On Sat, 21 Mar 2020 at 22:53, Mike Schinkel <m...@newclarity.net> wrote:

> A large number of PHP users have no control over the platform they run on,
> so the option to use PECL modules is a non-starter for them.

Thanks Mike,

Personally I agree, I would say PECL modules are not preferable for "useful
features"; simply because I try to keep my systems only using core PHP
features where possible (makes server admin easier).

---

As you mention working with WordPress, I've seen a couple of developers who
have taken examples like:

    $posts = $wpdb->get_results("SELECT ... WHERE post_type='post'");

Then edited it to something dangerous like:

    $posts = $wpdb->get_results("SELECT ... WHERE post_type='" . $_GET['type'] . "'");

To guard against this, do you think that WordPress could update their
get_results() function to do something like:

    public function get_results( $query = null, $output = OBJECT ) {
      // Warn when $query was assembled at runtime rather than written as a literal
      if (!is_literal($query)) {
        trigger_error('This is an unsafe $query, please use $wpdb->prepare()', E_USER_NOTICE);
      }
      // ... rest of the existing get_results() body ...
    }

Perhaps with a better message; then, over the years, increase the warning
level?

I think that would be a very useful way of getting developers aware of
these dangers.

Craig

On Sat, 21 Mar 2020 at 22:53, Mike Schinkel <m...@newclarity.net> wrote:

> > On Mar 21, 2020, at 5:59 PM, tyson andre <tysonandre...@hotmail.com>
> wrote:
> > FROM: Re: [PHP-DEV] [RFC] is_literal()
> >
> > And if it can be implemented as a PECL module, that would be more
> preferable to me than a core module of php.
> >  If it was in core, having to support that feature may limit
> optimizations or implementation changes that could be done in the future.
>
> Just wanted to address this comment which was made on another thread (I
> did not want to hijack that thread.)
>
> A large number of PHP users have no control over the platform they run on,
> so the option to use PECL modules is a non-starter for them.
>
> Here are several of those managed hosting platforms I speak of.
> Collectively they host a large number of WordPress sites, and Pantheon also
> hosts Drupal sites:
>
> https://pagely.com/
> https://wpvip.com/
> https://wpengine.com/
> https://kinsta.com/
> https://pantheon.io/
>
> Given that, if there is an option between a useful feature being added to
> core or left in PECL, I would vote 100% of the time for core, since working
> with WordPress on a corporate site I can rarely ever use PECL extensions.
>
> #fwiw
>
> -Mike
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

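The pattern Craig describes, shown end to end as an added example (this is not code from the thread, from WordPress or from the is_literal() RFC). The `MiniWpdb` class is a hypothetical stand-in for `$wpdb` so the script runs by itself on PHP 8 with pdo_sqlite; its `prepare()` returns a bound `PDOStatement` rather than the escaped SQL string the real `$wpdb->prepare()` returns. `is_literal()` exists only as the RFC's proposal, so the guard is wrapped in `function_exists()` and is a no-op on released PHP. The table rows and the request parameter are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from WordPress. MiniWpdb is a
// hypothetical stand-in for $wpdb; is_literal() is only the RFC's proposed
// function, so the guard below does nothing on current PHP.

final class MiniWpdb
{
    public function __construct(private PDO $pdo) {}

    // Stand-in for $wpdb->prepare(): each %s becomes a bound parameter.
    // Unlike the real prepare(), which returns an escaped SQL string, this
    // one returns the PDOStatement so the values never enter the SQL text.
    public function prepare(string $format, string ...$args): PDOStatement
    {
        $stmt = $this->pdo->prepare(str_replace('%s', '?', $format));
        $stmt->execute($args);
        return $stmt;
    }

    // Craig's proposed check: warn when a plain string query was built at
    // runtime rather than written as a literal in the source.
    public function get_results(string|PDOStatement $query): array
    {
        if ($query instanceof PDOStatement) {
            return $query->fetchAll(PDO::FETCH_OBJ);
        }
        if (function_exists('is_literal') && !is_literal($query)) {
            trigger_error(
                'This $query was built at runtime; use $wpdb->prepare()',
                E_USER_NOTICE
            );
        }
        return $this->pdo->query($query)->fetchAll(PDO::FETCH_OBJ);
    }
}

// Constructed sample data: two public posts and one draft.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, post_type TEXT, post_title TEXT)');
$pdo->exec("INSERT INTO posts (post_type, post_title) VALUES
    ('post', 'Hello world'), ('post', 'Second post'), ('draft', 'Unpublished')");
$wpdb = new MiniWpdb($pdo);

// A request parameter the caller does not control (constructed; in the
// thread's example it would be $_GET['type']).
$type = "post' OR '1'='1";

// 1. The pattern from the thread: the parameter is concatenated into the SQL.
//    The quote in $type closes the string literal and the OR makes the WHERE
//    clause always true, so the draft row is returned with the public posts.
$unsafe = $wpdb->get_results(
    "SELECT post_title FROM posts WHERE post_type='" . $type . "'"
);
echo "concatenated: " . count($unsafe) . " rows\n";

// 2. The hardened form: the parameter is bound, so it is compared as the
//    literal value "post' OR '1'='1" and matches no row.
$safe = $wpdb->get_results(
    $wpdb->prepare('SELECT post_title FROM posts WHERE post_type = %s', $type)
);
echo "prepared:     " . count($safe) . " rows\n";
```

Running the script prints a higher row count for the concatenated query than for the prepared one on the same input, which is the difference the proposed `get_results()` notice is meant to surface to developers before it reaches production. The design choice worth noting is that the guard only helps for plain string arguments; a query that went through `prepare()` needs to be distinguishable from one that was concatenated, which is why this stand-in returns a statement object rather than another string.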