On 20/11/14 07:29, Yasuo Ohgaki wrote:
> $id = $_GET['id'];
> pg_qeury("SELECT * FROM some_table WHERE id = $id;");
Anybody using that method of passing parameters to a database needs much
better education. This particular proposal just adds yet another 'how
not to' rather than actually fixing the
Hi!
> Please refer to CWE/SANS TOP 25, Monster Mitigation especially.
>
> http://cwe.mitre.org/top25/#Mitigations
>
> and ISO 27000. (I cannot provide link to it, since one should buy the
> document to read)
Could you please be more specific about how this relevant to this
specific case? "But a
Hi Stas,
On Thu, Nov 20, 2014 at 4:10 PM, Yasuo Ohgaki wrote:
> Please refer to CWE/SANS TOP 25, Monster Mitigation especially.
>
> http://cwe.mitre.org/top25/#Mitigations
>
> and ISO 27000. (I cannot provide link to it, since one should buy the
> document to read)
>
> Programmer should control
Hi Stas,
On Thu, Nov 20, 2014 at 10:28 AM, Stanislav Malyshev
wrote:
> > I like this RFC overall. Precise parameter checks is good for security
> > always.
>
> I don't see how it matters for security at all. If you need an int,
> (int) works as well as any proposed check, security-wise. You may
Hi!
> I like this RFC overall. Precise parameter checks is good for security
> always.
I don't see how it matters for security at all. If you need an int,
(int) works as well as any proposed check, security-wise. You may want
different diagnostics, etc. but this doesn't have to do much with
secur
Hi!
> The point of this discussion is that there is an RFC on the table
> which can be implemented in such a way that it fixes this behaviour
> (by introducing a default parent, or injecting an empty constructor)
> or such that it carefully preserves it (by making a special case for
> parent::__co
Rather than being a bug, this matter is simply a "gotcha", one that Julien
Pauli' pointed out in his "PHP gotcha 2013" (see
https://gist.github.com/jpauli/8196145). After consulting with other
knowledgeable members of the PHP Community last year, I understand that this
is an optimization feat
> On 19 Nov 2014, at 21:57, Levi Morrison wrote:
>
>> Since some things might have changed since you last read the RFC, I
>> encourage you to read through it again. If there are any questions which
>> have not yet been covered on the mailing list, feel free to ask them.
>
> - The RFC does no
> Since some things might have changed since you last read the RFC, I encourage
> you to read through it again. If there are any questions which have not yet
> been covered on the mailing list, feel free to ask them.
- The RFC does not address how this is different from
FILTER_VALIDATE_* from
> On 19 Nov 2014, at 21:29, Lester Caine wrote:
>
> On 19/11/14 20:39, Andrea Faulds wrote:
>> Since some things might have changed since you last read the RFC, I
>> encourage you to read through it again. If there are any questions which
>> have not yet been covered on the mailing list, feel
On 19/11/14 20:39, Andrea Faulds wrote:
> Since some things might have changed since you last read the RFC, I encourage
> you to read through it again. If there are any questions which have not yet
> been covered on the mailing list, feel free to ask them.
What happens on a 32bit machine?
--
L
Good evening,
I am putting the Safe Casting Functions RFC to a vote.
https://wiki.php.net/rfc/safe_cast#vote
Voting starts today (2014-11-19) and ends in 10 days’ time (2014-11-29).
Since some things might have changed since you last read the RFC, I encourage
you to read through it again. If t
> On 20 Nov 2014, at 00:26, Christoph Becker wrote:
>
> Tjerk Meesters wrote:
>
>> Hi list,
>>
>> As I was fiddling with CSV data reading and writing I noticed that fgetcsv()
>> is inherently incompatible with fputcsv() when it comes to the enclosure
>> escape character that’s used.
>>
>> E
> On 19 Nov 2014, at 19:04, Anatol Belski wrote:
>
> Yeah, try_string(new A) == (string)(new A), but try_int(new A) !=
> (int)(string)(new A) in the RFC. Whereby '10' were pretty valid for int,
> no?
Oh, you’re saying how to_int/to_float don’t accept __toString objects. I
suppose they could, b
On Wed, November 19, 2014 19:47, Andrea Faulds wrote:
>>> __toString() always errors if it doesn’t return a string, I see no
>>> reason to change that.
