Dan,

On Thu, Apr 30, 2015 at 12:02 PM, Dan Ackroyd <dan...@basereality.com>
wrote:

> On 30 April 2015 at 02:17, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> > Current PHP: Search query failure.
> > New PHP type hint: Fatal error because the foreign key is out of PHP int
> > range.
>
> There may be some confusion; NikiC is still doing some work to tidy up
> the EngineExceptions. When that is finished passing a variable of the
> wrong type will give a TypeException.
>
> > If users are using type hints everywhere, it may be limited to attackers
> > seeing fatal errors. If not, an attacker can succeed in a system-wide DoS
> > attack by a simple operation.
>
> Passing in invalid primary keys should never result in a DoS
> attack...and I have no idea why you think it would be due to the
> presence or absence of scalar type hints.
>

It's very simple. A PHP int can be smaller than a DBMS's int.
With type hints, a valid ID can cause a fatal error.


>
>
> Yasuo wrote:
> > How many of us expect that
> > mydb_find_by_id(INT_MAX+1);
> > Note: INT_MAX+1 is a pseudo integer string value.
>
> Well currently it isn't:
>
> var_dump(PHP_INT_MAX + 1);
> float(9.2233720368548E+18)
>

You should realize that a DBMS returns values as strings. Record IDs included,
of course.



>
>
> Yasuo wrote:
> > How about having a "numeric" type hint that accepts any format/class (GMP)
> > of numeric values?
> >
> > The issue is that the weak mode type hint is *not* weak at all. It forces
> > having a machine-native type rather than its data form.
>
> So what you're suggesting is adding a numeric type that acts like GMP
> and allows arbitrary precision arithmetic on values? Isn't that just
> GMP? Except you'd need to convert the variable to be 'numeric' before
> doing any operation on it i.e. something like:
>
> $x = (numeric)INT_MAX;
> mydb_find_by_id($x+1);
>
> Unless you're also suggesting replacing PHP's current maths operations...


Have you ever tried to change a record ID supplied by a DBMS? I guess not.
In this case, IDs are integer-like strings and it works perfectly regardless
of the PHP int type.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
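The failure mode discussed in this thread, as an added example that is not part of the original message or of PHP's own code: a BIGINT primary key comes back from the driver as a decimal string, and in PHP 7+ weak mode a numeric string that does not fit in a native int is rejected by an `int` parameter with a TypeError rather than being converted. The function names, the `SAMPLE_ID_FROM_DB` value and the digit-string check are constructed for this illustration; the second function shows the alternative of validating the ID's shape and binding it as a string, so it never passes through native int conversion.

```php
<?php
// No declare(strict_types=1) here: this file runs in PHP's weak mode,
// which is the mode under discussion.

// Constructed sample: a BIGINT UNSIGNED key as a driver hands it back,
// i.e. as a string, chosen to be PHP_INT_MAX + 1 on a 64-bit build
// (on 32-bit builds anything above 2147483647 behaves the same way).
const SAMPLE_ID_FROM_DB = '9223372036854775808';

// Hypothetical lookup with a scalar type declaration. Passing a numeric
// string that overflows PHP's int is a TypeError in weak mode, so a valid
// key from the database never reaches the query.
function find_by_id_typed(int $id): string
{
    return 'SELECT * FROM t WHERE id = ' . $id;
}

// Hypothetical lookup that keeps the ID in its string form: check that it
// is a plain decimal digit string (up to 20 digits covers BIGINT UNSIGNED)
// and hand it to a parameterized query as a string parameter.
function find_by_id_string(string $id): array
{
    if (!preg_match('/^[1-9][0-9]{0,19}$/', $id)) {
        throw new InvalidArgumentException('ID must be a decimal digit string');
    }
    // With PDO this would be:
    // $pdo->prepare('SELECT * FROM t WHERE id = :id')->execute([':id' => $id]);
    return [
        'sql'    => 'SELECT * FROM t WHERE id = :id',
        'params' => [':id' => $id],
    ];
}

try {
    echo find_by_id_typed(SAMPLE_ID_FROM_DB), "\n";
} catch (TypeError $e) {
    // Uncaught, this would surface as a fatal error / HTTP 500 for a
    // perfectly valid record ID.
    echo 'typed lookup rejected the ID: ', $e->getMessage(), "\n";
}

// The string-based lookup accepts the same ID and leaves range checking
// to the database, which actually owns the column type.
var_dump(find_by_id_string(SAMPLE_ID_FROM_DB));
```

The first call reports a TypeError; the second returns the query and its bound string parameter. Keeping the ID as a validated string also means an input that is not a digit string fails an explicit check in application code rather than an implicit conversion, which is the place to log and reject it.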
