Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:109195 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 27919 invoked from network); 22 Mar 2020 00:51:51 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 22 Mar 2020 00:51:51 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 1D4461804F3 for ; Sat, 21 Mar 2020 16:15:38 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Sat, 21 Mar 2020 16:15:37 -0700 (PDT) Received: by mail-wm1-f43.google.com with SMTP id d198so4615332wmd.0 for ; Sat, 21 Mar 2020 16:15:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=craigfrancis.co.uk; s=default; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wm75LQG/ABpQapmsA6AvDcox+yM6Ao1SAQa4BFta218=; b=ZfCemNzovPomQSqr8CylY71oR0OpWdrz2Svstb2EpsPinzMfEFUUtzezmqVz8LuqnA XJ9WPWbjJNxqog+vyYewvmbUml9xpowFsNrPc+ULpqgtO+H3EVlSQcGZ08Gl6Zt6x9yJ U1IDQO5Fn4w0QnkGvA1pVLHYBvexwO64YEcv8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wm75LQG/ABpQapmsA6AvDcox+yM6Ao1SAQa4BFta218=; b=c5X93AMrVXOegXOJmzWB5vQ8CWRknv/ezj2c6JyyCAeW1gA9HblJrlrq0frbhfZpZK OLg3VxaVikOckUREts0/MsAOoABqCoXerTYvXvGHvekOUWwd3gcbqz2RijAv/RIpfPXm ZVzSA6jQu5/EizuUtOYmbZd4lt0UR6ULFUH8+5vnQsdz2Kf/Vo+TXn4UOhWIEI4/nLDC 3nTWSPwyTr6006np9++UP1PqUhFg37+ZL03jBE58Fqt6V7Ul3v6x20N1VGAVtVdO+GtC nPpuJ0hw/H0w8nwQXrL4eASATxHfK8tZWW8hsVP7abBEjoSxSIfZcGcnlERSFaRNbgR5 YhlA== X-Gm-Message-State: ANhLgQ3oo7KN8h9uIDzlIhjaWuHWprwvYpj16vzjnTco6at03gOSVGzd mzNLsljAv80PLEvYVkNKVOrhWZQJz9IYfryy/gQvlQ== X-Google-Smtp-Source: ADFU+vuLsexJrqMbYaXuqk+HnK6rwFDEstMhkJBj31LK4wXeOjrxYq26KwF+Xh+TVqbPfaEfyvo5+okQH3+jUh4Z1Eo= X-Received: by 2002:a1c:b446:: with SMTP id d67mr17676854wmf.103.1584832535621; Sat, 21 Mar 2020 16:15:35 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Sat, 21 Mar 2020 23:15:24 +0000 Message-ID: To: Mike Schinkel Cc: PHP internals Content-Type: multipart/alternative; boundary="00000000000050918f05a16594f1" Subject: Re: [PHP-DEV] Are PECL modules preferable? From: craig@craigfrancis.co.uk (Craig Francis) --00000000000050918f05a16594f1 Content-Type: text/plain; charset="UTF-8" On Sat, 21 Mar 2020 at 22:53, Mike Schinkel wrote: > A large number of PHP users have no control over the platform they run on, > so the option to use PECL modules is a non-starter for them. Thanks Mike, Personally I agree, I would say PECL modules are not preferable for "useful features"; simply because I try to keep my systems only using core PHP features where possible (makes server admin easier). --- As you mention working with WordPress, I've seen a couple of developers who have taken examples like: $posts = $wpdb->get_results("SELECT ... WHERE post_type='post'"); Then edited it to something dangerous like: $posts = $wpdb->get_results("SELECT ... WHERE post_type='" . $_GET['type'] . "'"); To guard against this, do you think that WordPress could update their get_results() function to do something like: public function get_results( $query = null, $output = OBJECT ) { if (!is_literal($sql)) { trigger_error('This is an unsafe $query, please use $wpdb->prepare()', E_USER_NOTICE); } Perhaps with a better message; then, over the years, increase the warning level? I think that would be a very useful way of getting developers aware of these dangers. Craig On Sat, 21 Mar 2020 at 22:53, Mike Schinkel wrote: > > On Mar 21, 2020, at 5:59 PM, tyson andre > wrote: > > FROM: Re: [PHP-DEV] [RFC] is_literal() > > > > And if it can be implemented as a PECL module, that would be more > preferable to me than a core module of php. > > If it was in core, having to support that feature may limit > optimizations or implementation changes that could be done in the future. > > Just wanted to address this comment which was made on another thread (I > did not want to hijack that thread.) > > A large number of PHP users have no control over the platform they run on, > so the option to use PECL modules is a non-starter for them. > > Here are several of those managed hosting platforms I speak of. > Collectively they host a large number of WordPress sites, and Pantheon also > host Drupal sites: > > https://pagely.com/ > https://wpvip.com/ > https://wpengine.com/ > https://kinsta.com/ > https://pantheon.io/ > > Given that, if there is an option between a useful feature being added to > core or left in PECL, I would vote 100% of the time for core, since working > with WordPress on a corporate site I can rarely ever use PECL extensions. > > #fwiw > > -Mike > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > --00000000000050918f05a16594f1--