On 11 February 2015 at 06:59, Paul Dragoonis <[email protected]> wrote:
> On Mon, Feb 9, 2015 at 10:29 PM, Anatol Belski <[email protected]>
> wrote:
>> ext/mssql 17:13
>
> Did you accidentally miss out mssql? it resultes in significant resistance
> to leave core, such as mcrypt and ignoring mathematical numbers, from a
> practical basis I'd like to see mssql kept in core. Who's with me ?
Since it's apparently my week for this, I'll provide the case for the
defence (or why I voted for removal, anyway):
- The API is awful in the exact same ways the ext/mysql API was awful
— it makes it far harder to write secure code than it should be.
- Actually, it's worse than that, because there's no charset-aware
escaping function at all: the only option is addslashes(), which has
interesting security implications if you're using certain charsets.
- It's buggy. Some of the bugs are due to the underlying library
(which is mostly dead); some are in our code, but there are some
fundamental issues — basic data types (nvarchar(128), for example)
aren't supported, field names are truncated, stored procedure calls
are problematic, and probably many more things that I've forgotten.
- The bugs probably aren't going to be fixed. ext/mssql averages about
one to two non-whitespace, non-copyright-year-increment commits a
year. A cursory look at the bug tracker (or my ##php logs) will tell
you that it's not because it's stable and free of bugs.
- There are multiple better options: using ODBC is almost always more
stable, and while PDO_dblib has some of the same problems due to
FreeTDS, at least you're using PDO's better (by which I mostly mean
harder to misuse) API.
In my mind, this is analogous to removing ext/mysql: it's the right
thing to do for our users because it promotes better practices and
gets rid of an extension that has even more technical issues than that
one did.
Finally, Anatol's tally was wrong for this one: it was 17:3 for
removal. That's a pretty strong indicator by itself.
Adam