Hi Pierre,

On Mon, Mar 30, 2015 at 10:54 AM, Pierre Joye <pierre....@gmail.com> wrote:
> Same effects but totally unrelated topics. All functions dealing with
> large external numbers had the same issues, since ever. It has nothing
> to do with STH.
>

Yes, it is. Developers make casting mistakes like this even when they are used to strict typing.

This makes me worry about wrong casting usage with PHP7. For example,

$db->findById($id);

The method prototype should be

function findById(string $id)

to be correct. I think there will be many users who write wrong code such as

function findById(int $id)

One may argue that most systems are 64 bit anyway and it would not be much of an issue. However, many IoT devices still use 32 bit OSes. 32 bit systems cannot be ignored yet. Users will cast $id to int without thinking of the consequences. This could create a security hole, as (int)$id for a string results in a 0/negative value.

Casting external values to int/float is simply wrong and evil. The current type hint encourages/requires casts even if users do not fully realize the consequences. We do make mistakes like this bug. We cannot assume PHP users will not.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
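The following is an added PHP example, not code from the thread or from PHP itself, illustrating the point made above: an explicit (int) cast on an externally supplied ID silently maps distinct inputs onto the same integer key, while keeping the ID a string and rejecting anything the cast would alter avoids that. The record table, the input list and the function names (findByIdUnsafe, findByIdSafe, isCanonicalIntString) are all constructed for this example.

```php
<?php
// Added example (not from the mailing-list thread): what an explicit (int)
// cast does to externally supplied IDs, and a validating lookup that refuses
// any ID the cast would silently change. All data here is constructed.

declare(strict_types=1);

// Constructed "database": records keyed by their ID exactly as stored.
$records = [
    '0'  => 'record zero (internal/default row)',
    '42' => 'record forty-two',
    '43' => 'record forty-three',
];

// Unsafe: the developer casts the external ID to int, as the message warns.
// Non-numeric input becomes 0, trailing garbage and leading whitespace or
// zeros are dropped, and values beyond the platform's int range (a much
// smaller range on 32-bit builds) are not preserved, so distinct inputs
// collide on the same record.
function findByIdUnsafe(array $records, string $id): ?string
{
    $key = (string)(int)$id;
    return $records[$key] ?? null;
}

// Safe: keep the ID a string and accept it only if it is all digits and the
// cast round-trips, i.e. (int) followed by (string) reproduces the input
// exactly. That rejects non-digits, signs (so no negatives), whitespace,
// leading zeros and any value outside the int range of the running build.
function isCanonicalIntString(string $id): bool
{
    return preg_match('/\A[0-9]+\z/', $id) === 1
        && (string)(int)$id === $id;
}

function findByIdSafe(array $records, string $id): ?string
{
    if (!isCanonicalIntString($id)) {
        return null; // reject rather than guess what the caller meant
    }
    return $records[$id] ?? null;
}

// Constructed inputs a buggy client or an attacker might send.
$inputs = ['42', '42abc', 'abc', ' 42', '042', '-0', '99999999999999999999'];

printf("%-24s %-36s %s\n", 'input', 'unsafe (cast)', 'safe (validated)');
foreach ($inputs as $in) {
    printf("%-24s %-36s %s\n",
        var_export($in, true),
        findByIdUnsafe($records, $in) ?? '(null)',
        findByIdSafe($records, $in) ?? '(null)');
}
```

Run it on a 64-bit and a 32-bit build to see the last input behave differently under the unsafe lookup while the validating lookup rejects it on both; the round-trip comparison is what makes the check independent of the platform's integer width.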