Re: [PHP-DEV] New escaped output operator

Hi Thomas, On Sat, Jun 18, 2016 at 5:23 AM, Thomas Bley wrote: > you can simply add the context to the current output operator: > > > (=strip_tags) > > We need in addition. If we adopt this, we must document clearly that LDAP, SQL, etc are not supported. I like this

Re: [PHP-DEV] New escaped output operator

> e.g. it won't protect you from XSS if you ever place user-controlled data in HTML attributes. As I've found, such an XSS can have a place in the code like this: $xss = "');your_code_here();//"; I think this is more architectural problem, not an escaping problem. This is very special case

Re: [PHP-DEV] Throwing an Error for require expressions in PHP7.x

I'm +1 for this on require. I'd love to see exceptions for all file I/O stuff (no more @fopen()!) but in all likelihood, we'd need a new API for that to keep BC. On Fri, Jun 17, 2016 at 1:32 PM, Niklas Keller wrote: > > > > If something is required, one cannot do without it,

Re: [PHP-DEV] New escaped output operator

Sure you can implement that in userland, but people don't do it or make it too complicated, so you get every day code with unescaped stuff. Regards Thomas Ryan Pallas wrote on 18.06.2016 00:27: > > > On Fri, Jun 17, 2016 at 2:23 PM, Thomas Bley

Re: [PHP-DEV] New escaped output operator

Walter, yes I read, did you read? Niklas wrote: > The escaping should also be aware of the content encoding. I wrote: no we have a php.ini setting The context problem is already answered in the mail from Stas. Regards Thomas Walter Parker wrote on 18.06.2016 00:20: > Thomas, are you

Re: [PHP-DEV] New escaped output operator

Thomas, are you actually reading and understanding what the others are saying? You seem to be answering questions that have not been asked or giving the simple, easy and wrong answer. Walter On Fri, Jun 17, 2016 at 1:37 PM, Thomas Bley wrote: > using the default encoding

Re: [PHP-DEV] New escaped output operator

you can simply add the context to the current output operator: (=strip_tags) Regards Thomas Stanislav Malyshev wrote on 17.06.2016 22:14: > Hi! > >> Most of output code is an output of properties of database entities, and >> only in some cases it's needed to concatenate HTML into string

Re: [PHP-DEV] New escaped output operator

using the default encoding from php.ini's default_charset should be no problem, htmlspecialchars() already does it if the encoding parameter is not provided. Regards Thomas Niklas Keller wrote on 17.06.2016 22:31: > Hi, > > the issue is that things have to be escaped dependent on the context.

Re: [PHP-DEV] Throwing an Error for require expressions in PHP7.x

> > If something is required, one cannot do without it, so there's only one > course of action, namely to bail out. What about gracefully bailing out, like showing that composer dependencies have to be installed? It's just like a method call. Usually you expect a return value, unless there's an

Re: [PHP-DEV] New escaped output operator

Hi, the issue is that things have to be escaped dependent on the context. If you are in a HTML context you need different escaping than you need in a CSS or JS block. The escaping should also be aware of the content encoding. All that makes it difficult for PHP to directly support such an

Re: [PHP-DEV] New escaped output operator

Hi! > Most of output code is an output of properties of database entities, and > only in some cases it's needed to concatenate HTML into string and then > print it with unescaped output. Escaped output operator can be useful. Also > we output data not into the void and not into simple text file,

[PHP-DEV] New escaped output operator

Hello. I was thinking about a presence of escaped output operator in PHP and found this feature request: https://bugs.php.net/bug.php?id=62574. I think this is quite necessary feature. There are a lot of projects which is written without templating engine, and there are frameworks without built-in

Re: [PHP-DEV] Re: Improve GD test suite

I would love to see a native ssim/dssim implementation in PHP… On Fri, Jun 17, 2016 at 6:54 AM, Pierre Joye wrote: > Hi > On Jun 17, 2016 8:18 PM, "Christoph Becker" wrote: > > > > Hi! > > > > I like to suggest to improve the current test suite of the

Re: [PHP-DEV] Throwing an Error for require expressions in PHP7.x

On Fri, Jun 17, 2016 at 6:47 PM, Christoph Becker wrote: > > try { > require $fileName; > } catch (Error $e) { > echo "Oops, maybe deleted? " . $e; > } > functionDefinedInFileName(); If anyone chooses to write this kind of code, then let them

Re: [PHP-DEV] Throwing an Error for require expressions in PHP7.x

On 17/06/2016 17:47, Christoph Becker wrote: If something is required, one cannot do without it, so there's only one course of action, namely to bail out. In my opinion, this is the least surprising way to handle missing required files, especially as it always has been that way (consider the

Re: [PHP-DEV] [RFC] RNG fixes

On 16.06.2016 at 20:55, Fleshgrinder wrote: > Education is a hard problem that the whole world is struggling with. We > will never achieve it. We will especially not achieve convincing people > of legacy software to change. Heck, we cannot even convince anyone here > to change legacy stuff.

