On Wednesday, 26 June 2024 at 14:54, Kamil Tekiela <tekiela246@gmail.com> wrote:

I think the "Deprecate passing E_USER_ERROR to trigger_error()" should
be better explained. Why is using this constant a problem? There is a
link to another RFC, but I can't see an explanation as to why
E_USER_ERROR suffers the same problem as fatal errors do. From an
average Joe's perspective, it looks fine and does the job
Online PHP editor | output for e97TO

Returning control after an E_USER_ERROR seems problematic to me in
the first place, as the condition which lead to the trigger surely
implies the current code is unable to handle the situation.
See: Online PHP editor | output for 7pdvO

But the issues with fatal errors are the same as explained in the
linked RFC, in that destructors (and finally blocks, etc.) are not
called. See: Online PHP editor | output for J5NXF

Using exceptions instead is more robust.
Is this explanation clear enough?
If so, I will incorporate it into the RFC.

Best regards,

Gina P. Banyard

-Mike

Hi All,

I do appreciate that strtok has a kind of bizarre signature/use pattern and potential for confusion due to how subsequent calls work, but to me that sounds like a better result for uses that need the repeated call functionality, would be to introduce a builtin StringTokenizer class that wraps the underlying strtok_r C call and uses internal state to keep track of the string being tokenized.

As a “works the same” solution for grabbing the first segment of a string up to any of the delimiter chars, could the strpbrk function be expanded with a $before_needle arg like strstr has? (strstr matches on an exact substring, not on any pf a list of characters)

Cheers

Stephen

Hi,

On 26.06.24 07:18, Mike Schinkel wrote:

On Jun 25, 2024, at 4:51 PM, Gina P. Banyard <internals@gpb.moe <mailto:internals@gpb.moe>> wrote:

On Tuesday, 25 June 2024 at 19:06, Mike Schinkel <mike@newclarity.net <mailto:mike@newclarity.net>> wrote:

strtok()

strtok() is found 35k times in GitHub:

    Code search results · GitHub
    <Code search results · GitHub;

It is a commonly used as a "left part of string up to a character" in addition to its intended use for tokenizing.

I would prefer not deprecated because of BC breakage, but IF it is deprecated I would suggest adding a one-for-one replacement function for the "left part of string up to a character" use-case; maybe `str_left("abc.txt",".")` returning `"abc"`.

For this exact case of extracting a file name without an extension, you should really just use:
|pathinfo($filepath, PATHINFO_FILENAME);|
But for something more generic, you can just do:
explode($delimiter, $str)[0];

So I really don't see why we would need an "str_left()" function.

Ah, *the dangers of providing a specific example of a broader use-case* is that someone will invariably discredit the specific example instead of focusing on the applicability for the broader use-case.

To wit, here are seven (7) use-cases for which `pathinfo()` is not a viable alternative:

    Online PHP editor | output for RDYFs

Note those seven use-cases are found in around the first 25 results when searching GitHub for "strtok(". I could probably find more if I kept looking:

    Code search results · GitHub
    <Code search results · GitHub;

Regarding explode($delimiter, $str)[0] — unless it is to be special-cased during compilation —it is a really inefficient way to find the substring up to the first character, especially for large strings and/or when in a tight loop where the explode is contained in a called function.

Here is a benchmark (PHP Sandbox - Execute PHP code online through your browser) showing that — on average of the runs I performed — for using `strtok()` to fully process through a 3972 byte file with 359 commas it took right at */90 times/* longer using explode($delimiter, $str)[0] vs. strtok($str,$delimiter). Imagine is the file were 39,720 bytes, or larger, instead.

    Size of file: 3972
    Number of commas: 359
    Time taken for strtok: 0.0034 seconds
    Time taken for explode: 0.3036 seconds
    *Times strtok() faster: 89.1*

Yes the above processes the entire file using explode()[0] each time rather than first using explode(",") once — because of the equivalent of the N+1 problem[1] where the explode() is buried in a function. This illustrates why strtok() is so good for its primary use-case of parsing text files. strtok() is fast and does not use heaps of memory on every token.

