Hi all,

On Wed, Jun 24, 2015 at 6:51 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

> I got it.
>
> On Wed, Jun 24, 2015 at 6:41 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>
>> On Wed, Jun 24, 2015 at 12:21 AM, Anthony Ferrara <ircmax...@gmail.com>
>> wrote:
>>
>>> In addition, this breaks the contract, specifically when using scalar
>>> types. Because you're no longer going to error when the contract is
>>> broken (considering htmlspecialchars is documented as string:string).
>>>
>>
>> What do you mean by "break the contract"?
>> The "string" parameter is not a requirement/contract.
>> htmlspecialchars/htmlentities just convert the param to string. The patch
>> does not change anything, as you can see from the phpt results.
>>
>
> [yohgaki@dev github-php-src]$ cat ../t.php
> <?php
> declare(strict_types=1);
>
> var_dump( htmlspecialchars(123) );
>
> [yohgaki@dev github-php-src]$ ./php-bin ../t.php
>
> Fatal error: Uncaught TypeError: htmlspecialchars() expects parameter 1 to be string, integer given in /home/yohgaki/workspace/ext/git/oss/php.net/t.php:4
> Stack trace:
> #0 /home/yohgaki/workspace/ext/git/oss/php.net/t.php(4): htmlspecialchars(123)
> #1 {main}
>   thrown in /home/yohgaki/workspace/ext/git/oss/php.net/t.php on line 4
>
>
> I think this is massive breakage. It only happens in strict mode, though.
>

IMHO, it is better for escape/unescape/encode/decode/conversion functions to
accept any type.
An HTML template may be a separate script, but database code etc. may not be.

Writing code like

<?php
declare(strict_types=1);
// $table and $id may hold non-string values; strict mode forces the casts
$sql = 'SELECT * FROM '. pg_escape_identifier((string)$table)
     . ' WHERE id = '. pg_escape_literal((string)$id).';';
pg_query($sql);
?>

is better avoided, i.e. a (string) cast before passing the parameter.

Another example: JSON decode converts numerics to int/float.

<?php
declare(strict_types=1);
// decode to an associative array so that $data['some_data'] is valid
$data = json_decode($json, true);
$str = mb_convert_kana((string) $data['some_data'], 'AKHV');
?>

Are we going to force users to use (string) casts for conversion
functions in order to switch to strict_types=1?

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
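
The strict-mode behaviour discussed in this thread, as an added example that is not part of the original message or of PHP itself: `esc_html()` is a hypothetical wrapper that keeps the (string) cast in one place, and the JSON input is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a PHP built-in): one place for the (string) cast.
// Accepts scalars and objects with __toString(); rejects everything else.
function esc_html($value): string
{
    if (is_scalar($value) || (is_object($value) && method_exists($value, '__toString'))) {
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    // null, arrays and other objects are refused rather than rendered as "" or "Array"
    throw new TypeError('esc_html() expects a scalar or stringable value, '
        . gettype($value) . ' given');
}

// Constructed sample input: json_decode() yields int and float for numerics.
$data = json_decode('{"id": 123, "price": 9.5, "name": "<b>x</b>"}', true);

// Direct call under strict_types=1: the int is refused, as in the quoted output.
try {
    echo htmlspecialchars($data['id']), "\n";
} catch (TypeError $e) {
    echo 'TypeError: ', $e->getMessage(), "\n";
}

// Through the helper every scalar is escaped without a cast at the call site.
foreach ($data as $key => $value) {
    echo $key, ' => ', esc_html($value), "\n";
}

// Non-scalar input still fails loudly.
try {
    esc_html(['a', 'b']);
} catch (TypeError $e) {
    echo 'TypeError: ', $e->getMessage(), "\n";
}
```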
