ID: 3284
Updated by: jimw
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Feature/Change Request
Assigned To:
Comments:

refiling against 4.0.

Previous Comments:
---------------------------------------------------------------------------

[2000-01-22 16:00:05] [EMAIL PROTECTED]

This would be super, SUPER useful for everyone: a way to automatically
expand (both in regular code AND in quoted strings):

    $|foo

[where "|" might be some other special punctuation character; you decide
what character would work best] to:

    htmlspecialchars($foo)

Here's why. One of the most common bugs in CGI programming -- in PHP or any
other language -- is constructs such as this:

    echo "<input type=text name=foo value='$foo'>
          <input type=text name=bar value='$bar'>";

In this case, "$foo" will be expanded. However, there's a serious problem
here: if $foo contains any of the special characters (< > & "), those
characters will NOT be escaped, and thus the resulting HTML is broken!

The correct way to do this is the following mess:

    echo "<input type=text name=foo value='" . htmlspecialchars($foo) .
         "'><input type=text name=bar value='" . htmlspecialchars($bar) . "'>";

This is a big pain in the neck. Basically, it means that the automatic
expansion of variables inside quoted strings is WAY less useful than it
would be otherwise.

My proposed syntax extension would make this way, way easier. Here's how
you would be able to write the above example:

    echo "<input type=text name=foo value='$|foo'>
          <input type=text name=bar value='$|bar'>";

This is MUCH cleaner. Also, this feature would encourage correct code,
because without this feature, many programmers frequently forget to call
htmlspecialchars() because of the convenience of relying on
string-expansion.

This extension would also help in other situations, such as these:

    // if $name == "A&J Market", some browsers
    // will not display what you want:
    echo "<p>Company name: $name</p>";   // This is WRONG!
    echo "<p>Company name: $|name</p>";  // This would be okay

    // if $email == "Joe Smith <[EMAIL PROTECTED]>",
    // most browsers will not display what you want:
    echo "Reply to $email";   // This is WRONG!
    echo "Reply to $|email";  // This would be okay

Also, an example when escaping from HTML mode:

    <form>
    <!-- this is WRONG: -->
    <input type=text name=foo value="<? echo $foo ?>">
    <!-- this would be okay: -->
    <input type=text name=foo value="<? echo $|foo ?>">

Note that in any context, $|foo would be an r-value, NOT an l-value (that
is, you can't assign to it or pass it by reference). For example, this is
illegal:

    $|foo = "hi";  // illegal

---------------------------------------------------------------------------

ATTENTION! Do NOT reply to this email!
To reply, use the web interface found at
http://bugs.php.net/?id=3284&edit=2

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
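The escape-on-interpolation behaviour proposed in the report, as an added example that is not part of the bug report or of PHP itself: a userland function (hypothetical name `expand()`) that treats `$|name` in a template as `htmlspecialchars($vars['name'])` and a plain `$name` as raw substitution, run over constructed values modelled on the report's "A&J Market" and "Reply to $email" cases (the e-mail address is a placeholder).

```php
<?php
// Added example, not from the bug report: a userland approximation of the
// proposed "$|foo" syntax. Templates are passed as single-quoted strings so
// PHP itself does no interpolation; expand() does it instead, escaping
// "$|name" with htmlspecialchars() and leaving a plain "$name" raw, which
// reproduces the bug the report describes side by side with the fix.
function expand(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\$(\|?)([A-Za-z_][A-Za-z0-9_]*)/',
        function (array $m) use ($vars): string {
            [$whole, $escape, $name] = $m;
            if (!array_key_exists($name, $vars)) {
                return $whole;              // unknown variable: leave untouched
            }
            $value = (string) $vars[$name];
            // ENT_QUOTES also escapes the single quote, which matters inside
            // the value='...' attributes used in the report's examples.
            return $escape === '|'
                ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
                : $value;
        },
        $template
    );
}

// Constructed sample values modelled on the report (placeholder address).
$vars = [
    'name'  => "A&J Market",
    'email' => "Joe Smith <joe@example.com>",
    'foo'   => "O'Brien",
];

// Plain "$name": the ampersand reaches the browser unescaped (the bug).
echo expand('<p>Company name: $name</p>', $vars), "\n";
// "$|name": the value is escaped at the point of interpolation.
echo expand('<p>Company name: $|name</p>', $vars), "\n";
// Inside a single-quoted attribute, the quote in $foo would otherwise
// terminate the attribute value; "$|foo" keeps it inside the value.
echo expand('<input type=text name=foo value=\'$|foo\'>', $vars), "\n";
// The angle brackets in the address no longer look like a tag.
echo expand('Reply to $|email', $vars), "\n";
```

Run it with `php` on the command line and compare the two "Company name" lines: only the `$|name` form yields HTML that a browser renders as the literal company name.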