Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:117375
Return-Path: <dragoonis@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 64309 invoked from network); 18 Mar 2022 16:24:16 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 18 Mar 2022 16:24:16 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 1DCB6180507
	for <internals@lists.php.net>; Fri, 18 Mar 2022 10:49:48 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <dragoonis@gmail.com>
Received: from mail-ed1-f52.google.com (mail-ed1-f52.google.com [209.85.208.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Fri, 18 Mar 2022 10:49:47 -0700 (PDT)
Received: by mail-ed1-f52.google.com with SMTP id b24so11093715edu.10
        for <internals@lists.php.net>; Fri, 18 Mar 2022 10:49:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=hSvevYzzzHZiolejYDy/a8wDIacxuDA+aoVnjSe8Ee4=;
        b=nd78eWgexxGxA3imCp+qmTWEXgHe9J+T2F7tGVzLBaED3XdhGojS0o4uxO9iQXMBYo
         Opp2+222Tyby/OugIDcc0bNdJtQq+FWrrRqv26B5nSltcDElj7raQ/zI76BYGeyKgdZf
         LVpNwIY+mjuNVqFrCwgMWhJujkkZX+aWB6KMTYW9gLWZeZdrHOhD+xP5L9N4v/KZyDO3
         nzDFouMmJPjwH064drG5OABfX6FG5oOlj2IUfkFUn4eArWcJ1xqX+wPcuNNbTs8ZLj5j
         9g3DzXuTtfSwztjA5lW2Q3qyKUMCBSAmlv4jNgctd7nS3SKAiy+58ONvsJL2I3vZyYup
         G9ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=hSvevYzzzHZiolejYDy/a8wDIacxuDA+aoVnjSe8Ee4=;
        b=bDnic/DyJjqsOcZPNcRrBchR+SLDzfDQydjyebWWewKtSCrMM5YFXQEokqfzEGwC2g
         YBzSn60lkpf6cCtpzNaJT+9jI5HqLbNw+K7eLAEfZFqG2MdkV60TKIgsv+9CVDHBZOjQ
         PvfKSf09BmdBKFoMTCWcY0sdiA850C5TSb3tIvghfkx4f3YdCjAOi+wbuyNHBJ0s03SP
         XgkYbSAA2uYGOnybsNDyyn3vRp808fBeCP1GxYdrLGktExAgb7dDvNQkHvvJeKyf8pC4
         k2eJHcdXJWvbF1wFx6l47YUj1d4EW3UcRozY0im9H/BvRFlyWd9jrF1mUjDE41Zso62s
         M/Sg==
X-Gm-Message-State: AOAM532F8EfcDYenxyLxLfKmEMx+lwygUhmiIJxl4XpBGkVhYdhFuoI3
	TwzSuxEyxDomPhKhQxRrDDVUkwG3CRgyHNl4n/s=
X-Google-Smtp-Source: ABdhPJx795E1vJrSwu9OswmsAn59nkWXw/dlRE2zqtZk7tjW+PudFAVkT9lise+IX53aocjovGH5GhWmPZRNO+fC5ls=
X-Received: by 2002:aa7:cd81:0:b0:410:d64e:aa31 with SMTP id
 x1-20020aa7cd81000000b00410d64eaa31mr10793060edv.167.1647625786271; Fri, 18
 Mar 2022 10:49:46 -0700 (PDT)
MIME-Version: 1.0
References: <CAPyj-LCXYjsjtDr1zPmH6t37pQS7aeGACG6kCex=fnsEJmNmVg@mail.gmail.com>
 <CADyq6sJP9A2UaLs5v8qJutNoekUfA1eM0gCod=9zEXhxctZppA@mail.gmail.com>
 <4AC60E84-B2AD-43F4-9B72-92604FC7BD41@gmail.com> <BN7PR05MB4033507F8061F8EF2288B483DE139@BN7PR05MB4033.namprd05.prod.outlook.com>
 <CAPKYkKzM6b6T+zxcmNsscgd8BFBD8v480+Z9bduEFYRZmhXdUw@mail.gmail.com> <73550eae-370d-115f-e440-4889e42dbc74@processus.org>
In-Reply-To: <73550eae-370d-115f-e440-4889e42dbc74@processus.org>
Date: Fri, 18 Mar 2022 17:49:35 +0000
Message-ID: <CAKxcST-Z5LmarXp93ruCf6PLSc_zdahg8FUfv445OOaUAdphZQ@mail.gmail.com>
To: Pierre <pierre-php@processus.org>
Cc: Chase Peeler <chasepeeler@gmail.com>, Theodore Brown <theodorejb@outlook.com>, 
	Tobias Nyholm <tobias.nyholm@gmail.com>, Ilija Tovilo <tovilo.ilija@gmail.com>, 
	PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000b6b47905da81c5df"
Subject: Re: [PHP-DEV] [RFC][Under discussion] Arbitrary string interpolation
From: dragoonis@gmail.com (Paul Dragoonis)

