Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-23 Thread Aleksander Machniak
On 23.06.2021 16:40, Sara Golemon wrote: > Seriously. What about this looks spammy, I ask you? I don't know the other, but this one has X-Spam-Status: No, score=1.147 tagged_above=-999 required=4.5 tests=[BAYES_00=-1.9, GUARANTEED_100_PERCENT=2.699, MAILING_LIST_MULTI=-1, RCVD_IN_

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-23 Thread Hamza Ahmad
To George, et al, Hi George, > I really don't see the point of these functions. These functions provide a clearer semantics for their usage. Substr, as Sara has mentioned, can be an alternative to these functions. Does it make clear that substr returns either end of a string? No, substr ret

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-23 Thread Stephen Reay
> On 24 Jun 2021, at 08:30, Scott Arciszewski wrote: > > On Wed, Jun 23, 2021, 9:23 PM Bruce Weirdan > wrote: > >> On Thu, Jun 24, 2021 at 3:41 AM Scott Arciszewski >> wrote: >>> The failure condition of this query is >>> "return all rows from the table already bein

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-23 Thread Scott Arciszewski
On Wed, Jun 23, 2021, 9:23 PM Bruce Weirdan wrote: > On Thu, Jun 24, 2021 at 3:41 AM Scott Arciszewski > wrote: > > The failure condition of this query is > > "return all rows from the table already being queried", not "return > > arbitrary data the attacker selects from any table that the > > a

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-23 Thread Bruce Weirdan
On Thu, Jun 24, 2021 at 3:41 AM Scott Arciszewski wrote: > The failure condition of this query is > "return all rows from the table already being queried", not "return > arbitrary data the attacker selects from any table that the > application can read". Imagine that was a DELETE rather than SELE

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-23 Thread Scott Arciszewski
On Wed, Jun 23, 2021 at 8:09 PM Bruce Weirdan wrote: > > > - String + int concatenation isn't an injection risk. > > I think this demonstrates it very well could be: > https://externals.io/message/114988#115038 > > -- > Best regards, > Bruce Weirdan > m

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-23 Thread Craig Francis
On Thu, 24 Jun 2021 at 1:09 am, Bruce Weirdan wrote: > > - String + int concatenation isn't an injection risk. > > I think this demonstrates it very well could be: > https://externals.io/message/114988#115038 That’s the developer choosing to use a variable, and it’s no different than the deve

Re: [PHP-DEV] [RFC] clamp

2021-06-23 Thread tyson andre
Hello Kim Hallberg, > The RFC for the clamp function is now open and under discussion, you now have > 2 weeks > to discuss, suggest improvements and open issues before voting is considered. From https://wiki.php.net/rfc/clamp - > Current userland implementations are handled in several ways,

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-23 Thread Bruce Weirdan
> - String + int concatenation isn't an injection risk. I think this demonstrates it very well could be: https://externals.io/message/114988#115038 -- Best regards, Bruce Weirdan mailto:weir...@gmail.com -- PHP Internals - PHP Runtime Development Mai

Re: [PHP-DEV] [RFC] Add parse_query_string as an alternative to parse_str

2021-06-23 Thread David Rodrigues
I really prefer Sara's suggestion, instead of creating a new function to do the same thing. parse_str($str): array. Sincerely, David Rodrigues On Wed., 23 Jun 2021 at 20:20, Sara Golemon wrote: > On Wed, Jun 23, 2021 at 5:02 PM Kamil Tekiela > wrote: > > > I would like to pr

Re: [PHP-DEV] [RFC] clamp

2021-06-23 Thread tyson andre
Hi Kim Hallberg, > The RFC for the clamp function is now open and under discussion, you now have > 2 weeks > to discuss, suggest improvements and open issues before voting is considered. > > Any and all feedback is welcomed. > > The RFC is available for viewing here: https://wiki.php.net/rfc/c

