On Sat, 21 Mar 2020 at 22:53, Mike Schinkel <m...@newclarity.net> wrote:
> A large number of PHP users have no control over the platform they run on,
> so the option to use PECL modules is a non-starter for them.

Thanks Mike,

Personally I agree, I would say PECL modules are not preferable for "useful features"; simply because I try to keep my systems only using core PHP features where possible (makes server admin easier).

---

As you mention working with WordPress, I've seen a couple of developers who have taken examples like:

    $posts = $wpdb->get_results("SELECT ... WHERE post_type='post'");

Then edited it to something dangerous like:

    $posts = $wpdb->get_results("SELECT ... WHERE post_type='" . $_GET['type'] . "'");

To guard against this, do you think that WordPress could update their get_results() function to do something like:

    public function get_results( $query = null, $output = OBJECT ) {
        // Flag any query string that is not a literal written in the source code.
        if (!is_literal($query)) {
            trigger_error('This is an unsafe $query, please use $wpdb->prepare()', E_USER_NOTICE);
        }
        // ... rest of get_results() unchanged
    }

Perhaps with a better message; then, over the years, increase the warning level?

I think that would be a very useful way of getting developers aware of these dangers.

Craig

On Sat, 21 Mar 2020 at 22:53, Mike Schinkel <m...@newclarity.net> wrote:

> > On Mar 21, 2020, at 5:59 PM, tyson andre <tysonandre...@hotmail.com> wrote:
> > FROM: Re: [PHP-DEV] [RFC] is_literal()
> >
> > And if it can be implemented as a PECL module, that would be more
> > preferable to me than a core module of php.
> > If it was in core, having to support that feature may limit
> > optimizations or implementation changes that could be done in the future.
>
> Just wanted to address this comment which was made on another thread (I
> did not want to hijack that thread.)
>
> A large number of PHP users have no control over the platform they run on,
> so the option to use PECL modules is a non-starter for them.
>
> Here are several of those managed hosting platforms I speak of.
> Collectively they host a large number of WordPress sites, and Pantheon also
> hosts Drupal sites:
>
> https://pagely.com/
> https://wpvip.com/
> https://wpengine.com/
> https://kinsta.com/
> https://pantheon.io/
>
> Given that, if there is an option between a useful feature being added to
> core or left in PECL, I would vote 100% of the time for core, since working
> with WordPress on a corporate site I can rarely ever use PECL extensions.
>
> #fwiw
>
> -Mike
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
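
The following sketch is an added example, not code from this thread or from WordPress. It puts the concatenated query and a bound-parameter query side by side behind a wrapper that carries the proposed check with a configurable warning level. Assumptions: `SketchDb` is a hypothetical stand-in for `$wpdb`, the table and input are constructed, the pdo_sqlite extension is available, and `is_literal()` is the function proposed in the RFC (not in released PHP), so the check is skipped when it does not exist.

```php
<?php
// Added illustration: SketchDb is a hypothetical stand-in for $wpdb.
// is_literal() is the RFC's proposed function; it is not in released PHP,
// so the check below only runs on a build that provides it.

final class SketchDb
{
    public function __construct(
        private PDO $pdo,
        // Start as a notice; raise to E_USER_WARNING, then E_USER_ERROR, over time.
        private int $level = E_USER_NOTICE
    ) {}

    /** Run $query with $args bound as parameters; $query should be a literal. */
    public function get_results(string $query, array $args = []): array
    {
        if (function_exists('is_literal') && !is_literal($query)) {
            trigger_error('Unsafe $query: pass values as bound parameters', $this->level);
        }
        $stmt = $this->pdo->prepare($query);
        $stmt->execute($args);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, post_type TEXT, title TEXT)");
$pdo->exec("INSERT INTO posts (post_type, title) VALUES
            ('post', 'Hello'), ('page', 'About'), ('private_note', 'Internal')");

$db   = new SketchDb($pdo);
$type = "post' OR '1'='1"; // constructed stand-in for $_GET['type']

// The edit described in the message: the value becomes part of the SQL text,
// so the quote in $type changes the WHERE clause and every row matches.
$concatenated = $db->get_results(
    "SELECT title FROM posts WHERE post_type='" . $type . "'"
);

// Literal query with the value bound: $type is compared as data only,
// and no post_type equals that string.
$bound = $db->get_results("SELECT title FROM posts WHERE post_type = ?", [$type]);

printf("concatenated: %d rows, bound: %d rows\n", count($concatenated), count($bound));
```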