--000000000000b6b47905da81c5df
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I think the original goal of this RFC is to make PHP more expressive, and
less clunky (look at Jav).  This is a good goal and one much desired by the
community, but I think the approach here isn't the right fit or way to
achieve it

Writing code in strings is a DX nightmare, and static analysis challenge.

PHP is improving onto a more verbose, typed, but exprsssive language, and
this change would make that harder.

I'm also thinking if this could become a LCE/RCE vulnerability in a type of
eval() situation.  Not a huge point but just an observation.

Happy to re evaluate a new approach to solve the same problem that doesn't
involve coding inside strings.

On Fri, 18 Mar 2022, 14:09 Pierre, <pierre-php@processus.org> wrote:

> Le 18/03/2022 =C3=A0 15:02, Chase Peeler a =C3=A9crit :
> > On Fri, Mar 18, 2022 at 12:49 AM Theodore Brown <theodorejb@outlook.com=
>
> > wrote:
> >
> >> On Thu, Mar 17, 2022 at 5:40 PM Tobias Nyholm <tobias.nyholm@gmail.com=
>
> >> wrote:
> >>
> >>> On Thu, 17 Mar 2022, 23:27 Ilija Tovilo, <tovilo.ilija@gmail.com>
> wrote:
> >>>
> >>>> Hi everyone
> >>>>
> >>>> I'd like to start discussion on a new RFC for arbitrary string
> >>>> interpolation.
> >>>> https://wiki.php.net/rfc/arbitrary_string_interpolation
> >>>>
> >>>> Let me know what you think.
> >>> That is a cool idea.
> >>> But I am not a big fan of having code in strings.
> >>> Wouldn=E2=80=99t this open the door to all kinds of new attacks?
> >> Do you have an example of a new kind of attack this would allow?
> >> The proposal doesn't enable interpolation of strings coming from
> >> a database or user input - it only applies to string literals
> >> directly in PHP code.
> >>
> >> Personally I'm really looking forward to having this functionality.
> >> Just a couple days ago I wanted to call a function in an interpolated
> >> string, and it was really annoying to have to wrap the function in a
> >> closure in order to use it.
> >>
> >> If this RFC is accepted I'd be able to replace code like this:
> >>
> >>      $name =3D "Theodore Brown";
> >>      $strlen =3D fn(string $string): int =3D> strlen($string);
> >>      echo "{$name} has a length of {$strlen($name)}.";
> >>
> >> with
> >>
> >>      $name =3D "Theodore Brown";
> >>      echo "{$name} has a length of {$:strlen($name)}.";
> >>
> >>
> > Out of curiosity, why not:
> > $name =3D "Theodore Brown";
> > echo "{$name} has a length of ".strlen($name).".";
> >
> > or even
> > $name =3D "Theodore Brown";
> > $len =3D strlen($name);
> > echo "{$name} has a length of {$len}.";
>
> I guess it's a matter of taste and convention.
>
> Sometime, it make sense and it's just easier to just use string
> interpolation (for example with multiline templates).
>
> Regards,
>
> --
>
> Pierre
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
>
>

--000000000000b6b47905da81c5df--