-06-24 Thread Mike Schinkel
> On Jun 24, 2021, at 7:59 AM, Pierre wrote: > > On 24/06/2021 at 11:44, Michał Marcin Brzuchalski wrote: >> I get an impression that we constantly add things into standard library >> which are from a language perspective irrelevant >> and that all could be developed in userland with no harm

Re: [PHP-DEV] [Vote] Partial Function Application

2021-06-24 Thread Larry Garfield
On Wed, Jun 16, 2021, at 11:16 AM, Larry Garfield wrote: > Hi folks. The vote for the Partial Function Application RFC is now > open, and will run until 30 June. > > https://wiki.php.net/rfc/partial_function_application > > Of particular note, a few people had asked about using ...? instead of

Re: [PHP-DEV] Checking that Closure is static

2021-06-24 Thread Dmitry Eliseev
Thu, 24 Jun 2021 at 17:38, Claude Pache : > On 18 June 2021 at 16:35, Дмитрий Елисеев wrote: > > Hello! When I use a static anonymous function as an HTTP-action in > some frameworks like: > > $app = new App(); > $app->get('/', static function () { > return new Response('Hello!'); > }) > > I g

[PHP-DEV] PHP 8.1.0alpha2 is available for testing

2021-06-24 Thread Ben Ramsey
PHP 8.1.0alpha2 has just been released and can be downloaded from: https://downloads.php.net/~patrickallaert/ Or use the git tag: php-8.1.0alpha2 Windows binaries are available at: https://windows.php.net/qa/ Please test it carefully, and report any bugs at https://bugs.php.net 8.1.0alpha3 shou

Re: [PHP-DEV] Checking that Closure is static

2021-06-24 Thread Claude Pache
> On 18 June 2021 at 16:35, Дмитрий Елисеев wrote: > > Hello! When I use a static anonymous function as an HTTP-action in > some frameworks like: > > $app = new App(); > $app->get('/', static function () { > return new Response('Hello!'); > }) > > I get a warning "Cannot bind an instance t

[PHP-DEV] Re: Checking that Closure is static

2021-06-24 Thread Dmitry Eliseev
18 June 2021 at 17:35, Dmitry Eliseev : > > Hello! When I use a static anonymous function as an HTTP-action in some > frameworks like: > > $app = new App(); > $app->get('/', static function () { >return new Response('Hello!'); > }) > > I get a warning "Cannot bind an instance to a static closur

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-24 Thread Hamza Ahmad
> I can also imagine bikeshed... This is what can be discussed apart from whether these functions come to PHP. I am waiting for the other voices; there is surely someone that can come up with a more creative name, a name that is short yet descriptive. > str_left_part/str_right_part is just what ca

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-24 Thread G. P. B.
On Thu, 24 Jun 2021 at 07:20, Hamza Ahmad wrote: > Hi George, > > > I really don't see the point of these functions. > > These functions provide clearer semantics for their usage. Are they though? The naming doesn't convey anything as pointed out by Kamil. > Substr, > as Sara has mentioned

Re: [PHP-DEV] [RFC] clamp

2021-06-24 Thread Pierre
On 24/06/2021 at 11:44, Michał Marcin Brzuchalski wrote: I get an impression that we constantly add things into standard library which are from a language perspective irrelevant and that all could be developed in userland with no harm. Cheers, -- Michał Marcin Brzuchalski Hello, I respectfu

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-24 Thread Andreas Leathley
On 24.06.21 13:17, Kamil Tekiela wrote: I am against adding these functions, but for different reasons than Sara and George. If we add str_left and str_right then there should be a corresponding variant in mbstring. The byte-string functions are rarely useful. Adding these functions to mbstring u

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-24 Thread Hamza Ahmad
Hi Kamil, Thanks for the opinions. I have two questions: 1. Though it's true that naming choice is something to discuss, is it really a big issue that can prevent these functions from being introduced? We can ask both developers and user community about the name choice. 2. Since my basic goa

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-24 Thread Guilliam Xavier
On Thu, Jun 24, 2021 at 1:17 PM Kamil Tekiela wrote: > I am against adding these functions, but for different reasons than Sara > and George. > If we add str_left and str_right then there should be a corresponding > variant in mbstring. The byte-string functions are rarely useful. Adding > these

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-24 Thread Kamil Tekiela
I am against adding these functions, but for different reasons than Sara and George. If we add str_left and str_right then there should be a corresponding variant in mbstring. The byte-string functions are rarely useful. Adding these functions to mbstring unnecessarily complicates the extension for

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Rowan Tommins
On 24/06/2021 11:35, Stephen Reay wrote: On 24 Jun 2021, at 17:16, Craig Francis wrote: On Thu, 24 Jun 2021 at 10:55, Stephen Reay wrote: but still I have to keep asking: Why integers at all? While I'm not a fan of this approach, there is a lot of existing code and tutorials that use: $s

