On 2021-06-12 22:21, Craig Francis wrote:
> On Sat, 12 Jun 2021 at 19:59, Lauri Kenttä <lauri.ken...@gmail.com>
> wrote:
>> Hi,
>> I wrote the untaint() / make_literal() function, just in case.
>> implode("", array_map(fn($c) => $chars[ord($c)], str_split($s, 1)))
>> https://3v4l.org/EaN9Z#focus=rfc.literals
>> Sorry and bye.
> Yes, I have a similar example in the RFC (eval).
Oh, the irresponsible use of eval was so overwhelming that I missed the
new string literal there. You could add var_export to make it more
realistic.
Anyway, the RFC is well motivated and thoroughly thought out. The
approach is very simple but fits many use cases, compared to previous
alternatives which were complex but more limited in the end. When
libraries and PDO start to use this, we can finally get rid of SQL
injections and a number of self-made input handling tricks, if only
people have learned to read warnings...
So thanks for writing this RFC. I hope it passes.
--
Lauri Kenttä
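As an added illustration of the "libraries and PDO start to use this" point above (example code, not from the thread, the RFC or any library): a thin PDO wrapper that accepts only query strings the engine saw written as literals, so values must travel through bound parameters. It assumes the RFC's proposed is_literal(string): bool; the polyfill exists only so the file parses on builds without it and deliberately fails closed.

```php
<?php
// Added example, not part of the original thread or the RFC.
// Assumes the RFC's is_literal(string): bool. The polyfill below cannot
// track literal-ness; it only lets the file run (fail-closed) without the RFC.
declare(strict_types=1);

if (!function_exists('is_literal')) {
    function is_literal(string $s): bool
    {
        // Without the engine flag we cannot tell, so treat nothing as literal
        // rather than silently accepting every string.
        return false;
    }
}

final class LiteralPdo
{
    public function __construct(private PDO $pdo) {}

    /** Run $sql only if it was written as a literal; values go in $params. */
    public function query(string $sql, array $params = []): PDOStatement
    {
        if (!is_literal($sql)) {
            // Concatenating request data into the query clears the literal
            // flag under the RFC, so such strings are refused here, not warned about.
            throw new InvalidArgumentException(
                'SQL must be a literal string; pass values as bound parameters'
            );
        }
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }
}

// Usage (sample values constructed for this example):
// $db = new LiteralPdo(new PDO('sqlite::memory:'));
// $id = $_GET['id'] ?? '1';
// $db->query('SELECT * FROM users WHERE id = ?', [$id]);  // literal SQL + bound value: accepted
// $db->query('SELECT * FROM users WHERE id = ' . $id);     // concatenated: is_literal() is false, rejected
```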