On Apr 15, 2026, at 5:35 PM, Tim Düsterhus <[email protected]> wrote:
>
> Hi
>
> On 2026-04-15 22:09, Andrey Andreev wrote:
>> - It is clearly aiming for default of 1 and unreasonably expects all
>> codebases to be (meticulously) updated with SensitiveParameter attribute -
>> that is "opt-in security" and not secure by default
>
> There is no stack trace here, which means that the only functions that are
> affected by this RFC are native functions. Userland functions calling
> `trigger_error()` don't show the function name. All the native functions in
> php-src that handle sensitive inputs have been adapted right with the
> introduction of the #[\SensitiveParameter] attribute in PHP 8.2 - and if some
> are missing, I would consider that a pre-existing bug that needs fixing.
>
> And even if this wasn't the case, the ecosystem has widely adopted the
> attribute in the 4 years since its introduction, which was easily possible
> since attributes are fully backwards and forwards compatible with all PHP
> versions (including PHP versions that do not yet support attributes).
>
> Best regards
> Tim Düsterhus

I think I'll edit the RFC to clarify this.
