Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57730
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: pass (pb1.pair.com: domain thelounge.net designates 91.118.73.15 as permitted sender)
Message-ID: <4F2EB14A.5080007@thelounge.net>
Date: Sun, 05 Feb 2012 17:41:46 +0100
Organization: the lounge interactive design
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20120131 Thunderbird/10.0
MIME-Version: 1.0
To: internals@lists.php.net
References: <CAF+90c9qoyzBf+FpBxMdX0FByy5xB+7x3xi3kNxdvWX=_uz=mg@mail.gmail.com> <CAEZPtU7mYOB6RTHPFb8B76bPsZiFki6J5sJCMViGD7vK8Fdiyg@mail.gmail.com> <4F2EAF7D.9080506@thelounge.net> <CAORXhGKBPehGLvZsj9D4Oi2Fo4FnV+esyg_QNkuv3cO7uFn6qw@mail.gmail.com>
In-Reply-To: <CAORXhGKBPehGLvZsj9D4Oi2Fo4FnV+esyg_QNkuv3cO7uFn6qw@mail.gmail.com>
OpenPGP: id=7F780279;
	url=http://arrakis.thelounge.net/gpg/h.reindl_thelounge.net.pub.txt
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="------------enig791C8EB11AC247023EF3AD44"
Subject: Re: [PHP-DEV] [RFC] Deprecate and remove /e modifier from preg_replace
From: h.reindl@thelounge.net (Reindl Harald)

--------------enig791C8EB11AC247023EF3AD44
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

i did not see any smiley  and without it is hard to smell

remove /e makes sense over the long because it is
really dangerous to get wrong used with user-input
by pepole C&P reg-expressions from somewehre without exactly
understand what they are doing and that they can trigger
remote-code execution form anonymous requests

the places where i use eval will never see any user-input

these are different worlds

Am 05.02.2012 17:37, schrieb Tom Boutell:
> A sense of humor is important when reading mailing lists frequented by
> extremely clever people (:
>=20
> On Sun, Feb 5, 2012 at 11:34 AM, Reindl Harald <h.reindl@thelounge.net>=
 wrote:
>> what he hell - if you kill eval you would kill the whole
>> work of my life and yes i know that eval is evil and
>> it is only used at one place which is a central and
>> real important to include modules and set parameters
>> dynamically
>>
>> the /e modifier is a total other dimension because it can
>> be used by people not knowing what they are doing exactly
>> by C&P any code snippet
>>
>> eval() is a documentated function
>>
>> Am 05.02.2012 17:21, schrieb Pierre Joye:
>>> I think we should remove eval at the same time then. As the risk is
>>> exactly the same in both situations. Eval is just as evil and can be
>>> avoided as well (or any other similar features, not sure if other ext=
s
>>> allow that).
>>>
>>> Cheers,
>>>
>>> On Sun, Feb 5, 2012 at 3:59 PM, Nikita Popov <nikita.ppv@googlemail.c=
om> wrote:
>>>> Hi internals!
>>>>
>>>> I have written an RFC that proposes to *deprecate* and *remove* the =
/e modifier:
>>>>
>>>> https://wiki.php.net/rfc/remove_preg_replace_eval_modifier
>>>>
>>>> Comments welcome!


--------------enig791C8EB11AC247023EF3AD44
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8usUoACgkQhmBjz394Ank8OACfbYXifoeao92+AW3PwrQWKaoz
bPYAn0DGY0b3uZ9vezGl7lJaMpbG8BbO
=7UsC
-----END PGP SIGNATURE-----

--------------enig791C8EB11AC247023EF3AD44--