On Fri, Oct 4, 2019 at 5:45 PM Mark Randall <marand...@php.net> wrote:
> Hi Internals,
>
> I put forward the following RFC "Deprecate Backtick Operator (V2)" for
> discussion.
>
> https://wiki.php.net/rfc/deprecate-backtick-operator-v2
> <https://wiki.php.net/rfc/deprecate-backtick-operator-v2>
>
> I believe it is at least worth a discussion as to the pros and cons of
> deprecating this functionality, especially in light of the existence of
> better described and more well-known functions exhibiting identical
> behaviour.
>
> This RFC only covers the issuing of a deprecation notice, and its complete
> removal would be contained within a separate RFC.
>

My 2c on this proposal: I think the primary motivation for me here would be the security aspect...

On one hand, the existence of the backtick operator in PHP borders on criminal negligence, because it exposes the **single most dangerous** operation in the entire language in a way that looks innocuous, is easy to confuse with a string literal and that the majority of PHP programmers are not aware of. This looks like a great way to slip a nice RCE vulnerability past code review ;)

On the other hand, I have seen no evidence of backticks actually causing security issues in practice. I guess it doesn't because it's not a feature you'll end up using accidentally, and it does not seem like attempts at inserting backdoors into open-source projects by 3rd party contributors are common. Is anyone aware of specific security incidents that can be attributed to the backtick operator?

Meta: Wow, do we really need to drag every single discussion that contains the word "deprecation" up to the meta level? This is a really simple proposal, with a very limited set of arguments for and against. I hope we can consider the proposal on its merits (or non-merits) rather than turning it into some kind of proxy war. Yes, "it breaks backwards compatibility for questionable benefit" is an argument against this proposal, it is even a *very good* argument against it, but it's also no mandate to shut down the discussion entirely.

Nikita
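
A review aid for the concern raised in the message above, added here as an illustration (it is not part of the original message or of the RFC): a tokenizer-based check that reports every use of the backtick operator and whether it interpolates a variable, while ignoring backticks inside string literals and comments. The function name `find_backtick_operators` and the sample source are constructed for this example.

```php
<?php
// Added example: report backtick (shell execution) operators in PHP source.
// The tokenizer is used so that a "`" inside a string or comment is skipped.

function find_backtick_operators(string $source): array
{
    $findings = [];
    $line = 1;
    $open = null; // the backtick expression currently being read, if any

    foreach (token_get_all($source) as $token) {
        $text = is_array($token) ? $token[1] : $token;

        if ($token === '`') {
            // A bare "`" token is the operator itself: it opens or closes.
            if ($open === null) {
                $open = ['line' => $line, 'command' => '', 'interpolates' => false];
            } else {
                $findings[] = $open;
                $open = null;
            }
        } elseif ($open !== null) {
            $open['command'] .= $text;
            // $var, {$var} and ${var} all mean run-time data reaches the shell.
            if (is_array($token) && in_array($token[0], [T_VARIABLE, T_STRING_VARNAME], true)) {
                $open['interpolates'] = true;
            }
        }
        $line += substr_count($text, "\n");
    }
    return $findings;
}

// Constructed sample input: two decoys, then two real uses of the operator.
$sample = <<<'SRC'
<?php
$label = 'uptime is `not run`';
// `ls` in a comment
$host = $_GET['host'];
$out = `ping -c 1 $host`;
$fixed = `uname -a`;
SRC;

foreach (find_backtick_operators($sample) as $f) {
    $note = $f['interpolates'] ? '  <-- interpolates a variable' : '';
    printf("line %d: `%s`%s\n", $f['line'], $f['command'], $note);
}
```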