Re: [PHP-DEV] [RFC] [VOTE] is_literal

2021-07-09 Thread Lauri Kenttä
technically "wrong")? It seems unlikely to get a function or class name accidentally in a SQL query and even less likely that user input was involved. -- Lauri Kenttä -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: https://www.php.net/unsub.php

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-22 Thread Lauri Kenttä
accidental case where $x is supposed to be a trusted string but is an untrusted integer instead, like the given example. -- Lauri Kenttä

Re: [PHP-DEV] [RFC] is_literal

2021-06-22 Thread Lauri Kenttä
eone with prior knowledge can tell what kind of strings get interned by Opcache. Array keys? Object properties? -- Lauri Kenttä

Re: [PHP-DEV] [RFC] is_literal

2021-06-22 Thread Lauri Kenttä
. undefined variables or bad array offsets in a non-tested code path. Non-literal string is just one more kind of bug, it can be reported just like all the rest. -- Lauri Kenttä

Re: [PHP-DEV] [RFC] is_trusted - was is_literal

2021-06-22 Thread Lauri Kenttä
imagine people using either one without realizing that they can create any character, including \0 or ' or " or non-UTF-8. Better to leave only chr(), one less thing to worry about. Custom padding is a weird edge case, maybe just disallow that too? As you said yourself, it's not easy to pro

Re: [PHP-DEV] [RFC] is_literal

2021-06-12 Thread Lauri Kenttä
On 2021-06-12 22:21, Craig Francis wrote: On Sat, 12 Jun 2021 at 19:59, Lauri Kenttä wrote: Hi, I wrote the untaint() / make_literal() function, just in case. implode("", array_map(fn($c) => $chars[ord($c)], str_split($s, 1))) https://3v4l.org/EaN9Z#focus=rfc.literals

Re: [PHP-DEV] [RFC] is_literal

2021-06-12 Thread Lauri Kenttä
Hi, I wrote the untaint() / make_literal() function, just in case. implode("", array_map(fn($c) => $chars[ord($c)], str_split($s, 1))) https://3v4l.org/EaN9Z#focus=rfc.literals Sorry and bye. -- Lauri Kenttä

Re: [PHP-DEV] Regarding array_shift()/array_unshift()

2021-06-03 Thread Lauri Kenttä
ing both element and shifted array without resorting to by-reference parameters? Spread operator support in assignments would solve this nicely: [$first, ...$rest] = $array; -- Lauri Kenttä

Re: [PHP-DEV] Stop replacing dots with underscores in query, post and cookie parameters for PHP 8?

2019-07-19 Thread Lauri Kenttä
different code to support both PHP 7 and 8. Also, now that we're at it, what about the following: i[].x=1 currently produces ['i' => [0 => '1']], losing the x. i[x].y=1[x].z=2 produces ['i' => ['x' => '2']]. Maybe something to be done to address these cases? -- Lauri Kenttä -- P

Re: [PHP-DEV] [RFC] Deprecate left-associative ternary operator

2019-04-13 Thread Lauri Kenttä
This is unambiguous and should be allowed IMO. -- Lauri Kenttä

Re: [PHP-DEV] Possible bug in the implementation of php://input streams?

2019-01-16 Thread Lauri Kenttä
On 2019-01-16 09:59, Rasmus Schultz wrote: We've noticed something odd about the "php://input" stream. If you attempt to rewind() it after reading the stream, rewind() returns true, and ftell() subsequently returns 0. However, attempting to read the stream again after that returns nothing.

Re: [PHP-DEV][RFC] mb_str_split

2019-01-15 Thread Lauri Kenttä
On 2019-01-13 17:29, Legale Legage wrote: There are 2 more 2-byte width encodings: MBFL_ENCTYPE_MWC2BE (UTF16-BE), MBFL_ENCTYPE_MWC2LE (UTF16-LE). UTF-16 is not a fixed-width 2-byte encoding. Just like UTF-8 is not a fixed-width 1-byte encoding. -- Lauri Kenttä
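As an added example (not code from the thread, from mbstring or from the mb_str_split RFC), the C below shows why a 2-byte-per-character split of UTF-16 is wrong: code points above U+FFFF are encoded as a surrogate pair of two 16-bit units, so a character-wise split has to look at the unit value before deciding whether the character is 2 or 4 bytes long, and has to reject lone or mis-ordered surrogates and odd byte lengths. The sample byte string (an "A", U+1F600 and a "B" in UTF-16BE) is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

/* Length in bytes of the UTF-16BE character starting at s[pos]: 2 for a BMP
 * code point, 4 for a surrogate pair, -1 for a truncated unit, a lone low
 * surrogate, or a high surrogate that is not followed by a low one. */
long utf16be_char_len(const unsigned char *s, size_t n, size_t pos)
{
    if (pos + 2 > n)
        return -1;
    uint32_t u = ((uint32_t)s[pos] << 8) | s[pos + 1];
    if (u >= 0xD800 && u <= 0xDBFF) {          /* high surrogate: needs a low one */
        if (pos + 4 > n)
            return -1;
        uint32_t lo = ((uint32_t)s[pos + 2] << 8) | s[pos + 3];
        return (lo >= 0xDC00 && lo <= 0xDFFF) ? 4 : -1;
    }
    if (u >= 0xDC00 && u <= 0xDFFF)            /* low surrogate on its own */
        return -1;
    return 2;
}

/* Decode the code point at s[pos]; len must come from utf16be_char_len. */
uint32_t utf16be_decode(const unsigned char *s, size_t pos, long len)
{
    uint32_t u = ((uint32_t)s[pos] << 8) | s[pos + 1];
    if (len == 2)
        return u;
    uint32_t lo = ((uint32_t)s[pos + 2] << 8) | s[pos + 3];
    return 0x10000 + (((u - 0xD800) << 10) | (lo - 0xDC00));
}

/* Number of characters in a well-formed UTF-16BE byte string, or -1 if it is
 * malformed. This is what a character-wise split must count; cutting every
 * 2 bytes would split surrogate pairs in half. */
long utf16be_count(const unsigned char *s, size_t n)
{
    long count = 0;
    for (size_t pos = 0; pos < n; count++) {
        long len = utf16be_char_len(s, n, pos);
        if (len < 0)
            return -1;
        pos += (size_t)len;
    }
    return count;
}

/* Constructed sample: "A", U+1F600 (surrogate pair D83D DE00), "B". */
static const unsigned char SAMPLE[] = { 0x00, 0x41, 0xD8, 0x3D, 0xDE, 0x00, 0x00, 0x42 };
/* Constructed malformed inputs: a high surrogate followed by "A"; an odd byte count. */
static const unsigned char LONE[] = { 0xD8, 0x3D, 0x00, 0x41 };
static const unsigned char ODD[]  = { 0x00, 0x41, 0x00 };

long sample_count(void)      { return utf16be_count(SAMPLE, sizeof SAMPLE); }
long sample_naive_count(void){ return (long)(sizeof SAMPLE / 2); } /* what a 2-byte split reports */
long sample_len_at(size_t p) { return utf16be_char_len(SAMPLE, sizeof SAMPLE, p); }
uint32_t sample_cp_at(size_t p) { return utf16be_decode(SAMPLE, p, sample_len_at(p)); }
long lone_count(void)        { return utf16be_count(LONE, sizeof LONE); }
long odd_count(void)         { return utf16be_count(ODD, sizeof ODD); }
```

The sample has three characters but eight bytes, so the naive split reports four "characters", the middle two being half a surrogate pair each; any code that then re-encodes or escapes those halves produces output the receiver will reject or reinterpret.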

Re: [PHP-DEV] Proposal: change precision for output functions

2019-01-08 Thread Lauri Kenttä
and well known. You have to use formatting functions like number_format if you need neatly rounded base-10 output. There are also a lot of libraries for precise base-10 calculations. They will be a lot slower than native binary floating-point calculations, though. Regards, Lauri Kenttä

Re: [PHP-DEV] Inconsistent float to string vs. string to floatcasting

2019-01-02 Thread Lauri Kenttä
f you receive floats, you can parse them yourself. No need to change ”the other side”. -- Lauri Kenttä

[PHP-DEV] Bug or not: accel_init_interned_string_for_php returns non-interned strings

2018-12-28 Thread Lauri Kenttä
(possible with normal string but would not happen with interned), causing corruption. Is this a bug or just some Zend quirk? -- Lauri Kenttä

Re: [PHP-DEV] OBJECT_OPERATOR vs. DOUBLE_COLON

2017-07-05 Thread Lauri Kenttä
ars/appeared in other places, too. Ah, OK, I stand corrected. Regards, I'm just wondering if T_PAAMAYIM_NEKUDOTAYIM could finally be changed to T_DOUBLE_COLON in, say, PHP 8? Sorry about hijacking this. :) -- Lauri Kenttä

Re: [PHP-DEV] Re: [RFC] Distrust SHA-1 Certificates

2017-05-29 Thread Lauri Kenttä
e to SHA-3 of the same length? Just my thoughts. -- Lauri Kenttä

Re: [PHP-DEV] Re: [Discussion] Dots and spaces in GPC variable names

2017-05-15 Thread Lauri Kenttä
. You could create all kinds of crazy bloat. -- Lauri Kenttä

Re: [PHP-DEV] SHA3 is very slow

2017-04-03 Thread Lauri Kenttä
6; ++$i) hash("sha3-256", "abc");' user 0m2.497s sys 0m0.020s There's a small difference, but I wonder if anybody (except Yasuo) actually cares? -- Lauri Kenttä

Re: [PHP-DEV] Re: Improving mt_rand() seed

2017-02-02 Thread Lauri Kenttä
el log has several lines about /dev/urandom not being properly seeded before the system is fully started, so using a CSPRNG is not guaranteed to work so well. -- Lauri Kenttä

Re: [PHP-DEV] Re: Improving mt_rand() seed

2017-01-30 Thread Lauri Kenttä
/msg87590.html -- Lauri Kenttä

Re: [PHP-DEV] Re: Improving mt_rand() seed

2017-01-27 Thread Lauri Kenttä
On 2017-01-27 17:13, Leigh wrote: On 27 January 2017 at 14:30, Lauri Kenttä <lauri.ken...@gmail.com> wrote: This needs to be thought of as 2^32 possible _streams_ with a period of (2^19937)−1. Offset within the stream is as important as the stream variation itself. This is no

Re: [PHP-DEV] Re: Improving mt_rand() seed

2017-01-27 Thread Lauri Kenttä
orithm, the bit strength is only 2^32. The remaining 2^28 comes from security through obscurity, which is not a generally valid real security thing. Anyway, a password should be better generated with CSPRNG, not MT, so "hardening" MT is totally irrelevant. -- Lauri Kenttä
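The two messages above (2^32 possible streams; "the bit strength is only 2^32") can be made concrete. The C program below is an added example, not code from the thread and not php-src's mt_rand.c: it implements reference MT19937 (init_genrand and genrand_int32 as in mt19937ar.c; PHP's mt_rand used a slightly different twist before 7.1 and scales its output, so real mt_rand values differ), derives a hypothetical 16-character password from the first outputs after a 32-bit seed, and then recovers the seed from the password alone by brute force. The alphabet, the password derivation and the search window are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reference MT19937 (mt19937ar.c) in a reentrant form. */
#define MT_N 624
#define MT_M 397

typedef struct {
    uint32_t mt[MT_N];
    int idx;
} mt19937_t;

/* init_genrand: the entire 624-word state is a function of one 32-bit seed,
 * which is why the output space is 2^32 streams, not 2^19937 states. */
void mt_seed(mt19937_t *g, uint32_t seed)
{
    g->mt[0] = seed;
    for (int i = 1; i < MT_N; i++)
        g->mt[i] = 1812433253u * (g->mt[i - 1] ^ (g->mt[i - 1] >> 30)) + (uint32_t)i;
    g->idx = MT_N; /* force a twist before the first output */
}

static void mt_twist(mt19937_t *g)
{
    for (int k = 0; k < MT_N; k++) {
        uint32_t y = (g->mt[k] & 0x80000000u) | (g->mt[(k + 1) % MT_N] & 0x7fffffffu);
        uint32_t v = g->mt[(k + MT_M) % MT_N] ^ (y >> 1);
        if (y & 1u)
            v ^= 0x9908b0dfu;
        g->mt[k] = v;
    }
    g->idx = 0;
}

/* genrand_int32: one tempered 32-bit output. */
uint32_t mt_next(mt19937_t *g)
{
    if (g->idx >= MT_N)
        mt_twist(g);
    uint32_t y = g->mt[g->idx++];
    y ^= y >> 11;
    y ^= (y << 7) & 0x9d2c5680u;
    y ^= (y << 15) & 0xefc60000u;
    y ^= y >> 18;
    return y;
}

/* First output for a seed (reference value: seed 5489 gives 3499211612). */
uint32_t mt_first_output(uint32_t seed)
{
    mt19937_t g;
    mt_seed(&g, seed);
    return mt_next(&g);
}

/* Hypothetical password derivation, constructed for the example: one alphabet
 * character per MT output. */
static const char ALPHABET[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define ALPHABET_LEN (sizeof ALPHABET - 1)

void mt_password(uint32_t seed, char *out, size_t len)
{
    mt19937_t g;
    mt_seed(&g, seed);
    for (size_t i = 0; i < len; i++)
        out[i] = ALPHABET[mt_next(&g) % ALPHABET_LEN];
    out[len] = '\0';
}

/* Brute force over [lo, hi]: re-derive the password for each candidate seed and
 * stop at the first character that differs. Returns 1 and sets *found on a hit. */
int recover_seed(const char *password, uint32_t lo, uint32_t hi, uint32_t *found)
{
    size_t len = strlen(password);
    if (lo > hi)
        return 0;
    for (uint32_t s = lo; ; s++) {
        mt19937_t g;
        mt_seed(&g, s);
        size_t i = 0;
        while (i < len && ALPHABET[mt_next(&g) % ALPHABET_LEN] == password[i])
            i++;
        if (i == len) {
            *found = s;
            return 1;
        }
        if (s == hi) /* checked after the attempt so hi == UINT32_MAX cannot wrap */
            return 0;
    }
}

/* Generate a password from true_seed, then recover the seed from the password
 * alone by searching [lo, hi]. Returns the recovered seed, or -1 on a miss. */
long long demo_recover(uint32_t true_seed, size_t pwlen, uint32_t lo, uint32_t hi)
{
    char pw[64];
    uint32_t found;
    if (pwlen >= sizeof pw)
        pwlen = sizeof pw - 1;
    mt_password(true_seed, pw, pwlen);
    return recover_seed(pw, lo, hi, &found) ? (long long)found : -1;
}

int main(void)
{
    long long s = demo_recover(123456u, 16, 100000u, 200000u);
    printf("recovered seed: %lld\n", s);
    return s == 123456 ? 0 : 1;
}
```

Each candidate costs one state initialisation and one twist, a few microseconds on a modern core, so the full 2^32 window is a matter of hours on one core and splits trivially across many; a sixteen-character password looks like 95 bits of entropy but carries only the 32 bits of the seed. That is the argument for generating such values with a CSPRNG rather than any seeded MT, however the seed is chosen.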

Re: [PHP-DEV] Re: Improving mt_rand() seed

2017-01-19 Thread Lauri Kenttä
environment, even on machines without any network. CSPRNG is not required and should not be required. -- Lauri Kenttä

Re: [PHP-DEV] Re: Improving mt_rand() seed

2017-01-18 Thread Lauri Kenttä
llback), see [1]. I can send that against master if the approach is accepted here. If you want it in PHP-7.0 or PHP-7.1, please merge it yourself, thank you. [1] https://github.com/Metabolix/php-src/tree/mt_srand_auto-pr -- Lauri Kenttä

Re: [PHP-DEV] Re: Improving mt_rand() seed

2017-01-17 Thread Lauri Kenttä
On 2017-01-17 16:18, Lauri Kenttä wrote: On 2017-01-17 02:34, Yasuo Ohgaki wrote: Set state somewhere between MT rand's 2^19937−1 cycle. This is exactly what my patch does. Or, to be honest, my patch provides 2^19936 possible states, which should be more than enough. To get all 2^19937−1

Re: [PHP-DEV] Re: Improving mt_rand() seed

2017-01-17 Thread Lauri Kenttä
On 2017-01-17 02:34, Yasuo Ohgaki wrote: Set state somewhere between MT rand's 2^19937−1 cycle. This is exactly what my patch does. -- Lauri Kenttä -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: Improving mt_rand() seed

2017-01-16 Thread Lauri Kenttä
On Mon, Jan 16, 2017 at 4:04 PM, Yasuo Ohgaki wrote: We know this kind of seed is guessable. i.e. Our session id is compromised by this kind of code. Maybe you should fix session id instead of (or in addition to) mt_rand. On 2017-01-16 09:16, Yasuo Ohgaki wrote:

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-09 Thread Lauri Kenttä
ll the same tale. So do you have some actual arguments for your version, or is this just ”not invented here”? Also, I must say that I'm neither for nor against this change in general; I'm discussing only the implementation. -- Lauri Kenttä

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-08 Thread Lauri Kenttä
produce 0.abcdefgh instead of a.bcdefghi. If you can't fix it, maybe you shouldn't be doing it in the first place... -- Lauri Kenttä

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-03 Thread Lauri Kenttä
) would cover the general case. random_array([1,2,3], 20) could extend this to arbitrary arrays. -- Lauri Kenttä

Re: [PHP-DEV] [RFC] Interval Comparison

2016-11-12 Thread Lauri Kenttä
is evaluated only once, so the expression will have the same value in both of the comparisons. So if the first part is 1<2, then the other must be 2<3 (and not 3<3). An expression like a < b < c < d can be currently implemented with temporary variables like this: a < ($tmp1 =

Re: [PHP-DEV] [RFC] Interval Comparison

2016-11-08 Thread Lauri Kenttä
e dropped and the comparison will go on. -- Lauri Kenttä

Re: [PHP-DEV] Directly embed small strings in zvals

2016-10-27 Thread Lauri Kenttä
, so you get 8/6*7 = 9 chars. Not really better than 7 chars, especially considering that all operations on single characters would be slower than usual. -- Lauri Kenttä

Re: [PHP-DEV] wordwrap with negative width

2016-10-16 Thread Lauri Kenttä
at negative width is no longer supported, soon people will discover the easy fix, max($width,0), and you have really gained nothing but more hacks in bad code. -- Lauri Kenttä

Re: [PHP-DEV] wordwrap with negative width

2016-10-15 Thread Lauri Kenttä
change it? It's very easy to imagine a script like this: Here someone tries to calculate $max_width dynamically. The calculation might produce a negative result sometimes. The text would be visible, even if it's not word wrapped. It might not look as expected, but it would be readable. --

Re: [PHP-DEV] [!] Master merged into PHP-7.1

2016-10-13 Thread Lauri Kenttä
On 2016-10-13 22:32, Davey Shafik wrote: On Thu, Oct 13, 2016 at 12:20 PM, Lauri Kenttä <lauri.ken...@gmail.com> wrote: On 2016-10-13 20:16, Davey Shafik wrote: Can anyone shed some light on: 1) when it was merged 2) who merged it 3) how the dates are messed up 1) and 2)

Re: [PHP-DEV] [!] Master merged into PHP-7.1

2016-10-13 Thread Lauri Kenttä
P-7.2 into Joe's messed-up branch. I think the normal approach here would be to issue a statement, rename this branch to PHP-7.1-broken-blahblah and restart PHP-7.1 from the last good commit (4b8bdac) with some cherry-picking or re-merging. -- Lauri Kenttä

Re: [PHP-DEV] Feature Request: inline pseudo-instruction

2016-10-04 Thread Lauri Kenttä
, and then simply call the function instead of repeatedly including the file. Calling a function is a lot faster than including a file. -- Lauri Kenttä

Re: [PHP-DEV] BC break: ReflectionMethod::invoke() expects parameter1to be object, string given

2016-08-23 Thread Lauri Kenttä
On 2016-08-23 18:45, Alexander Lisachenko wrote: 2016-08-23 18:05 GMT+03:00 Lauri Kenttä <lauri.ken...@gmail.com>: Could you do it without reflection, then? I don't think so. Thus, I think your "use case" is broken by design. FYI: This use case is used by Go! AOP Framewor

Re: [PHP-DEV] BC break: ReflectionMethod::invoke() expects parameter1to be object, string given

2016-08-23 Thread Lauri Kenttä
the method in Child class at all. If this kind of functionality is generally needed, maybe it could be borrowed from C++: obj_b->A::whoami(); Translated to PHP/Reflection: new ReflectionMethod("B", "A::whoami")->invoke(); -- Lauri Kenttä

Re: [PHP-DEV] BC break: ReflectionMethod::invoke() expects parameter1to be object, string given

2016-08-23 Thread Lauri Kenttä
Levi! I suggest to wait for Julian, though, who wrote: "I'll prepare a patch exposing my ideas soon." Would there be different checks for static and non-static? - For non-static, accept object or null. (Or only a non-null object?) - For static, accept only null (deprecate also objects)

Re: [PHP-DEV] Re: [RFC][DISCUSSION] Argon2 Password Hash

2016-08-21 Thread Lauri Kenttä
ctions to these cost factors (or anything else for that matter) before putting this up for a vote. Please let me know your thoughts. The whole RFC looks good to me now. Thanks for your work on this! -- Lauri Kenttä

Re: [PHP-DEV] Re: [RFC: PATCH v1] Implement mt_srand_array

2016-08-20 Thread Lauri Kenttä
already knows this Zend stuff a bit better... -- Lauri Kenttä

[PHP-DEV] [RFC: PATCH v1] Implement mt_srand_array

2016-08-14 Thread Lauri Kenttä
--- ext/standard/basic_functions.c | 5 + ext/standard/mt_rand.c | 67 ++- ext/standard/php_math.h| 1 + ext/standard/tests/math/mt_srand_array_basic.phpt | 146 ++

[PHP-DEV] Re: mt_srand with array seed?

2016-08-14 Thread Lauri Kenttä
On 2016-08-14 17:04, Tom Worster wrote: On 8/14/16, 5:45 AM, "Lauri Kenttä" <lauri.ken...@gmail.com> wrote: On 2016-08-13 18:53, Tom Worster wrote: On 8/12/16 2:48 PM, Lauri Kenttä wrote: On 2016-08-12 21:40, Tom Worster wrote: mt_srand() will work. But what would be in the

[PHP-DEV] Re: mt_srand with array seed?

2016-08-14 Thread Lauri Kenttä
On 2016-08-13 18:53, Tom Worster wrote: On 8/12/16 2:48 PM, Lauri Kenttä wrote: On 2016-08-12 21:40, Tom Worster wrote: mt_srand() will work. But what would be in the array? Integers from which the upper 32 bits, if they exist, are discarded? mt19937ar.c contains init_by_array. Compatibility

[PHP-DEV] Re: mt_srand with array seed?

2016-08-12 Thread Lauri Kenttä
widely used implementation. -- Lauri Kenttä

[PHP-DEV] mt_srand with array seed?

2016-08-11 Thread Lauri Kenttä
Hello, Any thoughts about supporting a longer seed array for mt_srand? Does anyone really need it? Should it be in mt_srand or mt_srand_array? See: https://bugs.php.net/bug.php?id=32145 -- Lauri Kenttä

Re: [PHP-DEV] Re: [RFC][DISCUSSION] Argon2 Password Hash

2016-08-06 Thread Lauri Kenttä
miliar with Argon2, I only looked shortly at the source files and the Python library [2]. However, care should be taken to use the correct definition for m_cost. [1] https://github.com/P-H-C/phc-winner-argon2/blob/master/src/run.c#L27 [2] http://argon2-cffi.readthedocs.io/en/stable/parameters.html -- Lauri

Re: [PHP-DEV] Re: [RFC][DISCUSSION] Argon2 Password Hash

2016-08-05 Thread Lauri Kenttä
128 MB or 256 MB. -- Lauri Kenttä

Re: [PHP-DEV] RFC Posted for str_begins and str_ends functions

2016-08-03 Thread Lauri Kenttä
($a, $b, 0, strlen($b)) === 0; } function str_ends($a, $b) { return substr_compare($a, $b, -strlen($b)) === 0; } -- Lauri Kenttä

Re: [PHP-DEV] [RFC] New operator for context-dependent escaping

2016-07-17 Thread Lauri Kenttä
On 2016-07-17 06:49, Marcio Almada wrote: 2 . Is there any rationale why we're using strings separated by '|' to pass context instead of an array? Ex.: Multiple arguments would make the syntax even cleaner: -- Lauri Kenttä

Re: [PHP-DEV] base64_decode is buggy, what to fix?

2016-05-25 Thread Lauri Kenttä
might mean that the data is truncated by accident. - Invalid padding is allowed ("=VVV=", "VV=V=") Any comments? Strict mode at least gets this one right. It's really sad if someone relies on this "feature". -- Lauri Kenttä

[PHP-DEV] base64_decode is buggy, what to fix?

2016-05-22 Thread Lauri Kenttä
'U' 'VV= =' 'U' (false) 'VVV=V' 'UUU' 'UU' '=*' 'UUU' 'UUU' 'VV=V' 'U' '' 'VV=*' '' '' '===*' 'UUU' 'UUU' 'VVVV' 'UUU' 'UU' 'VVV*'
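The two base64_decode messages above list the lenient behaviours (silently accepted truncation, '=' in the middle of the input, invalid padding). As an added example, not code from the thread and not php-src's ext/standard/base64.c, here is a strict decoder in C that rejects each of them and, optionally, also rejects non-canonical trailing bits, so that every byte string has exactly one accepted encoding. The inputs in the wrappers are the ones quoted in the thread plus a few constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Value of one base64 alphabet character, or -1 for anything else (including '='). */
static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Strict decoder. Rejects: a length that is not a multiple of 4 (truncated or
 * overlong input), any character outside the alphabet, '=' anywhere except the
 * last one or two positions of the whole input, and, when canonical != 0,
 * non-zero bits in the positions the padding declares unused.
 * Returns the number of bytes written, or -1 if the input is rejected. */
long base64_decode_strict(const char *in, size_t inlen, unsigned char *out, size_t outcap, int canonical)
{
    size_t outlen = 0;
    if (inlen % 4 != 0)
        return -1;
    for (size_t i = 0; i < inlen; i += 4) {
        uint32_t bits = 0;
        int pad = 0;
        for (int j = 0; j < 4; j++) {
            char c = in[i + j];
            int v = 0;
            if (c == '=') {
                /* padding is only valid in the final group, in positions 2 and 3 */
                if (i + 4 != inlen || j < 2)
                    return -1;
                pad++;
            } else {
                if (pad)              /* data after '=' (e.g. "VV=V") */
                    return -1;
                v = b64_value(c);
                if (v < 0)
                    return -1;
            }
            bits = (bits << 6) | (uint32_t)v;
        }
        /* One '=' leaves the low 8 bits unused, two '=' leave the low 16 unused.
         * A conforming encoder writes zeros there; accepting anything else means
         * "VVV=" and "VVU=" are both "UU", i.e. one byte string has many encodings. */
        if (canonical && ((pad == 1 && (bits & 0xffu)) || (pad == 2 && (bits & 0xffffu))))
            return -1;
        size_t n = 3 - (size_t)pad;
        if (outlen + n > outcap)
            return -1;
        out[outlen++] = (unsigned char)(bits >> 16);
        if (n > 1) out[outlen++] = (unsigned char)(bits >> 8);
        if (n > 2) out[outlen++] = (unsigned char)bits;
    }
    return (long)outlen;
}

/* Wrappers so results can be checked without managing buffers by hand. */
long b64_check(const char *s, int canonical)
{
    unsigned char buf[64];
    return base64_decode_strict(s, strlen(s), buf, sizeof buf, canonical);
}

int b64_equals(const char *s, int canonical, const char *expected)
{
    unsigned char buf[64];
    long n = base64_decode_strict(s, strlen(s), buf, sizeof buf, canonical);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}
```

Whether to enforce the canonical flag depends on the caller: for decoding data that is only consumed, lenient trailing bits are harmless; for anything that is compared, cached or signed by its encoded form, multiple encodings of the same bytes are exactly what a validator and a decoder will disagree about, so the canonical mode is the safer default there.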

Re: [PHP-DEV] PHP 7.1 - Address PHPSadness #28?

2015-09-19 Thread Lauri Kenttä
On 2015-09-17 11:58, Rowan Collins wrote: Interestingly, ... there's no way I know of to detect if a parameter was omitted from your function call rather than passed an explicit null; There is! It's called func_num_args, and it's very ugly. -- Lauri Kenttä

Re: [PHP-DEV] PHP 7.1 - Address PHPSadness #28?

2015-09-09 Thread Lauri Kenttä
(especially assigning) non-declared variables. They already did this for JavaScript... -- Lauri Kenttä

Re: [PHP-DEV] PHP 7.1 Cryptography Projects

2015-08-04 Thread Lauri Kenttä
On 2015-08-03 23:54, Scott Arciszewski wrote: $AES = new \PCO\Symmetric('openssl:cipher=AES-128'); It would be great if you could just ask for cipher=AES-128 without explicitly specifying the provider (openssl). -- Lauri Kenttä

Re: [PHP-DEV] PHP 7.1 Cryptography Projects

2015-08-04 Thread Lauri Kenttä
and/or all used settings to solve both of these cases? -- Lauri Kenttä

Re: [PHP-DEV] is_digits() and digits type

2015-05-12 Thread Lauri Kenttä
On 2015-05-12 03:56, Yasuo Ohgaki wrote: - is_numeric() and numeric type for float like string FYI, there's ctype_digit($s) and preg_match('/^[0-9]+$/s', $s); Adding more functions would be only confusing, I think. -- Lauri Kenttä

[PHP-DEV] [PATCH] random_int: Fix power of two check.

2015-05-10 Thread Lauri Kenttä
(x & ~x) is always 0. ((x & (~x + 1)) != x) works. ((x & (x - 1)) != 0) works too. --- ext/standard/random.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/standard/random.c b/ext/standard/random.c index 12c2503..4a1adbf 100644 --- a/ext/standard/random.c +++
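Review bot: both replacement checks proposed in the message, ((x & (~x + 1)) != x) and ((x & (x - 1)) != 0), classify x == 0 as a power of two, since 0 & anything is 0; the hunk itself is not visible here, so this applies to whichever expression the one-line change uses. If x is the inclusive range size computed as max - min + 1 in an unsigned type, x == 0 only arises when that addition wraps on the full range, where skipping rejection sampling is the correct outcome, but that reasoning deserves a comment next to the check rather than being left implicit. Of the two, (x & (x - 1)) != 0 is the idiomatic form and the easier one to recognise on review.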