Re: [PHP-DEV] [Vote] make Reflection*#setAccessible() no-op

2021-06-23 Thread tyson andre
Hi Marco Pivetta, > I'm opening the vote for making `Reflection*#setAccessible()`. > > Voting starts today (2021-06-23) and ends in 14 days (2021-07-07). > > Vote at https://wiki.php.net/rfc/make-reflection-setaccessible-no-op > > Discussion: https://marc.info/?l=php-internals&m=162360269505048

Re: [PHP-DEV] [RFC] Add parse_query_string as an alternative to parse_str

2021-06-23 Thread Sara Golemon
On Wed, Jun 23, 2021 at 5:02 PM Kamil Tekiela wrote: > I would like to propose a new simple RFC that aims to add a new function > called parse_query_string as an alternative to parse_str. > > https://wiki.php.net/rfc/parse_str_alternative > > The functionality stays the same, only the name and th

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-23 Thread Sara Golemon
On Wed, Jun 23, 2021 at 2:10 PM Mike Schinkel wrote: > I have frequently heard the justification of maintenance burden mentioned > as an objection to adding specific features. And in many cases, it is easy > to see why future maintenance burden would be a concern. > > However, it *seems* in this

[PHP-DEV] [RFC] Add parse_query_string as an alternative to parse_str

2021-06-23 Thread Kamil Tekiela
Hi Internals, I would like to propose a new simple RFC that aims to add a new function called parse_query_string as an alternative to parse_str. https://wiki.php.net/rfc/parse_str_alternative The functionality stays the same, only the name and the way of returning the array changes. While it is

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-23 Thread Rowan Tommins
On 23/06/2021 22:28, Christoph M. Becker wrote: substr() is about bytes, not characters. They all may have upvoted the wrong answer. The only correct answer has just 17 upvotes. Just to out-pedant you, I'll point out that what most people would think of as a "character" is neither a byte no

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-23 Thread Christoph M. Becker
On 23.06.2021 at 21:10, Mike Schinkel wrote: > Replying to both Sara's and G.P.B.'s emails below: > >> On Jun 23, 2021, at 12:48 PM, Sara Golemon wrote: >> >> Using some context, I would assume you mean this: >> >> function str_left(string $str, int $len): string { >> return substr($str, 0, $len

Re: [PHP-DEV] [VOTE] Deprecate autovivification on false

2021-06-23 Thread Kamil Tekiela
Hi All, The voting on https://wiki.php.net/rfc/autovivification_false has been closed. The RFC is accepted with score 34:2 (94%) Thanks, Kamil

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-23 Thread Mike Schinkel
Replying to both Sara's and G.P.B.'s emails below: > On Jun 23, 2021, at 12:48 PM, Sara Golemon wrote: > > Using some context, I would assume you mean this: > > function str_left(string $str, int $len): string { > return substr($str, 0, $len); > } > > function str_right(string $str, int $len)

[PHP-DEV] [RFC] clamp

2021-06-23 Thread Kim Hallberg
Hello internals, The RFC for the clamp function is now open and under discussion, you now have 2 weeks to discuss, suggest improvements and open issues before voting is considered. Any and all feedback is welcomed. The RFC is available for viewing here: https://wiki.php.net/rfc/clamp

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-23 Thread Scott Arciszewski
On Wed, Jun 23, 2021 at 10:54 AM Craig Francis wrote: > > On Wed, 23 Jun 2021 at 14:37, Larry Garfield wrote: > > > I'm still very torn on is_literal; I fear that the people who would > > benefit from it are the very people that don't use the tools that would > > leverage it (DBALs et al), and so

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-23 Thread Guilliam Xavier
On Wed, Jun 23, 2021 at 6:49 PM Sara Golemon wrote: > On Wed, Jun 23, 2021 at 9:15 AM Hamza Ahmad > wrote: > > > > > Since feature freeze for 8.1 is approaching, I want to request two useful > > string functions that exist in various languages-especially those that > run > > on web servers and u

