FAQ

[PHP-INTERNALS] [RFC] Deprecate and remove /e modifier from preg_replace

Derick Rethans
Feb 5, 2012 at 4:46 pm

On Sun, 5 Feb 2012, Nikita Popov wrote:

I have written an RFC that proposes to *deprecate* and *remove* the /e modifier:

https://wiki.php.net/rfc/remove_preg_replace_eval_modifier

Comments welcome!
This RFC makes no sense. It says:

For example the above example can be used to execute arbitrary PHP code
by passing the string <h1>{${eval($_GET[php_code])}}</h1>. The evaluted
code in this case would be "<h1>" .
strtoupper("{${eval($_GET[php_code])}}") . "</h1>" and as such execute
any PHP code passed in the php_code GET variable.

If you don't sanitize your imput than all sorts of intesting things
can't happen. You're going to inconvenience a lot of people by removing
it.

So, definitely against removing features from a language with no real
win.

cheers,
Derick

--
http://derickrethans.nl | http://xdebug.org
Like Xdebug? Consider a donation: http://xdebug.org/donate.php
twitter: @derickr and @xdebug
reply

Search Discussions

Discussion Posts

Previous

Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 9 of 25 | next ›
Discussion Overview
groupphp-internals @
Notice: Undefined variable: pl_domain_short in /home/whirl/sites/grokbase/root/www/public_html__www/cc/flow/tpc.php on line 1543
categoriesphp
postedFeb 5, '12 at 2:59p
activeMar 4, '12 at 1:45p
posts25
users13
websitephp.net

13 users in discussion

Nikita Popov: 4 posts Reindl Harald: 4 posts Tom Boutell: 4 posts Stas Malyshev: 2 posts Pierre Joye: 2 posts Derick Rethans: 2 posts Gwynne Raskind: 1 post Patrick ALLAERT: 1 post John Crenshaw: 1 post Michael Stowe: 1 post Adam Harvey: 1 post Richard Lynch: 1 post Ferenc Kovacs: 1 post