Re: [PHP-DEV] Throwing an Error for require expressions in PHP7.x

On 17.06.2016 at 17:44, Niklas Keller wrote: > 2016-06-17 11:46 GMT+02:00 Christoph Becker : > >> On 17.06.2016 at 10:29, Alexander Lisachenko wrote: >> >>> Nikita, Dmitry, ping. What do you think, shouldn't we replace all >> possible >>> places with Fatal Errors with correct

Re: [PHP-DEV] Throwing an Error for require expressions in PHP7.x

2016-06-17 11:46 GMT+02:00 Christoph Becker : > On 17.06.2016 at 10:29, Alexander Lisachenko wrote: > > > Nikita, Dmitry, ping. What do you think, shouldn't we replace all > possible > > places with Fatal Errors with correct throwing of Error exceptions? In > > this concrete

Re: [PHP-DEV] Segmentation fault between 5.5 and 5.6 with remote address in stream socket

Yup, a bad copy/paste. On 17/06/16 16:06, Julien Pauli wrote: You seem to be linking the wrong PHP commit. I'll have a look at it. Julien On Fri, Jun 17, 2016 at 2:58 PM, Ivan Enderlin wrote: Hello internal, I have just opened a new bug,

Re: [PHP-DEV] Segmentation fault between 5.5 and 5.6 with remote address in stream socket

You seem to be linking the wrong PHP commit. I'll have a look at it. Julien On Fri, Jun 17, 2016 at 2:58 PM, Ivan Enderlin wrote: > Hello internal, > > I have just opened a new bug, https://bugs.php.net/72439 (source of the > story

[PHP-DEV] Re: Improve GD test suite

Hi On Jun 17, 2016 8:18 PM, "Christoph Becker" wrote: > > Hi! > > I like to suggest to improve the current test suite of the gd extension. > The main issue I see with the current suite is that many (~ 28) tests > use md5() to verify that a drawn image is correct. However, as

[PHP-DEV] Improve GD test suite

Hi! I like to suggest to improve the current test suite of the gd extension. The main issue I see with the current suite is that many (~ 28) tests use md5() to verify that a drawn image is correct. However, as Pierre mentioned long ago[1], md5() does not work (reliably) for this purpose. An

[PHP-DEV] Segmentation fault between 5.5 and 5.6 with remote address in stream socket

Hello internal, I have just opened a new bug, https://bugs.php.net/72439 (source of the story https://github.com/hoaproject/Websocket/issues/66). It seems to be a regression between 5.5 and 5.6. I quickly suspect https://github.com/php/php-src/commit/4a2e40bb861bc3cf5fb6863e57486ed60316e97c

[PHP-DEV] UGLY Benchmark Results for PHP Master 2016-06-17

Results for project PHP master, build date 2016-06-17 06:29:32+03:00 commit: e2904ff previous commit:fba6f90 revision date: 2016-06-16 20:12:50+01:00 environment:Haswell-EP cpu:Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz 2x18 cores, stepping 2, LLC 45 MB

Re: [PHP-DEV] [RFC] [VOTE] Replace "Missing argument" warning with "Too few arguments" exception

On 17/06/2016 11:37, Björn Larsson wrote: Den 2016-06-17 kl. 12:15, skrev Rowan Collins: Do we really trust our future selves so little that we are incapable of planning more than 6 months ahead? Well, my interpretation was that postphoning it meant 8.0, which is not 6 months away. Having it

Re: [PHP-DEV] [RFC] [VOTE] Replace "Missing argument" warning with "Too few arguments" exception

On 17/06/16 11:15, Rowan Collins wrote: > Do we really trust our future selves so little that we are incapable of > planning more than 6 months ahead? A practical example of the problems of upgrading is perhaps the time it takes for public services to get updated. Many of my council customers

Re: [PHP-DEV] [RFC] [Accepted] Replace "Missing argument" warning with "Too few arguments" exception