[PHP-DEV] Re: Requesting RFC karma

2021-06-23 Thread Christoph M. Becker
On 23.06.2021 at 17:56, Kim Hallberg wrote: > With the initial attitude for the clamp proposal being mostly positive > I am moving ahead with the RFC and am therefore requesting RFC karma > to create this RFC. > > If anyone would like to grant me this karma my username for the wiki is: > thinkver

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-23 Thread Sara Golemon
On Wed, Jun 23, 2021 at 9:15 AM Hamza Ahmad wrote: > > Since feature freeze for 8.1 is approaching, I want to request two useful > string functions that exist in various languages-especially those that run > on web servers and used in databases. These are respectively `left();` and > `right();` >

[PHP-DEV] Requesting RFC karma

2021-06-23 Thread Kim Hallberg
Hi internals, With the initial attitude for the clamp proposal being mostly positive I am moving ahead with the RFC and am therefore requesting RFC karma to create this RFC. If anyone would like to grant me this karma my username for the wiki is: thinkverse Thank you, Kim Hallberg. -- PHP Int

Re: [PHP-DEV] [Vote] make Reflection*#setAccessible() no-op

2021-06-23 Thread Marco Pivetta
On Wed, Jun 23, 2021 at 5:49 PM Guilliam Xavier wrote: > > Meanwhile, if anybody knows why the RFC isn't listed on `/rfc`, lemme know >> :D >> > > You have to add it manually, cf https://wiki.php.net/rfc/howto 3.4 > (yeah...) > Excellent, thanks :-D Marco Pivetta http://twitter.com/Ocramius h

Re: [PHP-DEV] [Vote] make Reflection*#setAccessible() no-op

2021-06-23 Thread Guilliam Xavier
Meanwhile, if anybody knows why the RFC isn't listed on `/rfc`, lemme know > :D > You have to add it manually, cf https://wiki.php.net/rfc/howto 3.4 (yeah...) Cheers -- Guilliam Xavier

[PHP-DEV] [Vote] make Reflection*#setAccessible() no-op

2021-06-23 Thread Marco Pivetta
Hey folks, I'm opening the vote for making `Reflection*#setAccessible()`. Voting starts today (2021-06-23) and ends in 14 days (2021-07-07). Vote at https://wiki.php.net/rfc/make-reflection-setaccessible-no-op Discussion: https://marc.info/?l=php-internals&m=162360269505048&w=2 Discussion^2:

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-23 Thread Craig Francis
On Wed, 23 Jun 2021 at 14:37, Larry Garfield wrote: > I'm still very torn on is_literal; I fear that the people who would > benefit from it are the very people that don't use the tools that would > leverage it (DBALs et al), and so the net benefit will be small. > This RFC will not help those w

Re: [PHP-DEV] Introduce str_left/right In 8.1

2021-06-23 Thread G. P. B.
On Wed, 23 Jun 2021 at 15:15, Hamza Ahmad wrote: > Hello Internals, > > Since feature freeze for 8.1 is approaching, I want to request two useful > string functions that exist in various languages-especially those that run > on web servers and used in databases. These are respectively `left();` a

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-23 Thread Sara Golemon
Resending this, because the mail daemon sent it back as spam, and we shouldn't be running our own mail server any more than we should have been running our own git server. Seriously. What about this looks spammy, I ask you? On Wed, Jun 23, 2021 at 9:36 AM Sara Golemon wrote: > On Mon, Jun 21, 20

[PHP-DEV] Introduce str_left/right In 8.1

2021-06-23 Thread Hamza Ahmad
Hello Internals, Since feature freeze for 8.1 is approaching, I want to request two useful string functions that exist in various languages-especially those that run on web servers and used in databases. These are respectively `left();` and `right();` Whether it is VBScript or MySQL, these two fu

