On 27.05.2010, at 14:31, Richard Quadling wrote:

> In any decent course regarding defensive programming, we are told to
> filter input and escape output. One easy way of filtering input is to
> cast and verify.
> 
> Once cast and verified we know we've got the right type and acceptable values.
> 
> In databases, you can't usefully have a column containing multiple
> types. Everything would end up as a char/text column to allow you to
> put a date AND a string AND a number AND a boolean value in the
> column.


Now think about how often you write a new API and how often you consume 
existing APIs. Now think about how much code you need to validate, cast, etc. 
Now think about where you want that code to be: in your API-consuming code or 
in the API.

I think the choice is obvious:
You don't want to have to replicate this validation/cast code all over the 
place, when it could be in one single location for that API call.

Now let's take your "lazy devs are lazy" argument. I think there is a saying that 
only lazy devs are good devs. But even so, PHP is not successful because it 
required highly skilled and disciplined developers. This has gotten PHP a bad 
rep with a fair number of people because of security issues that are in popular 
applications. Now of course we know you can write secure PHP apps, but isn't it 
in the best interest of the language to encourage that APIs and API-consuming 
code are written with as little effort as possible to be as functional and 
secure as possible?

Again, API developers are likely to be more competent than those consuming the 
APIs; that's just how the food chain goes. Furthermore, every API method will be 
called multiple times, and so moving the validation/cast logic there is simply 
efficient.

regards,
Lukas Kahwe Smith
m...@pooteeweet.org




--
PHP Internals - PHP Runtime Development Mailing List