On Sun, 5 Feb 2012, Nikita Popov wrote:

> I have written an RFC that proposes to *deprecate* and *remove* the /e
> modifier:
>
> https://wiki.php.net/rfc/remove_preg_replace_eval_modifier
>
> Comments welcome!

This RFC makes no sense. It says:

    For example the above example can be used to execute arbitrary PHP
    code by passing the string <h1>{${eval($_GET[php_code])}}</h1>. The
    evaluated code in this case would be
    "<h1>" . strtoupper("{${eval($_GET[php_code])}}") . "</h1>" and as
    such execute any PHP code passed in the php_code GET variable.

If you don't sanitize your input then all sorts of interesting things can't happen. You're going to inconvenience a lot of people by removing it.

So, definitely against removing features from a language with no real win.

cheers,
Derick

--
http://derickrethans.nl | http://xdebug.org
Like Xdebug? Consider a donation: http://xdebug.org/donate.php
twitter: @derickr and @xdebug
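
Added example, not part of the original message or the RFC: the heading transformation whose evaluated form is quoted above, written with `preg_replace_callback` so the captured text reaches `strtoupper()` as data, together with a helper that flags patterns still carrying the `e` modifier. The heading pattern, the function names and the sample inputs are assumptions constructed for illustration; the RFC's own example is not reproduced on this page.

```php
<?php
// Added illustration; pattern and function names are assumptions, not RFC code.

// True when a PCRE pattern string carries the "e" (eval) modifier.
function uses_eval_modifier(string $pattern): bool
{
    $pattern = ltrim($pattern);               // PCRE ignores leading whitespace
    if ($pattern === '') {
        return false;
    }
    // Bracket-style delimiters close with their counterpart.
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$pattern[0]] ?? $pattern[0];
    $end   = strrpos($pattern, $close);
    if ($end === false || $end === 0) {
        return false;                         // no closing delimiter found
    }
    return strpos(substr($pattern, $end + 1), 'e') !== false;
}

// Uppercase heading text without evaluating a replacement string as PHP.
function uppercase_headings(string $html): string
{
    $out = preg_replace_callback(
        '~<h([1-6])>(.*?)</h\1>~s',
        function (array $m): string {
            // $m holds plain strings; "{${...}}" in the input is never parsed as PHP.
            return "<h{$m[1]}>" . strtoupper($m[2]) . "</h{$m[1]}>";
        },
        $html
    );
    if ($out === null) {
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $out;
}

// Constructed inputs: an ordinary heading and the string quoted in the message.
$samples = [
    '<h1>hello</h1>',
    '<h1>{${eval($_GET[php_code])}}</h1>',
];
foreach ($samples as $html) {
    echo uppercase_headings($html), PHP_EOL;
}

// Assumed legacy pattern (with /e) beside its callback-era form.
var_dump(uses_eval_modifier('~<h([1-6])>(.*?)</h\1>~e'));
var_dump(uses_eval_modifier('~<h([1-6])>(.*?)</h\1>~s'));
```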