Brian Moon wrote on 16/07/2015 17:19:
> On the surface, this sounds like a good thing. Although, I question
> that if a user is not checking $result === false, then will they end
> up just wrapping this in an empty try/catch so their code does not
> fail? There is a mechanism to detect the error now.
>
> I question why the cryptographic functions would not force an integer
> to be passed. Those should not accept a boolean and evaluate it as
> false. I am not sure what functions you are talking about though.
> Maybe 3rd party user land code? Accepting a boolean in those cases is
> a bug in that code IMO.

Scott provided an example elsewhere in the thread:

    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < 32; ++$i) {
        $password .= $alphabet[random_int(0, $max)];
    }

That demonstrates both a situation where booleans can't be excluded, and
where you'd have to try pretty hard to silently catch the exception in a
way that left your code broken. I suppose you could forget to check if
the generated password is empty, but that doesn't seem all that likely.
If you've gone to the trouble of putting a try block in, you're at least
aware that the function CAN fail.

Regards,
--
Rowan Collins
[IMSoP]
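
The two failure designs debated in this message, run through the loop quoted above, as an added example that is not part of the original message or of PHP's own source. The two failing_* functions, the sample alphabet and the generate_password() wrapper are hypothetical, constructed only to simulate an RNG that cannot produce output.

```php
<?php
// Added illustration. Both failing_* functions are hypothetical stand-ins for
// a random_int() that cannot obtain randomness; neither is PHP's own code.
error_reporting(0); // demo only: hide the per-iteration string-offset diagnostic

function failing_rng_returns_false(int $min, int $max)
{
    return false; // "signal failure with false" design
}

function failing_rng_throws(int $min, int $max)
{
    throw new Exception('no source of randomness'); // "throw on failure" design
}

// The loop from the thread, parameterised on the RNG so both designs can be run.
function generate_password(callable $rng, string $alphabet, int $length = 32): string
{
    $password = '';
    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < $length; ++$i) {
        $password .= $alphabet[$rng(0, $max)];
    }
    return $password;
}

$alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'; // constructed sample alphabet

// Design 1: false is coerced to offset 0, so every character is $alphabet[0].
// The result has the right length and looks like a normal return value.
$unchecked = generate_password('failing_rng_returns_false', $alphabet);

// Design 2 with the empty catch Brian describes: the assignment never happens,
// so the caller is left with an empty string instead of a plausible password.
$swallowed = '';
try {
    $swallowed = generate_password('failing_rng_throws', $alphabet);
} catch (Exception $e) {
    // deliberately empty
}

printf("false-returning RNG: %s (one distinct character: %s)\n",
    var_export($unchecked, true),
    var_export(count(array_unique(str_split($unchecked))) === 1, true));
printf("throwing RNG, exception swallowed: %s (empty: %s)\n",
    var_export($swallowed, true),
    var_export($swallowed === '', true));
```

A length check on the result catches the swallowed-exception case but not the false-returning one, which is why the second is the harder failure to notice downstream.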