>> But in the other cases it converts strings to numbers. I mean like
>> class A {function __toString(){return '10';}} $a = (string) (new A);
>> //
> On 19 Nov 2014, at 18:28, Anatol Belski wrote:
>
> On Wed, November 19, 2014 15:49, Andrea Faulds wrote:
>>
>>> On 19 Nov 2014, at 08:33, Anatol Belski wrote:
>>> object(Stringable)#2 (0) {} - and similar actually, what if _toString()
>>> returns some int/float literal? that should pass as w
On Wed, November 19, 2014 15:49, Andrea Faulds wrote:
>
>> On 19 Nov 2014, at 08:33, Anatol Belski wrote:
>>
>>
>> while briefly looking through the conversion examples, i see some weird
>> results
>>
>> string(5) “31e+7” - shouldn't this be valid for int?
>
> The trend seems to be to consider t
On Wed, Nov 19, 2014 at 4:10 PM, Andrea Faulds wrote:
>
>> On 19 Nov 2014, at 15:07, Alain Williams wrote:
>>
>> It is a problem trying to maintain code for different versions of PHP,
>> especially where there are syntax differences. It would be really nice to
>> have
>> some sort of conditional
On Wed, Nov 19, 2014 at 3:33 PM, Alain Williams wrote:
> On Wed, Nov 19, 2014 at 02:27:12PM +, Rowan Collins wrote:
>
> > PEAR is not a single organisation who can mass update all the
> > modules; the guidelines could be updated, if they haven't been
> > already, but there would still be a wh
On 19.11.2014 16:07, Alain Williams wrote:
> On Wed, Nov 19, 2014 at 02:41:09PM +, Chris Wright wrote:
>
>
>> Note that, for users who are insane enough to expect to maintain PHP4-7
>> support in a single codebase, it's also easily possible to work with both
>> styles even after this change i
Tjerk Meesters wrote:
> Hi list,
>
> As I was fiddling with CSV data reading and writing I noticed that fgetcsv()
> is inherently incompatible with fputcsv() when it comes to the enclosure
> escape character that’s used.
>
> Example: http://3v4l.org/LHEZj
>
> The above example code demonstrat
> On 19 Nov 2014, at 15:07, Alain Williams wrote:
>
> It is a problem trying to maintain code for different versions of PHP,
> especially where there are syntax differences. It would be really nice to have
> some sort of conditional compilation as in C. Eg:
>
> It would be nice to be able to do
On Wed, Nov 19, 2014 at 02:41:09PM +, Chris Wright wrote:
> Note that, for users who are insane enough to expect to maintain PHP4-7
> support in a single codebase, it's also easily possible to work with both
> styles even after this change is introduced:
> ...
It is a problem trying to maint
> On 19 Nov 2014, at 08:33, Anatol Belski wrote:
>
> while briefly looking through the conversion examples, i see some weird
> results
>
> string(5) “31e+7” - shouldn't this be valid for int?
The trend seems to be to consider things with exponents or decimal points as
floats. Even though ther
On 19 November 2014 14:27, Rowan Collins wrote:
> Alain Williams wrote on 19/11/2014 13:46:
>
>> On Wed, Nov 19, 2014 at 02:41:54PM +0100, Remi Collet wrote:
>>
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA1
>>>
>>> Le 19/11/2014 00:11, Levi Morrison a écrit :
>>>
[1]: https://wiki.ph
Tjerk Meesters wrote on 19/11/2014 12:20:
Hi list,
As I was fiddling with CSV data reading and writing I noticed that fgetcsv() is
inherently incompatible with fputcsv() when it comes to the enclosure escape
character that’s used.
Example: http://3v4l.org/LHEZj
The above example code demonst
Hi,
On Wed, Nov 19, 2014 at 4:33 PM, Alain Williams wrote:
> On Wed, Nov 19, 2014 at 02:27:12PM +, Rowan Collins wrote:
>
>> PEAR is not a single organisation who can mass update all the
>> modules; the guidelines could be updated, if they haven't been
>> already, but there would still be a w
On Wed, Nov 19, 2014 at 02:27:12PM +, Rowan Collins wrote:
> PEAR is not a single organisation who can mass update all the
> modules; the guidelines could be updated, if they haven't been
> already, but there would still be a whole repository full of
> libraries which used this.
