Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC][Under discussion] Arbitrary string interpolation
From: tovilo.ilija@gmail.com (Ilija Tovilo)
To: PHP internals
Date: Sun, 27 Mar 2022 18:41:03 +0200
References: <10558027.nUPlyArG6x@arnaud-t490>

> All the other languages I looked at have support for full expressions in
> their interpolation forms:

Thank you Rowan, I added the comparison of other languages to the RFC.

> A large part of that is because the placeholders are positional rather
> than named, so you have to keep track of which is which; but by the time
> you've got named placeholders, you might as well have variable
> interpolation.

I feel the same way. PhpStorm has a feature that highlights the given expression when your cursor is placed on a %s placeholder and vice versa. This seems to be the treatment of that symptom.

> and in each case, they added *expression* interpolation, not just the
> *variable* interpolation supported by Perl and PHP.

Also note that the goal of this RFC is not to encourage embedding increasingly complex expressions in strings, but rather to allow simple expressions like string manipulation and constants. Could you now declare all your classes in a string? Yes. Can you create a 20'000 line PHP file? Sure. I don't think most people would support some arbitrary cutoff for LOC either. As Rowan mentioned, most languages allow expressions in strings and yet this is rarely abused in practice.

> Wouldn't this open the door to all kinds of new attacks?

No. It's no different from `"$userControlledString"`. Make sure to sanitize user-controlled input. The expression inside the string is parsed at compile-time, something like `"{$: $userControlledString}"` where `$userControlledString = 'doSomethingBad()';` will *not* interpret that string and call that function but rather just result in `"doSomethingBad()"`.

Another thing I'd like to mention: All the heavy lifting for full blown expression string interpolation is already there. If you look at the implementation (https://github.com/php/php-src/pull/8256) very few changes are necessary to make this work.

Ilija
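The compile-time argument in Ilija's reply, as an added example that is not part of the original message, the RFC, or php-src. The RFC's proposed `{$: ...}` form is not available in released PHP, so it appears below only as data inside a single-quoted string; PHP's existing `{$var}` interpolation has the same property the reply relies on, namely that the template is fixed in the source and a runtime value that looks like code is substituted byte for byte. For contrast, `render_unsafe()` shows the case that does open the door: letting the user control the template itself and passing it to `eval()`. The function names, `doSomethingBad()`, and both sample strings are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed attacker-controlled VALUE. It contains the RFC's proposed
// syntax, a function call and a superglobal name, all as plain text.
$userControlledString = '{$: doSomethingBad()} doSomethingBad() $_SERVER';

// Hypothetical payload. If interpolation ever executed attacker data,
// this would run and abort the script.
function doSomethingBad(): string
{
    throw new RuntimeException('interpolation executed attacker-supplied code');
}

/**
 * Safe: the template is a literal in the source file and is parsed once,
 * at compile time. Only the *value* of $value is inserted; its contents are
 * never re-parsed as PHP, no matter what they look like.
 */
function render_safe(string $value): string
{
    return "Hello, {$value}!";
}

/**
 * Unsafe: the *template* comes from the user and is compiled at runtime by
 * eval(). Anything that closes the string literal is executed as PHP. This
 * is the real code-execution risk, and it exists with or without the RFC.
 */
function render_unsafe(string $userTemplate): string
{
    return eval('return "' . $userTemplate . '";');
}

// 1. Hostile value through a fixed template: substituted literally, nothing runs.
$safe = render_safe($userControlledString);
if ($safe !== 'Hello, {$: doSomethingBad()} doSomethingBad() $_SERVER!') {
    fwrite(STDERR, "unexpected interpolation result\n");
    exit(1);
}

// 2. User-controlled template through eval(): the embedded call *does* run.
//    A deliberately harmless constructed template is used so the script completes.
$userTemplate = 'Hello, " . strtoupper("world") . "!';
$unsafe = render_unsafe($userTemplate);
if ($unsafe !== 'Hello, WORLD!') {
    fwrite(STDERR, "eval-based template did not execute as expected\n");
    exit(1);
}

echo "value interpolation stayed inert; template eval executed code\n";
```

Run it with `php example.php`. The takeaway for reviewing interpolation features is the distinction in the first check: the attack surface is who controls the template string that reaches the compiler, not what characters a substituted value happens to contain. Sanitising the value still matters for the usual output contexts (HTML, SQL, shell), which is the point of "make sure to sanitize user-controlled input" above.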