Re: [PHP-DEV] [RFC] Saner string to number comparisons

2020-07-16 Thread Nikita Popov
On Thu, Jul 16, 2020 at 9:21 AM Brent Roose wrote: > Hey Nikita > > Thanks for the rebase. I just tested this on one of our largest > projects (after verifying that the warning does show in a dummy test case), > and all is fine. So from my point of view, there is a theoretical chance of > br

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2020-07-16 Thread Nikita Popov
On Wed, Jul 15, 2020 at 5:12 PM Arnold Daniels wrote: > Hi Nikita, > > One of the problems with numeric string comparisons is that it might > interpret a hexadecimal value as scientific notation > > $red = '99'; > $purple = '9900e2'; > $red == $purple; // true > > I suggest only i

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2020-07-16 Thread Brent Roose
Hey Nikita Thanks for the rebase. I just tested this on one of our largest projects (after verifying that the warning does show in a dummy test case), and all is fine. So from my point of view, there is a theoretical chance of breaking code, but I believe this won't have a large impact, at

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2020-07-15 Thread Arnold Daniels
Hi Nikita, One of the problems with numeric string comparisons is that it might interpret a hexadecimal value as scientific notation $red = '99'; $purple = '9900e2'; $red == $purple; // true I suggest only interpreting a number formatted with a sign ("1e+100") or with decimals ("

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2020-07-15 Thread Nikita Popov
On Wed, Jul 15, 2020 at 10:56 AM Brent Roose wrote: > Hi Nikita > > Yes that would be nice, if it's not too much of a hassle. I'm only able to > test this in one or two large Laravel projects, so it would still be a > limited test. > > Kind regards > Brent > Done! https://github.com/php/php-src/

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2020-07-15 Thread Brent Roose
Hi Nikita Yes that would be nice, if it's not too much of a hassle. I'm only able to test this in one or two large Laravel projects, so it would still be a limited test. Kind regards Brent > On 15 Jul 2020, at 10:53, Nikita Popov wrote: > > On Wed, Jul 15, 2020 at 10:49 AM Brent Roose

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2020-07-15 Thread Nikita Popov
On Wed, Jul 15, 2020 at 10:49 AM Brent Roose wrote: > Hi Nikita > > Is the ini setting available in current 7.4 builds? Is it documented > somewhere? I'd like to test this change in some of our projects. > We did not introduce an ini setting in PHP 7.4, I only used it for my own experiments. The

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2020-07-15 Thread Brent Roose
Hi Nikita Is the ini setting available in current 7.4 builds? Is it documented somewhere? I'd like to test this change in some of our projects. Kind regards Brent > On 15 Jul 2020, at 10:28, Nikita Popov wrote: > > On Tue, Jul 14, 2020 at 11:47 PM Björn Larsson

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2020-07-15 Thread Nikita Popov
On Tue, Jul 14, 2020 at 11:47 PM Björn Larsson wrote: > Den 2020-07-14 kl. 15:48, skrev Nikita Popov: > > On Thu, Jul 2, 2020 at 10:09 AM Nikita Popov > wrote: > > > >> On Mon, Mar 4, 2019 at 6:00 PM Nikita Popov > wrote: > >> > >>> On Wed, Feb 27, 2019 at 10:23 AM Zeev Suraski wrote: > >>> >

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2020-07-14 Thread Björn Larsson
Den 2020-07-14 kl. 15:48, skrev Nikita Popov: On Thu, Jul 2, 2020 at 10:09 AM Nikita Popov wrote: On Mon, Mar 4, 2019 at 6:00 PM Nikita Popov wrote: On Wed, Feb 27, 2019 at 10:23 AM Zeev Suraski wrote: On Tue, Feb 26, 2019 at 2:27 PM Nikita Popov wrote: Hi internals, I think it is w

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2020-07-14 Thread Nikita Popov
On Thu, Jul 2, 2020 at 10:09 AM Nikita Popov wrote: > On Mon, Mar 4, 2019 at 6:00 PM Nikita Popov wrote: > >> On Wed, Feb 27, 2019 at 10:23 AM Zeev Suraski wrote: >> >>> >>> >>> On Tue, Feb 26, 2019 at 2:27 PM Nikita Popov >>> wrote: >>> Hi internals, I think it is well known th

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2020-07-02 Thread Nikita Popov
On Thu, Jul 2, 2020 at 10:09 AM Nikita Popov wrote: > On Mon, Mar 4, 2019 at 6:00 PM Nikita Popov wrote: > >> On Wed, Feb 27, 2019 at 10:23 AM Zeev Suraski wrote: >> >>> >>> >>> On Tue, Feb 26, 2019 at 2:27 PM Nikita Popov >>> wrote: >>> Hi internals, I think it is well known th

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2020-07-02 Thread Nikita Popov
On Mon, Mar 4, 2019 at 6:00 PM Nikita Popov wrote: > On Wed, Feb 27, 2019 at 10:23 AM Zeev Suraski wrote: > >> >> >> On Tue, Feb 26, 2019 at 2:27 PM Nikita Popov >> wrote: >> >>> Hi internals, >>> >>> I think it is well known that == in PHP is a pretty big footgun. It >>> doesn't >>> have to be

