Newsgroups: php.internals
From: smalyshev@sugarcrm.com (Stas Malyshev)
Date: Tue, 31 May 2011 14:25:46 -0700
To: Rasmus
CC: PHP internals
Subject: Re: [PHP-DEV] RFC: Short syntax for Arrays (redux)

Hi!

> Stas, I didn't understand your point about eval() and security. What did
> you mean?

I meant if PHP has JSON syntax as native, e.g. you can say something like:

    $a = {"a":"b"};

Then the temptation would be to write something like:

    // $json_string is {"a":"b"}
    $a = eval($json_string);

just as Javascript programmers sometimes do. That would have the same security implications as it has in Javascript - somebody could inject executable code there, etc. Of course, nobody forces you to do this, but the temptation would be there.

Also, with full JSON support it is not entirely clear to me what {"a": "b"} would mean - is it an array or an object? In JS, it's definitely an object, but in PHP objects are almost never used to store pure state without behavior, because we have hashtable arrays, while JS only has vector arrays. So here we have some unclear point (which does not happen with [] syntax, since with [] it's obvious we're talking about arrays, just as in many other languages).

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
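
The eval-versus-parser risk described in the message above, as an added example that is not part of the original post. It is written in JavaScript, the language the message draws its comparison from, and every function name and input string in it is constructed for illustration.

```javascript
// Added example: eval() versus a data-only parser on the same untrusted text.
// All names and inputs below are constructed for illustration.

const executed = []; // records any code that ran while "parsing"

// The tempting shortcut: treat the JSON text as source code.
function parseWithEval(text) {
  return eval("(" + text + ")"); // direct eval: runs whatever expression it is given
}

// Data-only parsing: the JSON grammar has no calls, operators or identifiers.
function parseStrict(text) {
  return JSON.parse(text);
}

// Run both parsers over one input and report what happened.
function compare(text) {
  executed.length = 0;
  const report = { evalValue: undefined, evalRanCode: false,
                   strictValue: undefined, strictRejected: false };
  try {
    report.evalValue = parseWithEval(text);
  } catch (e) {
    report.evalValue = e.name;
  }
  report.evalRanCode = executed.length > 0;
  try {
    report.strictValue = parseStrict(text);
  } catch (e) {
    report.strictRejected = e instanceof SyntaxError;
  }
  return report;
}

// Constructed inputs: one plain document, one carrying an embedded expression.
const benign = '{"a":"b"}';
const hostile = '{"a": (executed.push("injected expression"), "b")}';

console.log(compare(benign));
console.log(compare(hostile));
```

For the second input, eval() returns the same value as for the first, so the caller cannot tell from the result that an embedded expression ran; only the strict parser rejects it.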