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Stephen Reay
> On 24 Jun 2021, at 17:16, Craig Francis wrote: > > On Thu, 24 Jun 2021 at 10:55, Stephen Reay wrote: > >> but still I have to keep asking: Why integers at all? >> > > > While I'm not a fan of this approach, there is a lot of existing code and > tutorials that use: > > $sql = 'WHERE id

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Stephen Reay
> On 24 Jun 2021, at 17:07, Kamil Tekiela wrote: > > Hi Stephen, > > I believe the idea was for dynamically generate table names, or numbered > tables/columns. E.g. > > function getTable(string $table){ > // is_literal check here > } > > $number = (int) $_GET['tableno']; > if($number

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Craig Francis
On Thu, 24 Jun 2021 at 10:55, Stephen Reay wrote: > but still I have to keep asking: Why integers at all? > While I'm not a fan of this approach, there is a lot of existing code and tutorials that use: $sql = 'WHERE id IN (' . implode(',', array_map('intval', $ids)) . ')'; $sql = sprintf('SEL

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Kamil Tekiela
Hi Stephen, I believe the idea was for dynamically generate table names, or numbered tables/columns. E.g. function getTable(string $table){ // is_literal check here } $number = (int) $_GET['tableno']; if($number < 0 || $number > 10) { throw new Exception("Invalid number"); } $tablename

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Stephen Reay
> On 24 Jun 2021, at 14:29, Scott Arciszewski wrote: > > On Thu, Jun 24, 2021 at 2:10 AM Stephen Reay wrote: >> >> >> >> On 24 Jun 2021, at 08:30, Scott Arciszewski wrote: >> >> On Wed, Jun 23, 2021, 9:23 PM Bruce Weirdan wrote: >> >> On Thu, Jun 24, 2021 at 3:41 AM Scott Arciszewski >

Re: [PHP-DEV] [RFC] clamp

2021-06-24 Thread Michał Marcin Brzuchalski
Thu, 24 Jun 2021 at 02:15, tyson andre wrote: > Hello Kim Hallberg, > > > The RFC for the clamp function is now open and under discussion, you now > have 2 weeks > > to discuss, suggest improvements and open issues before voting is > considered. > > > From https://wiki.php.net/rfc/clamp - > >

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Stephen Reay
> On 24 Jun 2021, at 14:14, Scott Arciszewski wrote: > > On Thu, Jun 24, 2021 at 2:10 AM Stephen Reay wrote: >> Hi Scott, >> >> I wrote that example where an integer could be dangerous. > > I don't disagree that it's an example where an integer could be dangerous. > > Danger is too broad t

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Scott Arciszewski
On Thu, Jun 24, 2021 at 4:34 AM Guilliam Xavier wrote: > > > On Thu, Jun 24, 2021 at 9:14 AM Scott Arciszewski wrote: >> >> On Thu, Jun 24, 2021 at 2:10 AM Stephen Reay >> wrote: >> >> > I would absolutely make use of a function that tells me if the string >> > given is in fact from something

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Guilliam Xavier
On Thu, Jun 24, 2021 at 9:14 AM Scott Arciszewski wrote: > On Thu, Jun 24, 2021 at 2:10 AM Stephen Reay > wrote: > > > I would absolutely make use of a function that tells me if the string > given is in fact from something controlled by the developer. But once that > same string can also include

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-24 Thread Guilliam Xavier
On Thu, Jun 24, 2021 at 12:51 AM Sara Golemon wrote: > > [...] I'm > not going to vote for it though, because it belongs in composer/packagist > land, not in core. I've listed the reasons for this in the str_contains() > threads, feel free to reference those, they're still valid and correct. >

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-24 Thread Guilliam Xavier
On Wed, Jun 23, 2021 at 11:54 PM Rowan Tommins wrote: > On 23/06/2021 22:28, Christoph M. Becker wrote: > > substr() is about bytes, not characters. They all may have upvoted the > > wrong answer. The only correct answer has just 17 upvotes. > > > Just to out-pedant you, I'll point out that wha

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Scott Arciszewski
On Thu, Jun 24, 2021 at 2:10 AM Stephen Reay wrote: > > > > On 24 Jun 2021, at 08:30, Scott Arciszewski wrote: > > On Wed, Jun 23, 2021, 9:23 PM Bruce Weirdan wrote: > > On Thu, Jun 24, 2021 at 3:41 AM Scott Arciszewski > wrote: > > The failure condition of this query is > "return all rows from

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-24 Thread Scott Arciszewski
On Thu, Jun 24, 2021 at 2:10 AM Stephen Reay wrote: > Hi Scott, > > I wrote that example where an integer could be dangerous. I don't disagree that it's an example where an integer could be dangerous. Danger is too broad to have a meaningful discussion about. You can, of course, always do danger