Stanislav Malyshev wrote:
>> * the code gets smaller because not so many typechecks in every function
> What do you mean "not so many"? You need one per checked parameter.
There is a difference in complexity between a userlevel type check and a
low level type check.
>> * with type hints byte code optimizer can optimize the code far better
> Do you have any optimizer that can do that? Any plans to make one? Any
> tests showing you can optimize real-life application this way?
How should one have an optimizer for that as long as PHP does not have this
feature? No one would implement one that is capable of doing this without
knowing if the feature ever makes it into PHP.
> That is true, type hints do make static analysis easier - strict
> typing is created exactly for that purpose. However, it only helps if
> all the code is strictly typed - otherwise you just move the point of
> failure around. And in any case, type won't help you much for most
> real static analysis purposes, such as security - "string" can hold
> anything.
That is not completely true. If, for example, 10 functions use type
hinting and the other functions do not, then you have at least 10 functions
which you can analyse better.

A "simple" example is:

function decryptID($id)
{
    // the type of the result depends on SOME_RUNTIME_CONSTANT:
    // int ^ int is an int, but string ^ string is a binary string
    return $id ^ SOME_RUNTIME_CONSTANT;
}

function getUserFromId($id)
{
    // the decrypted value is interpolated directly into the query
    $sql = "select * from user where id=".decryptID($id);
    ...
}

To analyse this construct a static code analyser has a lot to do, and it
still needs to check every call to getUserFromId() to verify whether this is
an actual security hole, because it doesn't know the content of
SOME_RUNTIME_CONSTANT and therefore the return value of decryptID() could
be a binary XORed string. However, a type hint of int in the decryptID()
function would allow the analyser to know that decryptID() always returns
int, and this would tell it that this is not a security hole. You see in
this example that just partial usage of type hinting can mean the
difference between a false positive and definitive unexploitability.

Greetings,
Stefan Esser

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
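To make the analysis argument in the message above concrete, here is a toy taint analyser, added as an example for this thread; it is not PHP's code, not any real analyser, and not Stefan's or Stanislav's. It models the decryptID()/getUserFromId() construct as a tiny expression tree (the tuple IR, the `Function`/`Info` classes and the hint names are all constructed for this example) and tracks two things per expression: its type (int, string or unknown) and whether it may carry attacker-controlled SQL syntax. A runtime constant has an unknown type, so without hints the XOR result is unknown and the analyser must report the SQL sink as a possible injection. With an int hint on decryptID() (on the parameter or the return value) the result is known to be numeric and the report disappears; with a string hint it stays, which is Stanislav's point that "string" can hold anything.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Expression IR (constructed for this example):
#   ("param", name)          function parameter
#   ("literal", value)       int or string literal
#   ("runtime_const", name)  value only known at runtime (e.g. define() in config)
#   ("xor", a, b)            PHP `^`: int^int -> int, string^string -> binary string
#   ("concat", a, b)         PHP `.`
#   ("call", fname, arg)     call to another function of the program


@dataclass
class Function:
    param: str
    body: tuple
    param_type: Optional[str] = None   # type hint on the parameter, if any
    return_type: Optional[str] = None  # declared return type, if any
    sql_sink: bool = False             # body is used directly as an SQL statement


@dataclass(frozen=True)
class Info:
    type: str       # "int", "string" or "unknown"
    tainted: bool   # may carry attacker-controlled SQL syntax


NUMERIC = {"int", "float", "bool"}   # types that cannot smuggle SQL syntax


def _param_info(hint: Optional[str], incoming: Info) -> Info:
    # A numeric parameter hint guarantees a number regardless of the caller;
    # without one, the parameter is whatever flowed in.
    if hint in NUMERIC:
        return Info(hint, False)
    return incoming


def analyse(expr: tuple, env: Dict[str, Info], program: Dict[str, Function]) -> Info:
    kind = expr[0]
    if kind == "param":
        return env[expr[1]]
    if kind == "literal":
        return Info("int" if isinstance(expr[1], int) else "string", False)
    if kind == "runtime_const":
        return Info("unknown", False)   # not attacker data, but its type is unknown
    if kind == "xor":
        a, b = analyse(expr[1], env, program), analyse(expr[2], env, program)
        if a.type == "int" and b.type == "int":
            return Info("int", False)
        return Info("unknown", a.tainted or b.tainted)   # could be a binary string
    if kind == "concat":
        a, b = analyse(expr[1], env, program), analyse(expr[2], env, program)
        return Info("string", a.tainted or b.tainted)
    if kind == "call":
        callee = program[expr[1]]
        arg = analyse(expr[2], env, program)
        callee_env = {callee.param: _param_info(callee.param_type, arg)}
        result = analyse(callee.body, callee_env, program)
        if callee.return_type is not None:
            # a declared return type settles what the body analysis could not
            return Info(callee.return_type,
                        result.tainted and callee.return_type not in NUMERIC)
        return result
    raise ValueError(f"unknown expression kind {kind!r}")


def find_sql_injection(program: Dict[str, Function], entry: str) -> bool:
    """True if the entry function's SQL statement may contain user-controlled syntax."""
    fn = program[entry]
    user_input = _param_info(fn.param_type, Info("unknown", True))  # entry args are untrusted
    info = analyse(fn.body, {fn.param: user_input}, program)
    return fn.sql_sink and info.tainted


def example_program(param_hint: Optional[str] = None,
                    return_hint: Optional[str] = None) -> Dict[str, Function]:
    """The decryptID()/getUserFromId() construct from the message, with optional hints."""
    return {
        "decryptID": Function(
            "id", ("xor", ("param", "id"), ("runtime_const", "SOME_RUNTIME_CONSTANT")),
            param_hint, return_hint),
        "getUserFromId": Function(
            "id", ("concat", ("literal", "select * from user where id="),
                   ("call", "decryptID", ("param", "id"))),
            sql_sink=True),
    }


if __name__ == "__main__":
    print("no hints        :", find_sql_injection(example_program(), "getUserFromId"))
    print("int return hint :", find_sql_injection(example_program(return_hint="int"), "getUserFromId"))
    print("int param hint  :", find_sql_injection(example_program(param_hint="int"), "getUserFromId"))
    print("string hint     :", find_sql_injection(example_program(return_hint="string"), "getUserFromId"))
```

The unhinted program is reported because the analyser cannot rule the binary-string case out, which is exactly the false positive the message describes; a real analyser would then have to inspect every caller of getUserFromId(). The int hint removes the report locally, without the rest of the program being typed.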