On Fri, Jun 17, 2016 at 4:57 PM, Matteo Beccati wrote: > On 16/06/2016 08:18, Pierre Joye wrote: >> Hi Dmitry >> >> I am sorry but I have to ask to wait before merging it. >> >> It is definitely not clear that: >> >> . The rfc was valid to begin with due to the short discussion

Re: [PHP-DEV] [RFC] [VOTE] Replace "Missing argument" warning with "Too few arguments" exception

Den 2016-06-17 kl. 12:15, skrev Rowan Collins: On 17/06/2016 10:49, Björn Larsson wrote: Well one reason I could think of is that things that get postphoned, is not the same thing as meaning it will get done in the future. Again, I am not proposing we indefinitely postpone anything. I am

Re: [PHP-DEV] [RFC] [VOTE] Replace "Missing argument" warning with "Too few arguments" exception

On 17/06/2016 10:49, Björn Larsson wrote: Well one reason I could think of is that things that get postphoned, is not the same thing as meaning it will get done in the future. Again, I am not proposing we indefinitely postpone anything. I am proposing we specifically plan when it is going to

Re: [PHP-DEV] [RFC] [Accepted] Replace "Missing argument" warning with "Too few arguments" exception

On 16/06/2016 08:18, Pierre Joye wrote: > Hi Dmitry > > I am sorry but I have to ask to wait before merging it. > > It is definitely not clear that: > > . The rfc was valid to begin with due to the short discussion time > . This BC is acceptable for 7.x As Dmitry pointed out the change has

Re: [PHP-DEV] [RFC] [VOTE] Replace "Missing argument" warning with "Too few arguments" exception

Den 2016-06-17 kl. 11:19, skrev Rowan Collins: On 17/06/2016 10:08, Björn Larsson wrote: And pardon me, but saying that we can wait until an PHP 8.0 release that we have no clue about when it will happen sounds in my eyes a bit to far off. Going that direction means instead that boiler plate

Re: [PHP-DEV] Throwing an Error for require expressions in PHP7.x

On 17.06.2016 at 10:29, Alexander Lisachenko wrote: > Nikita, Dmitry, ping. What do you think, shouldn't we replace all possible > places with Fatal Errors with correct throwing of Error exceptions? In > this concrete case it's for "require" operator. > > From what I can see Error will give us

Re: [PHP-DEV] Is the "No BC Breaks in Minor Releases" policy enforceable?

Den 2016-06-16 kl. 18:30, skrev Rowan Collins: On 16/06/2016 17:24, Levi Morrison wrote: I also have to say that to the very short timeline to finalize 7.0 should not be paid by breaking BCs in 7.x. We can have a short timeline for 8.0 as well. If we need more drastic BC breaks earlier than

Re: [PHP-DEV] [RFC] [VOTE] Replace "Missing argument" warning with "Too few arguments" exception

On 17/06/2016 10:08, Björn Larsson wrote: And pardon me, but saying that we can wait until an PHP 8.0 release that we have no clue about when it will happen sounds in my eyes a bit to far off. Going that direction means instead that boiler plate code is needed to catch that exact number of

Re: [PHP-DEV] [RFC] [VOTE] Replace "Missing argument" warning with "Too few arguments" exception

Den 2016-06-13 kl. 15:07, skrev Rowan Collins: On 06/06/2016 08:22, Dmitry Stogov wrote: Hi, This mini RFC has been moved to "Voting" state. Voting began on Jun 6 and will close on June 16. You can find the full RFC at: https://wiki.php.net/rfc/too_few_args Hi, The more I think about

Re: [PHP-DEV] Throwing an Error for require expressions in PHP7.x

Nikita, Dmitry, ping. What do you think, shouldn't we replace all possible places with Fatal Errors with correct throwing of Error exceptions? In this concrete case it's for "require" operator. >From what I can see Error will give us more control over the file loading process and make it more

Re: [PHP-DEV] [RFC] Throw Exception on Attempt of Constant Redefinition

On Jun 17, 2016 1:10 PM, "Dmitry Stogov" wrote: > > Got it :( > Then this may be a serious BC break, and it's better to depricate it in 7.1 and throw exception only in 8. Fully agree. Thanks :) > Thanks. Dmitry. > > > > On Thu, Jun 16, 2016 at 8:14 PM +0300, "Stanislav

Re: [PHP-DEV] [RFC] Throw Exception on Attempt of Constant Redefinition

Got it :( Then this may be a serious BC break, and it's better to depricate it in 7.1 and throw exception only in 8. Thanks. Dmitry. On Thu, Jun 16, 2016 at 8:14 PM +0300, "Stanislav Malyshev" > wrote: Hi! > Please review: