timwolla, 1 year ago

@nunomaduro This is a very odd example you've used there. It doesn't make sense to call json_validate() just to immediately call json_decode(), that's redundant work.

ramsey, 1 year ago

@timwolla @nunomaduro I was wondering the same thing. 😅.

The validate function is primarily for folks who want to validate the JSON string but don’t need to operate on it, e.g. before sending it elsewhere.

I would have done:

$myArray = json_decode($myJson, true) ?: [];

Girgias, 1 year ago

@ramsey @timwolla @nunomaduro AFAIK you may want to actually decode it straight away. But if someone sends a malicious payload the decoding might kill the process by running out of memory because it needs to keep track of everything. Whereas the validate function doesn't have this problem.

The RFC probably highlights this better than my memory.

heiglandreas, 1 year ago

@Girgias And validation and decoding might be done in 2 separate parts of the application. Then nowadays you will have to do the decode once to see whether it works and then later you are doing the decoding again to get the content...

So an example in a validation context might highlight the improvement better.

/cc @ramsey @timwolla @nunomaduro

timwolla, 1 year ago

@Girgias @ramsey @nunomaduro Nuno's pattern still doesn't protect against than, because one can send a valid JSON string that by definition passes json_validate() and that still takes up too many resources during decoding.

So, either validate or decode, but not both in the same function.

edorian, 1 year ago

@ramsey @timwolla I was struggling to find a use case as well.

Looking at the reference section of https://wiki.php.net/rfc/json_validate suggest that frameworks are not interested in the performance side of this already. So it might be a small net positive.

Think I'll build a performance advisory for validate+decode on the same payload anyways and see what real world applications do

wyri, 1 year ago

@edorian @ramsey @timwolla One of my projects receives WebHooks from BIG_CORP, it validates them and tosses them on a queue. (Which while I think about it might not be the best way. Compared to toss on queue up on receiving and dealing with it later.) So validation on getting request, and then decoding once picked up from qeueu is is the current workflow.

edorian, 1 year ago

@wyri @ramsey @timwolla Feels weird to not check schema compliance before queueing messages in.

(Or why check if it's JSON at all if you have to revalidate later)

But yeah, not saying there aren't valid use cases :)

wyri, 1 year ago

@edorian @ramsey @timwolla main reason to queue before validation could be certainty to have the message in case of mid request handling issues.

A queued message can be retried. A failed HTTP request not.

itsjoshbruce, 1 year ago

@nunomaduro @phpc: I haven’t felt this excited since str_contains, str_starts_with, and str_ends_with…so much code deleted because of those.

buercher, 1 year ago

@nunomaduro good functionality, but couldn't this be an option on json_decode
directly? It seems to me the json is processed twice.

itsjoshbruce, 1 year ago

@buercher @nunomaduro: How would you suggest? If processing JSON fails with decode, it returns false or similar.

I’m inferring the implementation is checking the string, not trying and falling to convert the string to something else - array or StdClass.

buercher, 1 year ago

@itsjoshbruce @nunomaduro function json_decode($s,$returnarray = false, $fallback = false)

json_decode($s,true,true)
returns an empty array if json is not valid.

the other case
json_decode($s,false,true)
returns false if json is not valid.

derickr, 1 year ago

@buercher @itsjoshbruce @nunomaduro a single function shouldn't have switchable-by-argument behavioural changes.

itsjoshbruce, 1 year ago (edited 1 year ago)

@derickr @buercher @nunomaduro: json_to_array (or array_from_json) and json_to_object (or object_from_json) would also be awesome.

I can see the incorporation, and agree minimizing switching function behaviors is preferable.

From a performance perspective, I am curious if validate json is trying to convert and failing or doing a regex against the string.

derickr, 1 year ago

@itsjoshbruce @buercher @nunomaduro It's more clever as it doesn't allocate memory or keep data around when no longer needed.

buercher, 1 year ago

@derickr @itsjoshbruce @nunomaduro I could agree, but this is already the case with the first switch in the current function.

shochdoerfer, 1 year ago

@nunomaduro validating JSON strings will never be the same! :)