Re: [PHP-DEV] [RFC][Under discussion] Arbitrary string interpolation

2022-03-27 Thread Ilija Tovilo
> All the other languages I looked at have support for full expressions in
> their interpolation forms:

Thank you Rowan, I added the comparison of other languages to the RFC.

> A large part of that is because the placeholders are positional rather
> than named, so you have to keep track of which is which; but by the time
> you've got named placeholders, you might as well have variable
> interpolation.

I feel the same way. PHPStorm has a feature that highlights the given
expression when your cursor is placed on a %s placeholder and vice
versa. This seems to be the treatment of that symptom.

> and in each case, they added *expression* interpolation, not just the
> *variable* interpolation supported by Perl and PHP.

Also note that the goal of this RFC is not to encourage embedding
increasingly complex expressions in strings, but rather to allow
simple expressions like string manipulation and constants. Could you
now declare all your classes in a string? Yes. Can you create a 20'000
line PHP file? Sure. I don't think most people would support some
arbitrary cutoff for LOC either. As Rowan mentioned, most languages
allow expressions in strings and yet this is rarely abused in
practice.

> Wouldn’t this open the door to all kinds of new attacks?

No. It's no different from `"$userControlledString"`. Make sure to
sanitize user-controlled input. The expression inside the string is
parsed at compile-time, something like `"{$: $userControlledString}"`
where `$userControlledString = 'doSomethingBad()';` will *not*
interpret that string and call that function but rather just result in
`"doSomethingBad()"`.

Another thing I'd like to mention: All the heavy lifting for
full-blown expression string interpolation is already there. If you look at
the implementation (https://github.com/php/php-src/pull/8256) very few
changes are necessary to make this work.

Ilija

--
PHP Internals - PHP Runtime Development Mailing List

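The compile-time point made in the message above, as an added example that is not part of the original post or of the linked implementation. It uses the `{$var}` interpolation PHP already has, since the `{$: ...}` form is only proposed in the RFC; the `check()` helper, the `$nested` and `$secret` variables and all sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: fail loudly if an expectation does not hold.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("expectation failed: $what");
    }
    echo "ok: $what\n";
}

// Constructed marker function: records whether it was ever invoked.
$called = false;
function doSomethingBad(): string
{
    global $called;
    $called = true;
    return 'side effect ran';
}

// Constructed sample input standing in for request data.
$userControlledString = 'doSomethingBad()';

// 1. Interpolation: the expression inside the braces is fixed when the
//    file is compiled. The variable's contents are inserted as plain data.
$interpolated = "Result: {$userControlledString}";
check($interpolated === 'Result: doSomethingBad()', 'value inserted verbatim');
check($called === false, 'function named in the value was not called');

// 2. Interpolation syntax inside the value is not scanned a second time.
$secret = 'constructed-secret';
$nested = '{$secret} ${secret}';          // single quotes: literal text
$echoed = "Echo: {$nested}";
check($echoed === 'Echo: {$secret} ${secret}', 'no second interpolation pass');

// 3. Contrast: eval() parses its argument at run time, so the same
//    string becomes code. This is the pattern interpolation is NOT.
eval('$r = ' . $userControlledString . ';');
check($called === true, 'eval() did call the function');

// 4. "Sanitize user-controlled input" still applies to the output context:
//    interpolation never executes the value, but it never escapes it either.
$comment = '<b>hi</b>';                   // constructed sample input
$html = '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
check($html === '<p>&lt;b&gt;hi&lt;/b&gt;</p>', 'escaped for the HTML context');
```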


Re: [PHP-DEV] [RFC] [VOTE] Allow null and false as stand-alone types

2022-03-27 Thread G. P. B.
Hello internals,

The RFC has been accepted unanimously in favour with 38 votes.

Best regards,

George P. Banyard