[PHP-INTERNALS] [RFC] Deprecate and remove /e modifier from preg_replace

Derick Rethans
Feb 5, 2012 at 4:46 pm

On Sun, 5 Feb 2012, Nikita Popov wrote:

I have written an RFC that proposes to *deprecate* and *remove* the /e modifier:

https://wiki.php.net/rfc/remove_preg_replace_eval_modifier

Comments welcome!

This RFC makes no sense. It says:

For example the above example can be used to execute arbitrary PHP code
by passing the string <h1>{${eval($_GET[php_code])}}</h1>. The evaluated
code in this case would be "<h1>" .
strtoupper("{${eval($_GET[php_code])}}") . "</h1>" and as such execute
any PHP code passed in the php_code GET variable.

If you don't sanitize your input then all sorts of interesting things
can't happen. You're going to inconvenience a lot of people by removing
it.

So, definitely against removing features from a language with no real
win.

cheers,
Derick

--
http://derickrethans.nl | http://xdebug.org
Like Xdebug? Consider a donation: http://xdebug.org/donate.php
twitter: @derickr and @xdebug
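
The heading replacement quoted from the RFC, rewritten with preg_replace_callback() so the matched text is handled as data and never evaluated. This is an added example, not code from the message or the RFC; the regex pattern, the function name uppercase_headings and the sample input are assumptions, since the message quotes only the evaluated expression.

```php
<?php
declare(strict_types=1);

// Assumed /e call behind the evaluated expression quoted above (not run here;
// the modifier no longer exists in PHP 7 and later):
//   preg_replace('~<h([1-6])>(.*?)</h\1>~e',
//                '"<h$1>" . strtoupper("$2") . "</h$1>"', $html);
// /e backslash-escapes quotes in the matched text, but the text still ends up
// inside a double-quoted PHP string, where {${...}} is interpolated.

/**
 * Uppercase the body of every <h1>..<h6> element without evaluating
 * anything: the callback receives the match as an ordinary array of strings.
 */
function uppercase_headings(string $html): string
{
    $result = preg_replace_callback(
        '~<h([1-6])>(.*?)</h\1>~s',
        static function (array $m): string {
            // $m[1] is the heading level, $m[2] the heading body.
            return '<h' . $m[1] . '>' . strtoupper($m[2]) . '</h' . $m[1] . '>';
        },
        $html
    );

    // preg_replace_callback() returns null on a PCRE error (for example a
    // backtrack limit hit); fail loudly instead of emitting an empty page.
    if ($result === null) {
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $result;
}

// Constructed input: the string quoted from the RFC plus a benign heading.
$html = '<h1>{${eval($_GET[php_code])}}</h1>' . "\n" . '<h2>release notes</h2>';

echo uppercase_headings($html), "\n";
```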