Newsgroups: php.internals
Date: Sun, 5 Feb 2012 16:46:17 +0000 (GMT)
From: derick@php.net (Derick Rethans)
To: Nikita Popov
cc: PHP internals
Subject: Re: [PHP-DEV] [RFC] Deprecate and remove /e modifier from preg_replace

On Sun, 5 Feb 2012, Nikita Popov wrote:

> I have written an RFC that proposes to *deprecate* and *remove* the /e modifier:
>
> https://wiki.php.net/rfc/remove_preg_replace_eval_modifier
>
> Comments welcome!

This RFC makes no sense. It says:

For example the above example can be used to execute arbitrary PHP code by passing the string

{${eval($_GET[php_code])}}

. The evaluated code in this case would be "

" . strtoupper("{${eval($_GET[php_code])}}") . "

" and as such execute any PHP code passed in the php_code GET variable.

If you don't sanitize your input then all sorts of interesting things can't happen. You're going to inconvenience a lot of people by removing it. So, definitely against removing features from a language with no real win.

cheers,
Derick

--
http://derickrethans.nl | http://xdebug.org
Like Xdebug? Consider a donation: http://xdebug.org/donate.php
twitter: @derickr and @xdebug
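
An added example, not part of this message or of the RFC: it builds, without ever evaluating it, the code string that the /e modifier would hand to eval() for the string quoted above, and then performs the same transformation with preg_replace_callback, where the match stays plain data. The `[b]...[/b]` pattern, the sample input and the function names are constructed for illustration.

```php
<?php
// Constructed sample input: user-supplied text carrying the string quoted from the RFC.
$input = '[b]{${eval($_GET[php_code])}}[/b] and [b]hello[/b]';

// Constructed pattern and /e-style replacement expression.
$pattern     = '/\[b\](.*?)\[\/b\]/';
$replacement = 'strtoupper("$1")';

// With /e, each backreference is run through addslashes() and substituted
// into the replacement string, and the result is evaluated as PHP code.
// This helper returns those code strings as text only; nothing is executed.
function code_seen_by_e_modifier(string $pattern, string $replacement, string $subject): array
{
    preg_match_all($pattern, $subject, $matches, PREG_SET_ORDER);
    $codes = [];
    foreach ($matches as $m) {
        $codes[] = preg_replace_callback('/\$(\d)/', function (array $ref) use ($m): string {
            return addslashes($m[(int) $ref[1]] ?? '');
        }, $replacement);
    }
    return $codes;
}

// Same transformation with a callback: the captured text is passed as an
// argument and is never parsed as PHP source.
function upper_bold(string $pattern, string $subject): string
{
    return preg_replace_callback($pattern, function (array $m): string {
        return '[b]' . strtoupper($m[1]) . '[/b]';
    }, $subject);
}

// addslashes() escapes quotes, backslashes and NUL, but not "$" or "{",
// so the "{${...}}" syntax survives inside the double-quoted string literal.
foreach (code_seen_by_e_modifier($pattern, $replacement, $input) as $code) {
    echo 'would be evaluated: ', $code, PHP_EOL;
}

echo 'callback result:    ', upper_bold($pattern, $input), PHP_EOL;
```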