This leads me to think `strtok()` */should not/* be deprecated given how inefficient string handling in PHP can otherwise be, at least not without a much more efficient object for string parsing.

I'm with Mike on `strtok()` and don't understand why it would be on a
deprecation list.

I see nothing inherently "wrong" or "dangerous" with it: it's one of the
"works an intended" and if you know how to use it, it works perfectly
they way it is designed.

The variations of suggestions in other replies how to handle certain use
cases of `strtok()` already shows there's no clear migration path and
depends on the situation, which is the worst.

Compare this with suggestion like `sha1()` or similar, where the
deprecation is about "the function, but not the functionality", because
SHA1 is available by other means.
But there's no clear alternative to `strtok()`, as it is its own kind.

on deprecating it; if a gotcha with it is not clear (e.g. using it in
different scopes, as this was brought up), I see this rather as a
"documentation problem".

cheers,
- Markus

On Thu, 27 Jun 2024 at 05:57, Gina P. Banyard <internals@gpb.moe> wrote:

On Wednesday, 26 June 2024 at 14:54, Kamil Tekiela <tekiela246@gmail.com> wrote:

> I think the "Deprecate passing E_USER_ERROR to trigger_error()" should
> be better explained. Why is using this constant a problem? There is a
> link to another RFC, but I can't see an explanation as to why
> E_USER_ERROR suffers the same problem as fatal errors do. From an
> average Joe's perspective, it looks fine and does the job
> Online PHP editor | output for e97TO

Returning control after an E_USER_ERROR seems problematic to me in
the first place, as the condition which lead to the trigger surely
implies the current code is unable to handle the situation.
See: Online PHP editor | output for 7pdvO

But the issues with fatal errors are the same as explained in the
linked RFC, in that destructors (and finally blocks, etc.) are not
called. See: Online PHP editor | output for J5NXF

Using exceptions instead is more robust.
Is this explanation clear enough?
If so, I will incorporate it into the RFC.

Best regards,

Gina P. Banyard

Yes, that is a better description.

On Thursday, 27 June 2024 at 11:22, Kamil Tekiela <tekiela246@gmail.com> wrote:

Yes, that is a better description.

I have updated this section of the RFC.

Best regards,

Gina P. Banyard

Hi

On 6/26/24 14:14, Gina P. Banyard wrote:

Regarding explode($delimiter, $str)[0] — unless it is to be special-cased during compilation —it is a really inefficient way to find the substring up to the first character, especially for large strings and/or when in a tight loop where the explode is contained in a called function

Then use a regex: Online PHP editor | output for SGWL5

Or a combination of strpos and substr.

I'd bet that both of these solutions would use less memory, and I would guess the PCRE one should also be better for performance (although not benchmarked) as it is highly specialized in that task.

There are *plenty* of solutions to the specific problem you pose here, and thus many different solutions more or less appropriate.

FWIW: `explode()` also has a third parameter to limit the number of segments to return. If you always want just one, you can set the parameter to `2` to prevent further processing from happening after encountering the first delimiter.

Best regards
Tim Düsterhus

On Jun 27, 2024, at 2:22 AM, Stephen Reay php-lists@koalephant.com wrote:

I do appreciate that strtok has a kind of bizarre signature/use pattern and potential for confusion due to how subsequent calls work, but to me that sounds like a better result for uses that need the repeated call functionality, would be to introduce a builtin StringTokenizer class that wraps the underlying strtok_r C call and uses internal state to keep track of the string being tokenized.

strtok is weird, but it’s not actually dangerous. An OO wrapper doesn’t sound worth it unless it comes with compelling extra features or at least a reusable abstraction in the form of a concrete StrTokTokenizer (or hopefully a less ugly name) implementing a StringTokenizer interface.

Personally I say let strtok be and just admit in the documentation that it’s weird because C.

