> All the other languages I looked at have support for full expressions in
> their interpolation forms:

Thank you Rowan, I added the comparison of other languages to the RFC.

> A large part of that is because the placeholders are positional rather
> than named, so you have to keep track of which is which; but by the time
> you've got named placeholders, you might as well have variable
> interpolation.

I feel the same way. PHPStorm has a feature that highlights the given expression when your cursor is placed on a %s placeholder and vice versa. This seems to be the treatment of that symptom.

> and in each case, they added *expression* interpolation, not just the
> *variable* interpolation supported by Perl and PHP.

Also note that the goal of this RFC is not to encourage embedding increasingly complex expressions in strings, but rather to allow simple expressions like string manipulation and constants.

Could you now declare all your classes in a string? Yes. Can you create a 20'000 line PHP file? Sure. I don't think most people would support some arbitrary cutoff for LOC either. As Rowan mentioned, most languages allow expressions in strings and yet this is rarely abused in practice.

> Wouldn’t this open the door to all kinds of new attacks?

No. It's no different from `"$userControllerString"`. Make sure to sanitize user-controlled input. The expression inside the string is parsed at compile-time, something like `"{$: $userControlledString}"` where `$userControlledString = 'doSomethingBad()';` will *not* interpret that string and call that function but rather just result in `"doSomethingBad()"`.

Another thing I'd like to mention: All the heavy lifting for full blown expression string interpolation is already there. If you look at the implementation (https://github.com/php/php-src/pull/8256) very few changes are necessary to make this work.

Ilija

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
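
The compile-time parsing point in the message above can be checked with the `{$var}` interpolation PHP already has. This is an added example, not code from the message, the RFC or the linked pull request. It assumes PHP 8.0 or later; `check()`, the sample values and the body of `doSomethingBad()` are constructed for illustration, and the `eval()` case is included only as the contrast where a runtime string really is parsed as code.

```php
<?php
declare(strict_types=1);

// Hypothetical function named in the message; here it only records that it ran.
function doSomethingBad(): string
{
    $GLOBALS['called'] = true;
    return 'executed';
}

// Hypothetical helper for this example: prints one result line per check.
function check(bool $ok, string $label): void
{
    echo ($ok ? 'PASS' : 'FAIL') . ": $label\n";
}

$called = false;

// Constructed values standing in for user-controlled input.
$userControlledString = 'doSomethingBad()';
$nestedSyntax = '{$secret} ${secret}';
$markup = '<script>alert(1)</script>';
$secret = 'not-for-output';

// 1. The template is compiled once; the value is concatenated, never parsed.
$result = "{$userControlledString}";
check($result === 'doSomethingBad()' && $called === false,
    'interpolated value is not executed');

// 2. Interpolation syntax inside the value is not expanded a second time.
$result = "echo: {$nestedSyntax}";
check($result === 'echo: {$secret} ${secret}',
    'placeholders inside data stay literal');

// 3. Inert as code does not mean safe for the output context.
$unsafeHtml = "<p>{$markup}</p>";
$safeHtml = '<p>' . htmlspecialchars($markup, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
check(str_contains($unsafeHtml, '<script>'), 'raw value reaches HTML unescaped');
check(!str_contains($safeHtml, '<script>'), 'escaped value is neutralised');

// 4. Contrast: eval() re-parses a runtime string as PHP source.
eval('$r = ' . $userControlledString . ';');
check($called === true, 'eval() runs the string; interpolation never does');
```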