Re: [PHP-DEV] [Vote] Partial Function Application

2021-06-23 Thread Peter Bowyer
On Wed, 16 Jun 2021 at 17:17, Larry Garfield wrote: > Hi folks. The vote for the Partial Function Application RFC is now open, > and will run until 30 June. > > https://wiki.php.net/rfc/partial_function_application > I like. People have either experienced the need for this or they haven't. Ask

[PHP-DEV] Re: Proposal: clamp

2021-06-23 Thread Kim Hallberg
> On 23 Jun 2021, at 2:25 AM, Kim Hallberg wrote: > > Greetings internals, > > I present to you a proposal for a new basic math function: clamp. > > function clamp(int|float $num, int|float $min, int|float $max): int|float {} Instead of answering each response individually I’ll post a reply

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-23 Thread Craig Francis
On Wed, 23 Jun 2021 at 11:27 am, Guilliam Xavier wrote: > Alternatively, if integers are too controversial, how about reverting the > implementation to `is_literal()` > Starting to look like that, yeah.

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-23 Thread Larry Garfield
On Wed, Jun 23, 2021, at 8:05 AM, Hossein Baghayi wrote: > Hello, > What about `is_vulnerable`? Its behaviour would be the inverse of > is_literal. > I mean we don't have to avoid the other side of the coin. That has the same core problem as is_trusted. It's making a claim about the probable sec

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-23 Thread Hossein Baghayi
Hello, What about `is_vulnerable`? Its behaviour would be the inverse of is_literal. I mean we don't have to avoid the other side of the coin. On Tue, 22 Jun 2021 at 22:41, Craig Francis wrote: > Hi Internals, > > As the name `is_trusted()` seems to be causing contention, I think more > than the

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-23 Thread Rowan Tommins
On 22 June 2021 10:09:50 BST, Mike Schinkel wrote: >For my inspiration take a look at Trusted Types API in Javascript: > >https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API > There is an extremely important diffe

Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

2021-06-23 Thread Guilliam Xavier
On Tue, Jun 22, 2021 at 8:11 PM Craig Francis wrote: > > The Function: > - Is a security-based function that prevents Injection Vulnerabilities in > PHP. > - Flags strings written by the developer, including when concatenated. > - Also accepts integer values, which as purely numerical cannot cont

Re: [PHP-DEV] Proposal: clamp

2021-06-23 Thread Ayesh Karunaratne
> Greetings internals, > > I present to you a proposal for a new basic math function: clamp. > > The main goal of this function is to contain a number inside a given bound. > And return the number if it is inside of that bound, and if not, and the > number is outside of the given bound, the nearest

Re: [PHP-DEV] Proposal: clamp

2021-06-23 Thread Ilija Tovilo
Hi Kim > I present to you a proposal for a new basic math function: clamp. > ... > What are your opinions on this function? I for one think this is a good candidate for PHP's standard library. It's simple, unopinionated and standardized in other languages. Even though it's simple to implement in u

Re: [PHP-DEV] Proposal: clamp

2021-06-23 Thread Pierre
On 23/06/2021 at 10:28, Lynn wrote: On Wed, Jun 23, 2021 at 3:07 AM Marco Pivetta wrote: The problem is exactly the fact that it is trivial to implement in userland: why not do it there instead? My 2cents: because people won't use it when the barrier is too high to get it. There are a ton

Re: [PHP-DEV] Proposal: clamp

2021-06-23 Thread Lynn
On Wed, Jun 23, 2021 at 3:07 AM Marco Pivetta wrote: > The problem is exactly the fact that it is trivial to implement in > userland: why not do it there instead? > My 2cents: because people won't use it when the barrier is too high to get it. There are a ton of great libraries that have functio

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-23 Thread Pierre Joye
Hello Craig, Very well written RFC, good job! Others have said it already, but here are my thoughts. Many moons ago, I was on this way as well and the filter extension came out. As it fits for some projects, the actual gains were very far, to say the least, from what I would have expected. Since