Stas,

Why would you use eval() as opposed to json_decode()?

On Tue, May 31, 2011 at 11:25 PM, Stas Malyshev <smalys...@sugarcrm.com> wrote:
> Hi!
>
>> Stas, I didn't understand your point about eval() and security. What did
>> you mean?
>
> I meant if PHP has JSON syntax as native, e.g. you can say something like:
>
> $a = {"a":"b"};
>
> Then the temptation would be to write something like:
>
> // $json_string is {"a":"b"}
> $a = eval($json_string);
>
> just as Javascript programmers sometimes do. That would have the same
> security implications as it has in Javascript - somebody could inject
> executable code there, etc. Of course, nobody forces you to do this, but the
> temptation would be there.
>
> Also, with full JSON support it is not entirely clear to me what {"a": "b"}
> would mean - is it an array or an object? In JS, it's definitely an object,
> but in PHP objects are almost never used to store pure state without
> behavior, because we have hashtable arrays, while JS only has vector arrays.
> So here we have some unclear point (which does not happen with [] syntax,
> since with [] it's obvious we're talking about arrays, just as in many other
> languages).
> --
> Stanislav Malyshev, Software Architect
> SugarCRM: http://www.sugarcrm.com/
> (408)454-6900 ext. 227
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
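An added example, not part of the original thread, of the json_decode() route the reply asks about: untrusted text is parsed strictly as data, and the array-versus-object question Stas raises becomes an explicit argument. The helper name `parse_untrusted_json`, the depth limit of 32 and both sample strings are assumptions made for illustration; `JSON_THROW_ON_ERROR` requires PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Constructed sample inputs: one valid JSON document, and one string that is
// PHP code rather than JSON (the kind of input an eval()-based parser would run).
$valid   = '{"a":"b"}';
$notJson = 'phpinfo();';

/**
 * Hypothetical helper: parse untrusted text strictly as JSON data.
 * json_decode() never executes its input; anything that is not well-formed
 * JSON raises JsonException when JSON_THROW_ON_ERROR is set.
 */
function parse_untrusted_json(string $text, bool $assoc)
{
    // A small depth limit bounds nesting in attacker-supplied documents.
    return json_decode($text, $assoc, 32, JSON_THROW_ON_ERROR);
}

// The caller decides whether a JSON object becomes a PHP array or a stdClass.
$asArray  = parse_untrusted_json($valid, true);
$asObject = parse_untrusted_json($valid, false);

var_dump(is_array($asArray), $asArray['a']);
var_dump($asObject instanceof stdClass, $asObject->a);

// Code-like input is rejected by the parser instead of being evaluated.
try {
    parse_untrusted_json($notJson, true);
    echo "unexpected: input accepted\n";
} catch (JsonException $e) {
    echo "rejected as data, not executed: ", $e->getMessage(), "\n";
}
```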
