Newsgroups: php.internals
From: johncrenshaw@priacta.com (John Crenshaw)
To: Derick Rethans, Nikita Popov
Cc: PHP internals
Date: Sun, 5 Feb 2012 12:07:30 -0500
Subject: RE: [PHP-DEV] [RFC] Deprecate and remove /e modifier from preg_replace

> -----Original Message-----
> From: Derick Rethans [mailto:derick@php.net]
> Sent: Sunday, February 05, 2012 11:46 AM
> To: Nikita Popov
> Cc: PHP internals
> Subject: Re: [PHP-DEV] [RFC] Deprecate and remove /e modifier from preg_replace
>
> On Sun, 5 Feb 2012, Nikita Popov wrote:
>
> > I have written an RFC that proposes to *deprecate* and *remove* the /e modifier:
> >
> > https://wiki.php.net/rfc/remove_preg_replace_eval_modifier
> >
> > Comments welcome!
>
> This RFC makes no sense. It says:
>
> For example the above example can be used to execute arbitrary PHP code by passing the string
>
> {${eval($_GET[php_code])}}
>
> . The evaluated code in this case would be "
>
> " . strtoupper("{${eval($_GET[php_code])}}") . "
>
> " and as such execute any PHP code passed in the php_code GET variable.
>
> If you don't sanitize your input then all sorts of interesting things can't happen. You're going to inconvenience a lot of people by removing it.
>
> So, definitely against removing features from a language with no real win.
>
> cheers,
> Derick

Normally I'd totally agree with not removing stuff, but in this case the RFC makes a critical error which serves to demonstrate exactly how bad the problem is. The author incorrectly used double quotes in their replace string, when the only safe solution is to use single quotes. This is a super common mistake with /e, and even many veterans won't notice it (although they'll probably notice the use of /e).

Removing this would obviously be an inconvenience for some people, but getting your server hacked is also an inconvenience, and hackers don't give you nice warnings with file and line number. I like the idea of doing _something_ here. Deprecate now and remove later sounds fair.

John Crenshaw
Priacta, Inc.
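An added example, not code from the thread or the RFC: the RFC's strtoupper() replacement in the double-quoted and single-quoted /e forms the thread argues about, beside the preg_replace_callback() form that needs no eval at all. The `<b>` pattern, the `upper_bold()` helper and the sample input are assumptions made for this example.

```php
<?php
// Added example, not code from the thread or the RFC. The two /e lines only
// run on PHP 5 (the modifier was removed in PHP 7), so they are guarded.

// Constructed input: the captured group carries the "{${...}}" interpolation
// syntax quoted in the thread, with a harmless call in place of eval().
$input = '<b>{${phpversion()}}</b>';

if (PHP_VERSION_ID < 70000) {
    // With /e PHP runs the captured text through addslashes(), substitutes it
    // for \1 and then evaluates the whole replacement string as PHP code.

    // Double quotes around \1 (the RFC's mistake): the evaluated code is
    //   strtoupper("{${phpversion()}}")
    // and "{${...}}" inside a double-quoted PHP string is executed by the
    // engine, so the captured text is run, not merely uppercased.
    $unsafe = preg_replace('/<b>(.*?)<\/b>/e', 'strtoupper("\\1")', $input);

    // Single quotes around \1: the evaluated code is
    //   strtoupper('{${phpversion()}}')
    // A single-quoted PHP string does no interpolation, and addslashes() has
    // already escaped any quote in the captured text, so it stays plain data.
    $safer = preg_replace('/<b>(.*?)<\/b>/e', "strtoupper('\\1')", $input);
}

// Hardened form (assumed helper name): the callback receives the captured
// text as a function argument, so there is no string of code for user input
// to leak into, and no quoting decision left to get wrong.
function upper_bold($html)
{
    return preg_replace_callback(
        '/<b>(.*?)<\/b>/',
        function (array $m) { return strtoupper($m[1]); },
        $html
    );
}

// The payload comes back uppercased as text; nothing in it is executed.
echo upper_bold($input), "\n";
```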