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2019-03-06 Thread Niklas Keller
Am Mo., 4. März 2019 um 18:00 Uhr schrieb Nikita Popov : > > On Wed, Feb 27, 2019 at 10:23 AM Zeev Suraski wrote: > > > > > > > On Tue, Feb 26, 2019 at 2:27 PM Nikita Popov wrote: > > > >> Hi internals, > >> > >> I think it is well known that == in PHP is a pretty big footgun. It > >> doesn't > >

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2019-03-04 Thread Nikita Popov
On Wed, Feb 27, 2019 at 10:23 AM Zeev Suraski wrote: > > > On Tue, Feb 26, 2019 at 2:27 PM Nikita Popov wrote: > >> Hi internals, >> >> I think it is well known that == in PHP is a pretty big footgun. It >> doesn't >> have to be. I think that type juggling comparisons in a language like PHP >> h

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2019-02-27 Thread Gabriel Caruso
Em ter, 26 de fev de 2019 às 09:28, Nikita Popov escreveu: > Hi internals, > > I think it is well known that == in PHP is a pretty big footgun. It doesn't > have to be. I think that type juggling comparisons in a language like PHP > have some merit, it's just that the particular semantics of == i

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2019-02-27 Thread Zeev Suraski
On Tue, Feb 26, 2019 at 2:27 PM Nikita Popov wrote: > Hi internals, > > I think it is well known that == in PHP is a pretty big footgun. It doesn't > have to be. I think that type juggling comparisons in a language like PHP > have some merit, it's just that the particular semantics of == in PHP m

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2019-02-27 Thread Claude Pache
> Le 27 févr. 2019 à 09:06, Kingsquare.nl - Robin Speekenbrink > a écrit : > > As of the 0 == "" bit: I do think that an empty string is widespread > regarded as falsey-string... Thus 0 == "" should IMHO return true... > 0 == "" evaluating to true has been a footgun for me in the past; someth

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2019-02-27 Thread Arvids Godjuks
ср, 27 февр. 2019 г. в 10:06, Kingsquare.nl - Robin Speekenbrink < ro...@kingsquare.nl>: > Op di 26 feb. 2019 om 13:27 schreef Nikita Popov : > > > Hi internals, > > > > I think it is well known that == in PHP is a pretty big footgun. It > doesn't > > have to be. I think that type juggling compari

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2019-02-27 Thread Kingsquare.nl - Robin Speekenbrink
Op di 26 feb. 2019 om 13:27 schreef Nikita Popov : > Hi internals, > > I think it is well known that == in PHP is a pretty big footgun. It doesn't > have to be. I think that type juggling comparisons in a language like PHP > have some merit, it's just that the particular semantics of == in PHP mak

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2019-02-26 Thread Dmitry Stogov
From: Nikita Popov Sent: Tuesday, February 26, 2019 3:27:23 PM To: PHP internals Subject: [PHP-DEV] [RFC] Saner string to number comparisons Hi internals, I think it is well known that == in PHP is a pretty big footgun. It doesn't have to be. I think that type juggling comparisons in a la

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2019-02-26 Thread Rowan Collins
On 26 February 2019 13:26:24 GMT+00:00, Nikita Popov wrote: >I'm mentioning this, because it is a precedent for tweaking the string >to >string numeric comparison rules to prevent unexpected and possibly >security >critical equalities. I think we could add similar special handling for >the >"0eNN

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2019-02-26 Thread Nikita Popov
On Tue, Feb 26, 2019 at 2:06 PM Rowan Collins wrote: > On Tue, 26 Feb 2019 at 12:27, Nikita Popov wrote: > > > I'd like to bring forward an RFC for PHP 8 to change the semantics of == > > and other non-strict comparisons, when used between a number and a > string: > > > > https://wiki.php.net/rf

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2019-02-26 Thread Rowan Collins
On Tue, 26 Feb 2019 at 12:27, Nikita Popov wrote: > I'd like to bring forward an RFC for PHP 8 to change the semantics of == > and other non-strict comparisons, when used between a number and a string: > > https://wiki.php.net/rfc/string_to_number_comparison > Hi Nikita, Thanks for tackling th

Re: [PHP-DEV] [RFC] Saner string to number comparisons

2019-02-26 Thread G. P. B.
On Tue, 26 Feb 2019 at 13:27, Nikita Popov wrote: > Hi internals, > > I think it is well known that == in PHP is a pretty big footgun. It doesn't > have to be. I think that type juggling comparisons in a language like PHP > have some merit, it's just that the particular semantics of == in PHP mak

[PHP-DEV] [RFC] Saner string to number comparisons

2019-02-26 Thread Nikita Popov
Hi internals, I think it is well known that == in PHP is a pretty big footgun. It doesn't have to be. I think that type juggling comparisons in a language like PHP have some merit, it's just that the particular semantics of == in PHP make it so dangerous. The biggest WTF factor is probably that 0