From: t03 at springtimesoftware dot com
Operating system: Irrelevant
PHP version: 5.2.5
PHP Bug Type: Feature/Change Request
Bug description: PHP needs new function to expand strings
Description:
------------
(Note: This feature request is similar to some existing ones, but provides
much clearer explanation, motivation, and details. I hope it will be
considered on its own and that this proposal gets elevated to the PHP
design team for serious consideration.)

In PHP, string literals that are specified using quotation marks (") or
HEREDOC syntax are implicitly expanded in several ways, including
translation of backslash-escaped characters and substitution of the actual
values of variables, as indicated by leading left brace or dollar signs.

There are many common programming situations where a string contains
backslash sequences or variables that need to be expanded in this way, such
as when the string is read in from a text file.

The most frequent solution adopted by PHP programmers is a simple use of
the eval function. However, this solution represents a large security risk
if the string to be expanded comes from an external and possibly malicious
user, since such a string can contain arbitrary code that will be executed
by the eval function.

There are many safe solutions, including the use of the str_replace
function in a loop to expand each possible variable.

However, all these solutions involve inefficient and error-prone coding
that could be avoided simply by exposing the Zend mechanism used in the
implicit expansion of string literals. The mechanism is already there; it
merely needs to be exposed to the programmer.

Therefore, I hereby request that the PHP team consider adding a new
function to PHP that would expand a given string as is done in the implicit
expansion of string literals, returning the expanded string. I leave it up
to the team to determine the specifics (the name of the function and
possible flags to limit the expansion to certain kinds, such as
backslash-escaped characters and variables).

The PHP team has made many intelligent decisions throughout the history of
the development of PHP, including adding new and useful functions. I hope
they will consider my proposal seriously, forgiving me if I have made
mistakes or overlooked something that I should have considered.

David Spector
Springtime Software
Reproduce code:
---------------
(Note: this is not a bug report, but a new feature request.)
--
Edit bug report at http://bugs.php.net/?id=43901&edit=1
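
Added example, not part of the original report and not a PHP built-in: one way to get the expansion described above without eval, using a single pass that handles a fixed set of backslash escapes and substitutes only variables from an explicit allowlist. The name expand_string, the escape set and the sample template are assumptions, and the code needs PHP 7 or later.

```php
<?php
// expand_string() is a hypothetical helper name, not a function PHP provides.

/**
 * Expand backslash escapes and $name / {$name} placeholders in $template,
 * taking values only from $vars. Nothing is ever handed to eval().
 */
function expand_string(string $template, array $vars): string
{
    static $escapes = [
        'n' => "\n", 't' => "\t", 'r' => "\r",
        '\\' => '\\', '$' => '$', '"' => '"',
    ];
    $id = '[A-Za-z_][A-Za-z0-9_]*';
    // Alternatives: backslash + one char | {$name} | $name
    $pattern = '/\\\\(.)|\{\$(' . $id . ')\}|\$(' . $id . ')/s';

    // One left-to-right pass: text produced by a substitution is never
    // rescanned, so a value that itself contains "$other" stays literal.
    // (Repeated str_replace() calls in a loop do not have this property.)
    return preg_replace_callback(
        $pattern,
        function (array $m) use ($escapes, $vars) {
            if ($m[1] !== '') {
                // Backslash sequence; an unknown one is kept as written.
                return $escapes[$m[1]] ?? $m[0];
            }
            $name = ($m[2] ?? '') !== '' ? $m[2] : $m[3];
            // A variable outside the allowlist is kept as written.
            return array_key_exists($name, $vars) ? (string) $vars[$name] : $m[0];
        },
        $template
    );
}

// Constructed sample input, standing in for a template read from a file
// or supplied by a user. Single quotes keep PHP from expanding it here.
$template = 'Hello {$user},\nquota: $quota MB {${strtoupper("x")}} $db_password';

// Only these names may be substituted. The first value deliberately
// contains something that looks like a variable reference.
$vars = ['user' => 'alice $db_password', 'quota' => 50];

// The {${...}} expression and $db_password come through as inert text,
// where an eval()-based expansion would have evaluated them.
echo expand_string($template, $vars), "\n";
```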