Heya,
I was discussing this RFC with Joe in Room 11 (where we keep him away
from society, for the greater good).
I was wondering why such an API must be implemented in PHP core (which
means C, which means that the usual 15~20 people can fix it if borked,
which is bad) and cannot be just left in userland as it already happens,
for example, with
https://github.com/zendframework/zf2/blob/master/library/Zend/Crypt/Utils.php#L17-L44 and
similar libraries that have some decent security policies themselves
(nothing to say about PHP - you guys are doing great!).
Why do we need this in core?
Why can't a user copy-paste those rows (if it's a monkey-patcher) or just
use a library?
I don't trust PHP coders in general, so I'm pretty sure that the example
I've posted before @ https://gist.github.com/Ocramius/8094168 is quite
obscure to 99.9% of PHP developers.
Those who have been doing it wrong will continue doing so and not caring.
Those who are aware of the dangers and do care are most probably already
using these kinds of checks via an imported library.
So what is pushing towards yet another function in here?
Don't get me wrong: I am all for security, but I don't see a difference
between a php-core implementation and a userland implementation.
Cheers,
Marco Pivetta
http://twitter.com/Ocramius
http://ocramius.github.com/