On 4/9/12 3:53 PM, "Tom Boutell" <t...@punkave.com> wrote: >I see why you want to allow <?php at the top to be optional in 'code >mode,' rather than disallowed in code mode. But your purpose is to >allow legacy code to be autoloaded without knowing in advance whether >it starts with <?php or not. > >But that would probably lead in practice to the use of a single file >extension for old and new class files. > >And that, in turn, would lead to source code being spewed to the >browser for all to see if a perfectly respectable autoloader circa PHP >5.3 runs into one of these new files. > >This is a much more significant security issue than some of those >mentioned previously because perfectly well-written code would display >this behavior if someone unknowingly drops a newer library into, say, >the lib/ folder of a Symfony 1.4 project. Ouch.
So are you saying the starting "<?php" tag should be required in "code mode"? If so, I'm ok with that as long as: - "?>" is forbidden - Text before the opening <?php tag (literal text or white-spaces) is either ignored or throws an error instead of printing to the output buffer. If that's not what you mean, please clarify. Luke > >It would be much better for that autoloader to just ignore the file >because it has a new extension. This way the problem is immediately >apparent: > >"Hey, my class didn't load, something must be up. Oh my PHP is old >and/or this autoloader doesn't know about .phpc files, what are they >anyway... google google... aha, I need PHP 5.x and an updated >autoloader. Grumble. Okay." > >This is a much safer outcome. > >On Mon, Apr 9, 2012 at 6:34 PM, Luke Scott <l...@cywh.com> wrote: >> Tom, >> >> On 4/9/12 3:17 PM, "Tom Boutell" <t...@punkave.com> wrote: >> >>>My original goal was to stop typing <?php in pure code files. That >>>includes at the top. I think it's entirely reasonable to achieve it >>>with an option to the require keywords for this purpose and a naming >>>convention to be followed by autoloaders. Keep in mind how rarely you >>>have to change them. We're talking about code maintained by a >>>relatively small number of very sharp developers. They can handle a >>>few flags (: >>> >>>The prohibition of ?> still seems unnecessary and perhaps divisive, >>>but if it were preferable to the majority to prohibit ?> in a pure >>>code file, I could live with that as long as classic PHP files are >>>also 100% supported and remain the default. I'm trying to craft a >>>broadly acceptable compromise that still achieves the original goal of >>>allowing people to write "just code" in a class file. >> >> >> I think you can you achieve that by making "template mode" default and >>the >> default changeable in the php.ini file. >> >> Something like this: >> >> /* >> Code only, <?php at top optional, no ?>. >> Text before opening <?php silently dropped >> >> */ >> >> require "/path/to/somefile.php", INCLUDE_CODE; >> >> /* >> Works exactly as it is now: <?php and ?> allowed. >> Text betweeen ?>...<?php printed to output buffer. >> */ >> >> >> >> require "/path/to/anotherfile.php", INCLUDE_TEMPLATE; // As it is now >> >> /* >> By default INCLUDE_TEMPLATE >> Can change default mode in php.ini to be INCLUDE_CODE if desired. >> */ >> >> require "/path/to/anotherfile.php"; // As it is now >> >> >> Personally I would like to be able to do something like this in my auto >> loader: >> >> include $file, INCLUDE_CODE & INCLUDE_SILENT; >> >> >> >> That way I can ensure pure code is being inserted and no warnings are >> thrown if the file doesn't exist (class undefined will be thrown >>anyway). >> >> I think it's important to make <?php optional at the top if you're using >> existing or third party libraries that you can't modify. At least then >> you'll be able to maintain backwards compatibility with most code >>written >> since PHP 5. >> >> (We don't need PHP_*. See the output of get_defined_constants() ). >> >> I like where this is going! Hopefully after the RFC has been finalized >> everyone else will agree. >> >> >>> >>>On Mon, Apr 9, 2012 at 6:06 PM, Kris Craig <kris.cr...@gmail.com> wrote: >> >> >> Kris, >> >> >> >>>> >>>> >>>> Bah, right! That damned <?xml tag.... >>>> >>>> I already know what everyone's reaction will be, and it is probably a >>>>REALLY >>>> bad idea, but I feel obligated to at least mention it: Should we >>>>consider >>>> replacing "<?..." with something that doesn't conflict with anything, >>>> perhaps starting in PHP 6? No need to get out the torches and >>>>pitchforks, >>>> everyone! As insane and problematic as that would be (i.e. BC break >>>>with >>>> roughly 1/3 of the internet lol), I felt as though the subject should >>>>at >>>> least be broached. ;P >> >> >> No need. Just keep it as <?php. It's already been well established. We >> should ovoid overcomplicating it. >> >> Luke >> >> > > > >-- >Tom Boutell >P'unk Avenue >215 755 1330 >punkave.com >window.punkave.com > >-- >PHP Internals - PHP Runtime Development Mailing List >To unsubscribe, visit: http://www.php.net/unsub.php > -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