>
> Now, whet
Alain Williams wrote on 19/11/2014 13:46:
On Wed, Nov 19, 2014 at 02:41:54PM +0100, Remi Collet wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Le 19/11/2014 00:11, Levi Morrison a écrit :
[1]: https://wiki.php.net/rfc/remove_php4_constructors
This will just kill PEAR and most of availab
Outch, I didn't know that this use case was still valid. Yes, ofc, +1.
2014-11-19 14:46 GMT+01:00 Alain Williams :
> On Wed, Nov 19, 2014 at 02:41:54PM +0100, Remi Collet wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > Le 19/11/2014 00:11, Levi Morrison a écrit :
> > > [1]: h
On Wed, Nov 19, 2014 at 02:41:54PM +0100, Remi Collet wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Le 19/11/2014 00:11, Levi Morrison a écrit :
> > [1]: https://wiki.php.net/rfc/remove_php4_constructors
>
> This will just kill PEAR and most of available libraries on PEAR forge.
>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Le 19/11/2014 00:11, Levi Morrison a écrit :
> [1]: https://wiki.php.net/rfc/remove_php4_constructors
This will just kill PEAR and most of available libraries on PEAR forge.
Yes they are still some use of them
Yes keeping PHP 4 for PEAR is a bad idea
Hi list,
As I was fiddling with CSV data reading and writing I noticed that fgetcsv() is
inherently incompatible with fputcsv() when it comes to the enclosure escape
character that’s used.
Example: http://3v4l.org/LHEZj
The above example code demonstrates how, by default, fputcsv() encodes a
Hi list,
As I was fiddling with CSV data reading and writing I noticed that fgetcsv() is
inherently incompatible with fputcsv() when it comes to the enclosure escape
character that’s used.
Example: http://3v4l.org/LHEZj
The above example code demonstrates how, by default, fputcsv() encodes a
On 18 November 2014 20:22, Rainer Jung wrote:
> Hi there,
>
> the default build process of PHP on Unix/Linux links together all code
> needed for any SAPI that one builds (excluding dynamically loadable
> extensions). This often leads to relatively big SAPI shared object files.
> But most of this
Hi list,
Since it's an often-requested feature/often-brought up bug, I think this PR
should be pushed for merging: https://github.com/php/php-src/pull/904
The patch itself is not very big, and the feature not complicated to test.
I'd like to see this merged for the next version if possible :)
Re
On 19 November 2014 01:50:33 GMT, Stanislav Malyshev
wrote:
>> Yes, that's a bug :-)
>
>No, it is not :)
>We can do it all day but I think I've explained what is going on there.
>If you want to change it, feel free to do the RFC.
The point of this discussion is that there is an RFC on the table
On 19 November 2014 01:50:33 GMT, Stanislav Malyshev
wrote:
>Hi!
>
>> Is there a `.phpt` test-case or discussion backing this?
>
>Backing what? Checking if side effects happen when evaluating args of
>non-existing ctor? Probably not, since nobody ever needed it (correct
>me
>if I'm wrong).
Quit
On Wed, Nov 19, 2014 at 12:11 AM, Levi Morrison wrote:
> Dear Internals,
>
> I am proposing an RFC[1] to remove PHP 4 constructors in PHP 7. If
> accepted, methods with the same name as their defining class will no
> longer be recognized as constructors. As noted in the RFC, there are
> already m
Le Wed Nov 19 2014 at 9:31:50 AM, Julien Pauli a écrit :
> On Wed, Nov 19, 2014 at 5:15 AM, Yasuo Ohgaki wrote:
> > Hi all,
> >
> > On Wed, Nov 19, 2014 at 8:11 AM, Levi Morrison wrote:
> >
> >> I am proposing an RFC[1] to remove PHP 4 constructors in PHP 7. If
> >> accepted, methods with the s
Hi Andrea,
On Wed, November 19, 2014 04:07, Andrea Faulds wrote:
>
>> On 19 Nov 2014, at 03:02, Yasuo Ohgaki wrote:
>>
>>
>> I would like to have DbC to harden app security as well.
>> I'm looking for something like D language.
>>
>>
>> http://dlang.org/contracts.html
>>
>>
>> With DbC, checking
On Wed, Nov 19, 2014 at 5:15 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> On Wed, Nov 19, 2014 at 8:11 AM, Levi Morrison wrote:
>
>> I am proposing an RFC[1] to remove PHP 4 constructors in PHP 7. If
>> accepted, methods with the same name as their defining class will no
>> longer be recognized as const
42 matches
Mail list logo