[Resent to the list. Sorry for any previously cc’d dups, macOS Mail keeps guessing the wrong sender address.]

—c (weird just because)

Hi

On 6/27/24 19:09, Chuck Adams wrote:

Personally I say let strtok be and just admit in the documentation that it’s weird because C.

strtok() is not weird because C. It does not rely on the libc strtok() function and did not since at least 1999 (and likely never did): First commit of re-structuring phase one. We have started using auto… · php/php-src@257de2b · GitHub

strtok() is weird, because someone believed that relying on global state was good API design. I find that excusable, because it happened more than a quarter of a century ago.

Best regards
Tim Düsterhus

Hi

On 6/27/24 09:44, Markus Podar wrote:

on deprecating it; if a gotcha with it is not clear (e.g. using it in
different scopes, as this was brought up), I see this rather as a
"documentation problem".

If one can easily use a function incorrectly in a way that is not *immediately* apparent, then I consider the function to be badly designed. In my book this includes all functions that rely on global state, because that will lead to spooky action from a distance sooner rather than later.

Here's an example (Online PHP editor | output for XNl3X):

     <?php

     function processInner($line) {
         $tok = strtok($line, ",");

         while ($tok !== false) {
             echo "Entry=$tok\n";
             $tok = strtok(",");
         }
     }

     function processOuter($csv) {
         $line = strtok($csv, "\n");

         while ($line !== false) {
             processInner($line);
             $line = strtok("\n");
         }
     }

     processOuter("foo,bar,baz\na,b,c\n1,2,3");

Each of the functions individually is "fine" (for an appropriate definition of fine), but combined they are buggy. This becomes worse when the processInner() function is part of a third party library you don't control. Do you check each update of that library to see if it added or removed any strtok() calls anywhere?

Pointing towards the documentation is not an excuse for bad API design.

Best regards
Tim Düsterhus

On Jun 27, 2024, at 11:26 AM, Tim Düsterhus <tim@bastelstu.be> wrote:

Hi

On 6/27/24 19:09, Chuck Adams wrote:

Personally I say let strtok be and just admit in the documentation that it’s weird because C.

strtok() is not weird because C. It does not rely on the libc strtok()
function and did not since at least 1999 (and likely never did):
First commit of re-structuring phase one. We have started using auto… · php/php-src@257de2b · GitHub

Okay, how about “weird because POSIX”? The API gets the blame then, not any implementation.

strtok() is weird, because someone believed that relying on global state
was good API design. I find that excusable, because it happened more
than a quarter of a century ago.

Oh I think strtok is awful, but it also looks like it beats the pants off the alternatives performance-wise. I imagine it’s also completely ignorant about unicode, so yeah…

I guess it should at least be deprecated until being replaced by a userspace version with similar performance.

—c

I have added one more deprecation

Deprecate the second parameter to mysqli_store_result().

If one can easily use a function incorrectly in a way that is not
immediately apparent, then I consider the function to be badly
designed.

Does that philosophy also cover preg_quote()? I’ve lost count of the number of times that I’ve seen it used in Stack Overflow answers without a second parameter (including array_map(‘preg_quote’, $array)) and its returned value used in a regex that has foward slashes as delimiters.

Additionally, it is an unintuitively named function; it doesn’t actually “quote” anything – it \e\s\c\a\p\e\s characters. This makes life unnecessarily harder for devs who are new to PHP who need to find the regex escaping function.

Would it be reasonable to create preg_escape() which also (sometimes unnecessrily) includes the (de facto default delimiter) forward slash in its default list of escaped characters so that preg_quote() could eventually be deprecated? As far as I know this would do no harm, will prevent holes in code, and make PHP more intuitive.

Mick

On Saturday, 29 June 2024 at 22:23, mickmackusa <mickmackusa@gmail.com> wrote:

If one can easily use a function incorrectly in a way that is not
*immediately* apparent, then I consider the function to be badly
designed.

