Re: [PHP-DEV] [RFC] Name issue - is_literal/is_trusted

[Stephen Reay]

> On 24 Jun 2021, at 17:07, Kamil Tekiela <tekiela...@gmail.com> wrote:
> 
> Hi Stephen,
> 
> I believe the idea was for dynamically generate table names, or numbered 
> tables/columns. E.g. 
> 
> function getTable(string $table){
>     // is_literal check here
> }
> 
> $number = (int) $_GET['tableno'];
> if($number < 0 || $number > 10) {
>     throw new Exception("Invalid number");
> }
> 
> $tablename = 'table_'.$number;
> getTable($tablename);
> 
> The number is concatenated to the table name. 
> 
> —Kamil

Hi Kamil,

Thanks for at least trying to answer this question.

I’m sure someone somewhere does that and thinks its a good idea. I respectfully 
(to you; probably less respectfully to someone if they tell me they do this) 
disagree. I don’t think PHP should necessarily shy away from features because 
they’re potentially dangerous, but I also don’t think it should be adding new 
features/functions that are more dangerous, just to make some weird (IMO 
bad-practice) edge cases easier.

I’d suggest if they insist on that bizarre naming pattern, _and_ want to use a 
literal string check, they could define an array of string numbers that 
represent their table names.

$tbls = [‘0’, ‘1’, ‘2’, ‘3’, ‘4’, ‘5’, ...];

getTable(’table_’ . $tbls[$number]);


Cheers

Stephen
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php