Hi!

> Unfortunately, not all users do this, and the new PHP type hint opens a new
> hole that security researchers and attackers are interested in.

I am sorry, but you still brought no proof at all that there are any
security implications. Without such proof, these claims are baseless, so
I intend to ignore them from now until such time as some proof would be
provided, and advise others to do the same.

> I prefer relaxed int/float type hint a lot, but "numeric" can be
> alternative.

No, it can't, because it's not a type, it's a string regex check, and we
should not mix those with types.

> It's much easier for users to advocate "Use numeric type hint for database
> record ID/etc", rather than "Use string type hint for database _and_
> validate its content by yourself".

The latter is the right thing to do (well, except for the part where
string type is not really necessary unless you expect to get something
that can't be made string, in which case your code is very messed up by
that point).

> PHP was weakly typed and a too-strict type hint creates issues. Weakening
> it a bit does not harm anything, narrowing the window for attack. If users need native

There's no attack, and it does harm the design of the language by mixing
types with unrelated string regex checks.

> int/float strictly, they should/can use "strict" mode also. 
> 
> Do you see issues with relaxing?

Yes, lots of them.

-- 
Stas Malyshev
smalys...@gmail.com

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
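The point argued above, a "numeric" hint is just a string regex check and a database record ID should be validated for content rather than for "numericness", is easier to see with concrete inputs. The following is an added example written for this page; it is not code from the thread or from PHP itself. It uses PHP's built-in is_numeric() as a stand-in for what a hypothetical "numeric" hint would accept, and the function names validate_record_id() and compare_inputs() are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Contrast what a "numeric" check accepts
// with explicit validation of a database record ID.

// Stand-in for a hypothetical "numeric" type hint: PHP's own is_numeric().
// It accepts leading whitespace, a sign, decimal fractions and exponent
// notation, none of which belong in a record ID.
function passes_numeric_check(string $value): bool
{
    return is_numeric($value);
}

// Explicit content validation: a record ID is a positive decimal integer
// (no sign, no leading zeros, no whitespace) that fits in a PHP int.
// Returns the ID as int, or null when the input is rejected.
function validate_record_id(string $raw): ?int
{
    if (preg_match('/^[1-9][0-9]*$/', $raw) !== 1) {
        return null;
    }
    // FILTER_VALIDATE_INT returns false when the value overflows PHP_INT_MAX,
    // which the regex alone cannot catch.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Consumer of a validated ID. With strict_types=1 the int hint guarantees the
// type; validate_record_id() guarantees the content. The repository callback
// is a hypothetical stand-in for a real database lookup.
function load_record(callable $repository, int $id): ?array
{
    return $repository($id);
}

// Constructed sample inputs, as they might arrive in a query string.
function compare_inputs(): array
{
    $samples = ['42', ' 42', '1e3', '1.5', '-1', '0', '007', '0x1A', '42abc',
                '99999999999999999999'];
    $rows = [];
    foreach ($samples as $raw) {
        $rows[$raw] = [
            'numeric_check' => passes_numeric_check($raw),
            'validated_id'  => validate_record_id($raw),
        ];
    }
    return $rows;
}

// Hypothetical in-memory repository used only to make the example runnable.
$repository = function (int $id): ?array {
    $table = [42 => ['id' => 42, 'name' => 'example row']];
    return $table[$id] ?? null;
};

foreach (compare_inputs() as $raw => $result) {
    printf("%-22s numeric:%-5s validated:%s\n",
        var_export($raw, true),
        $result['numeric_check'] ? 'yes' : 'no',
        $result['validated_id'] === null ? 'rejected' : (string) $result['validated_id']);
}

$id = validate_record_id($_GET['id'] ?? '42');
if ($id === null) {
    echo "bad id\n";
} else {
    var_dump(load_record($repository, $id));
}
```

Run it from the command line with php; inputs such as ' 42', '1e3', '1.5' and '-1' pass the is_numeric() check but are rejected by the explicit validator, and '99999999999999999999' passes the regex but is rejected on overflow. The validator, not the type hint, is what keeps a malformed ID out of the database layer.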