Does that philosophy also cover preg_quote()? I've lost count of the number of times that I've seen it used in Stack Overflow answers without a second parameter (including array_map('preg_quote', $array)) and its returned value used in a regex that has foward slashes as delimiters.

Additionally, it is an unintuitively named function; it doesn't actually "quote" anything -- it \e\s\c\a\p\e\s characters. This makes life unnecessarily harder for devs who are new to PHP who need to find the regex escaping function.

Would it be reasonable to create `preg_escape()` which also (sometimes unnecessrily) includes the (de facto default delimiter) forward slash in its default list of escaped characters so that preg_quote() could eventually be deprecated? As far as I know this would do no harm, will prevent holes in code, and make PHP more intuitive.

It would possibly be reasonable, but this is a seperate discussion to this.
Arguably a lot of functions/methods named "quote" do escaping, so this feels like a more general problem than just ext/pcre.

Moreover, I really don't think people use a forward slash as a defacto default delimiter, I have always use # as this is what the first tutorial about regexes that I read used.

Best regards,
Gina P. Banyard

Hi

On 6/29/24 23:23, mickmackusa wrote:

If one can easily use a function incorrectly in a way that is not
*immediately* apparent, then I consider the function to be badly
designed.

Does that philosophy also cover preg_quote()? I've lost count of the

Yes, it does.

Would it be reasonable to create `preg_escape()` which also (sometimes
unnecessrily) includes the (de facto default delimiter) forward slash in
its default list of escaped characters so that preg_quote() could
eventually be deprecated? As far as I know this would do no harm, will

I'd rather see the delimiter being a required parameter or a well-designed (object-oriented) API, such as the one provided by T-Regx: GitHub - t-regx/T-Regx: Simple library for regular expressions in PHP.

But as Gina said, this is something for another discussion.

Best regards
Tim Düsterhus

Hi Gina,

I’ve read through the complete set of proposals and have the following observations: * While a number of proposals include an impact analysis (thank you!), a significant number of the proposals don’t. It would be appreciated if for those proposals which aren’t removing unused/unusable functionality, some sort of impact analysis was added. * DomDocument and DomEntity properties section: the text seems to contradict itself - the proposal seems to suggest to soft-deprecate something which is already soft deprecated. Some clarification of what the actual proposal is, would be helpful. * xml_set_object() section: the mitigation path for this deprecation is unclear and more so, it is unclear as of which PHP version the mitigation path is available (if there are restrictions). It would be helpful if some example code was added to show the mitigation path more clearly. * CSV escaping section: please make it explicit which functions will be affected by this proposal. * file_put_contents() section: please make the mitigation path explicit (which I presume would be something along the lines of file_put_contents( $filename, implode('', $data) ) ?) Other than that, I join the previously voiced objections to the deprecation of uniqid(), md5(), sha1(), md5_file(), sha1_file(). While I acknowledge that these functions can be used inappropriately for security-sensitive code, which should use alternative methods, these functions have perfectly valid use-cases for non-security-sensitive code and the impact of the BC-break of deprecating and eventually removing these methods can, IMO, not be justified. Keep in mind that while “we” know and understand that deprecations are not errors, end-users often don’t and particularly for open source projects, this means that in practice these deprecations will need to be addressed anyway to reduce the noise of users opening issues about them, which without a clear path to removal of the functions, will, in a lot of cases, mean adding the @ operator to all uses. Regarding the deprecation of using E_USER_ERROR in trigger_error(): there are errors which should never be caught and using trigger_error() with E_USER_ERROR is appropriate for those. The fact that execution can be returned to the code via set_error_handler() returning true sounds to me like a bug which should be fixed, rather than disabling the functionality for userland code to hard exit with an error when deemed appropriate. As for deprecating the E_USER_ERROR constant, this will lead to a lot of guard code needing to be added for calls to error_reporting() as well as in custom error handler functions, when the (open source) code needs to be PHP cross version compatible. In my opinion, this deprecation proposal should be moved to a later major than a deprecation of using E_USER_ERROR in trigger_error(). Either way, these are two pennies. Smile, Juliette

On 2024-07-02 21:52, Juliette Reinders Folmer wrote:

Other than that, I join the previously voiced objections to the deprecation of `uniqid()`, `md5()`, `sha1()`, `md5_file()`, `sha1_file()`.
While I acknowledge that these functions _can_ be used inappropriately for security-sensitive code, which should use alternative methods, these functions have perfectly valid use-cases for non-security-sensitive code and the impact of the BC-break of deprecating and eventually removing these methods can, IMO, not be justified.

