On Fri, Jul 10, 2009 at 11:50:04AM -0400, Alban wrote:
> On Fri, 10 Jul 2009 16:16:51 +0100, Alain Williams wrote:
>
> The GET argument, yes, should be an integer, but it's possible it is not!
> In this case, actually, I always use this syntax:
>
>     is_child(intval($_GET['age']));
> or
>     is_child( (int) ($_GET['age']));

*You* do the above because you know that you should; (hopefully you do other checks as well).

One of the things that we are doing is trying to help the naive/lazy programmer who doesn't bother - or thinks that javascript checking is enough :-(

What we want to do is to generate an error/warning message that can tell him that something is wrong.

> This is a big precaution for security reasons. And you say it below, many
> users don't check their $_GET and $_POST data.
> Yes, casting could help us silently but, perhaps, this is not the best
> way for educating these users.

The point is that casting MUST NOT be silent where a conversion is not clean. It must be stricter than the rules laid out at:

http://uk3.php.net/manual/en/language.types.string.php#language.types.string.conversion

This will not break BC compatibility because no code currently uses a cast in a function argument where the cast is in the function definition. We would need to be clear that casting here is stricter than normal.

> And in this case especially, numeric type hinting works very fine.
> The question is who coded the is_child function?

It doesn't really matter who coded it.

> 1. The user himself? If he uses type hinting in his function, he knows
> how to use it.
> 2. It's a PHP core function? The question is type hinting or not in PHP
> core functions? (perhaps in this case I prefer silent casting)
> 3. It's made by a team developer. Working with a team, there are
> certainly some recommendations and guidelines (including how to type hint).
> 4. It's a downloaded library made by a third party? This is the third
> party's choice; there is certainly a good reason to be strict (or a bad
> one, just to use type hinting for example).
>
> Please, excuse my english, I'm very bad :)

Don't worry - your message was well understood.

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>

--
PHP Internals - PHP Runtime Development Mailing List
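As an added example (not code from this thread, from PHP, or from the proposal under discussion), the following script contrasts intval()'s silent conversion of an unclean request value with a strict conversion that emits a warning instead, which is the behaviour argued for above; strict_int() is a hypothetical helper written for this illustration, and the sample values standing in for $_GET['age'] are constructed.

```php
<?php
// Added example: silent vs. strict string-to-int conversion of a request
// parameter. strict_int() is a hypothetical helper, not part of PHP.

/**
 * Strictly convert a request value to int.
 *
 * Returns the integer when the string is a clean integer literal
 * (optional sign followed by digits only); otherwise emits an
 * E_USER_WARNING and returns null, so the caller is told that the
 * conversion was not clean instead of receiving a silently mangled value.
 */
function strict_int($value)
{
    // FILTER_VALIDATE_INT rejects '12abc', '12.5', '' and 'abc' outright.
    $result = filter_var($value, FILTER_VALIDATE_INT);
    if ($result === false) {
        trigger_error(
            sprintf('Expected integer, got %s', var_export($value, true)),
            E_USER_WARNING
        );
        return null;
    }
    return $result;
}

// Constructed sample values standing in for $_GET['age'].
$samples = array('12', '12abc', 'abc', '12.5', '');

foreach ($samples as $raw) {
    // intval() never complains: '12abc' -> 12, 'abc' -> 0, '12.5' -> 12, '' -> 0
    $silent = intval($raw);
    // strict_int() returns null (after a warning) for everything except '12'
    $strict = strict_int($raw);
    printf("%-8s intval=%-3d strict=%s\n",
        var_export($raw, true), $silent, var_export($strict, true));
}
```

Run with warnings displayed to see that only the unclean inputs trigger the E_USER_WARNING, while intval() returns a plausible-looking integer for all of them.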