Newsgroups: php.internals
Date: Sun, 5 Feb 2012 18:09:55 +0100
To: Michael Stowe
Cc: Tom Boutell, Reindl Harald, "internals@lists.php.net"
Subject: Re: [PHP-DEV] [RFC] Deprecate and remove /e modifier from preg_replace
From: nikita.ppv@googlemail.com (Nikita Popov)

On Sun, Feb 5, 2012 at 5:45 PM, Michael Stowe wrote:
[snip]
> Perhaps another option, if it's a security concern is the ability to turn off the /e modifier, and have it off by default. This way we can protect our less experienced programmers, while keeping it available for more advanced use cases.

I think introducing an option for this will only create problems. Code using /e will be non-portable as it depends on the ini option being enabled. Also this way shared hosting will never disable the modifier because it doesn't want to break apps. And I think disabling it is especially important for people on shared hosting, who usually are less educated about security than people on dedicated servers.

Also: If you really want to use /e you can still call eval() inside preg_replace_callback. This additionally has the benefit of making the code evaluation more explicit.

Nikita
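
The migration the message describes, as an added example that is not part of the original post or of PHP's own code: a /e-style replacement rewritten with preg_replace_callback, first without eval() and then with the explicit eval() call mentioned above. The `{filter:text}` placeholder syntax, the `FILTERS` table and both function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The {filter:text} syntax and all names are assumptions.
// Legacy form under discussion: the replacement string is run as PHP for every match.
//   preg_replace('/\{(\w+):([^}]*)\}/e', '$1("$2")', $template);

// Allow-list of the functions a placeholder may request.
const FILTERS = [
    'upper' => 'strtoupper',
    'lower' => 'strtolower',
    'len'   => 'strlen',
];

// Migration without eval(): the callback receives the match array as plain data.
function expand_with_callback(string $template): string
{
    return preg_replace_callback(
        '/\{(\w+):([^}]*)\}/',
        function (array $m): string {
            if (!isset(FILTERS[$m[1]])) {
                return $m[0];               // unknown filter: leave the placeholder as text
            }
            return (string) call_user_func(FILTERS[$m[1]], $m[2]);
        },
        $template
    );
}

// Explicit eval() inside the callback, as the message suggests for code that really needs it.
// var_export() renders the captured text as a quoted PHP string literal, so the match
// enters the evaluated code as data and the function name comes only from the allow-list.
function expand_with_explicit_eval(string $template): string
{
    return preg_replace_callback(
        '/\{(\w+):([^}]*)\}/',
        function (array $m): string {
            if (!isset(FILTERS[$m[1]])) {
                return $m[0];
            }
            $code = 'return ' . FILTERS[$m[1]] . '(' . var_export($m[2], true) . ');';
            return (string) eval($code);
        },
        $template
    );
}

$template = 'Hello {upper:world}, {len:abc} chars, {nosuch:x} stays literal'; // constructed input
echo expand_with_callback($template), "\n";
echo expand_with_explicit_eval($template), "\n";
```

Both functions produce the same output for the constructed template; the second keeps the eval() call visible at the point where code is built, which is the explicitness the message refers to.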