On Wed, Feb 5, 2025, at 14:13, Christoph M. Becker wrote: > Hi all! > > There is some discussion on a recent bug report[1] about filter_input() > and related functionality. The bug report had been closed, because this > functionality has already been added to the general deprecation RFC for > PHP 8.5[2]. Then the OP raised a point regarding the usefulness of > filter_input() to get at the original input, to avoid working with > possibly modified superglobals. > > In my opinion, this topic should be discussed here, and not in a bug > report. So, has anybody thoughts about the filter_input() deprecation? > > [1] <https://github.com/php/php-src/issues/17543> > [2] > <https://wiki.php.net/rfc/deprecations_php_8_5#deprecate_filter_input_filter_input_array_and_filter_has_var> > > Christoph >
Hey Christoph, I don’t know why they are focusing on WordPress specifically, but this function is vital for any software that runs untrusted code (plugins, anything exec’d from /tmp — ie, templates, compiled containers, etc). Gina suggests using psr7 which suffers from the same problem in most frameworks, which allow setting a new request object or mutating it in some way. I’m not sure it should be deprecated and I’d even argue not closing tickets just because they are in the mass-deprecation rfc that hasn’t been voted on yet. — Rob