`md5()`, `sha1_file()` et al. are duplicated by `hash('md5')`, `hash_file('sha1')`, etc. These work in exactly the same way and produce exactly the same output as the dedicated functions and can be used just as appropriately or inappropriately.

Why, except in deference to their age, continue calling out MD5 and SHA1 in particular for special consideration?

`uniqid()` doesn't have such an obvious translation (of the half-dozen alternatives in the RFC, the closest one is the first), but that's because its output isn't very good anyway: it doesn't even guarantee uniqueness.

The biggest effort in replacing it would come if you were relying on the main part[1] of its output being strictly increasing (which would be a mistake because it might not be).

[1] The main part is just a timestamp, extra entropy is provided by a call to random_bytes(4).

> Keep in mind that while "we" know and understand that deprecations are
> not errors, end-users often don't and particularly for open source
> projects, this means that in practice these deprecations will need to be
> addressed anyway to reduce the noise of users opening issues about them,
> which without a clear path to removal of the functions, will, in a lot
> of cases, mean adding the `@` operator to all uses.

Well, that's true of _any_ deprecation. Fortunately for these functions at least, clear paths for their removal are just that - clear.

On Tuesday, 2 July 2024 at 07:49, Marc Bennewitz <marc@mabe.berlin> wrote:

Hi Gina,

On 25.06.24 16:36, Gina P. Banyard wrote:

Hello internals,

It is this time of year again where we proposed a list of deprecations to add in PHP 8.4:
PHP: rfc:deprecations_php_8_4
As a reminder, this list has been compiled over the course of the past year by various different people.

And as usual, each deprecation will be voted in isolation.

We still have a bit of time buffer, so if anyone else has any suggestions, they are free to add them to the RFC.

Some should be non-controversial, others a bit more.
If such, they might warrant their own dedicated RFC, or be dropped from the proposal altogether.

I would like to propose a deprecation of implicit cast to int of numeric strings using bit shift operators.

For the following reasons:
1. In PHP strings are byte arrays and without context it's not possible to know if "123" is actually a number or just three bytes of 0x313234
2. The other bitwise operators `|`, `&`, `~`, `^` already take it as byte array, only the bit shift operators try to be smart here
3. Non numeric strings already fail with "Unsupported operand types: string >> int"
4. This makes working with byte arrays unnecessary hard and forces you to use limited and system depending int's.

Online PHP editor | output for IBUDD

While processing strings as byte arrays using bit shift operators needs a separate RFC, I think, if there is an agreement on deprecating this implicit cast it would already be beneficial to have this sooner than later.

What do you think?

I personally think the scope of this is too large as you have not accounted of all the details.

If you try to do a bitwise operator between a numeric string and an integer the numeric string will be implicitly converted to an int.
However, if you try to use a bitwise operator between an integer and a non-numeric string you also get a TypeError about unsupported operand types: Online PHP editor | output for W582TN

Thus the current bit shift operators follow from the existing semantics, and curtailling them without doing it for the other bitwise operators doesn't make a lot of sense to me.

Moreover, I feel it makes more sense creating dedicated functions for byte array/string bitwise operators and deprecate using the native operators for this and relegate them just for integers.

Best regards,
Gina P. Banyard

On Tuesday, 2 July 2024 at 10:52, Juliette Reinders Folmer <php-internals_nospam@adviesenzo.nl> wrote:

On 25-6-2024 16:36, Gina P. Banyard wrote:

Hello internals,

It is this time of year again where we proposed a list of deprecations to add in PHP 8.4:
PHP: rfc:deprecations_php_8_4
As a reminder, this list has been compiled over the course of the past year by various different people.

And as usual, each deprecation will be voted in isolation.

We still have a bit of time buffer, so if anyone else has any suggestions, they are free to add them to the RFC.

Some should be non-controversial, others a bit more.
If such, they might warrant their own dedicated RFC, or be dropped from the proposal altogether.

Best regards,

Gina P. Banyard

I've read through the complete set of proposals and have the following observations:

* While a number of proposals include an impact analysis (thank you!), a significant number of the proposals don't.

It would be appreciated if for those proposals which aren't removing unused/unusable functionality, some sort of impact analysis was added.

You will need to clarify which ones you are talking about.
These "bulk removal" RFCs are written by various authors over the course of a year, and might not have been looked at for 9+ months.

* DomDocument and DomEntity properties section: the text seems to contradict itself - the proposal seems to suggest to soft-deprecate something which is already soft deprecated. Some clarification of what the actual proposal is, would be helpful.

Those properties have been soft deprecated for a long time, the proposal is to formally deprecate them.
I've clarified this.

* `xml_set_object()` section: the mitigation path for this deprecation is unclear and more so, it is unclear as of which PHP version the mitigation path is available (if there are restrictions). It would be helpful if some example code was added to show the mitigation path more clearly.

The migration path is available since at least PHP 5.3, probably even longer.
Instead of calling xml_set_object() with an object $obj, and e.g. xml_set_default_handler() with a string corresponding to the name of a method of $obj,
you should set the handler with a proper callable, i.e. using [$obj, 'methodOfObj'] as the handler.

* CSV escaping section: please make it explicit which functions will be affected by this proposal.

Done.

* `file_put_contents()` section: please make the mitigation path explicit (which I presume would be something along the lines of `file_put_contents( $filename, implode('', $data) )` ?)

Done.

Other than that, I join the previously voiced objections to the deprecation of `uniqid()`, `md5()`, `sha1()`, `md5_file()`, `sha1_file()`.
While I acknowledge that these functions _can_ be used inappropriately for security-sensitive code, which should use alternative methods, these functions have perfectly valid use-cases for non-security-sensitive code and the impact of the BC-break of deprecating and eventually removing these methods can, IMO, not be justified.

Keep in mind that while "we" know and understand that deprecations are not errors, end-users often don't and particularly for open source projects, this means that in practice these deprecations will need to be addressed anyway to reduce the noise of users opening issues about them, which without a clear path to removal of the functions, will, in a lot of cases, mean adding the `@` operator to all uses.

If I may be a bit cheeky, if we consider that userland does not understand that deprecations are not errors, how can we trust them to use the 5 aforementioned functions correctly?
Especially as there are more appropriate replacements available.

Regarding the deprecation of using `E_USER_ERROR` in `trigger_error()`: there are errors which should never be caught and using `trigger_error()` with `E_USER_ERROR` is appropriate for those.

The fact that execution can be returned to the code via `set_error_handler()` returning `true` sounds to me like a bug which should be fixed, rather than disabling the functionality for userland code to hard exit with an error when deemed appropriate.

In that case, calling exit() with a string will provide you more consistent behaviour, and also run destructors and finally blocks.
The main motivation to remove it is to curtail the usage of the bailout mechanism, as it has various issues explained in the linked RFC.

I have added this to the section.

As for deprecating the `E_USER_ERROR` constant, this will lead to a lot of guard code needing to be added for calls to `error_reporting()` as well as in custom error handler functions, when the (open source) code needs to be PHP cross version compatible.

In my opinion, this deprecation proposal should be moved to a later major than a deprecation of using `E_USER_ERROR` in `trigger_error()`.

I forgot about error_reporting, I moved it out of the RFC and for something to be tackled at a later date.

Best regards,
Gina P. Banyard