Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:69615
Return-Path: <ceceldada@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 49478 invoked from network); 17 Oct 2013 13:00:40 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 17 Oct 2013 13:00:40 -0000
Authentication-Results: pb1.pair.com header.from=ceceldada@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=ceceldada@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.52 as permitted sender)
X-PHP-List-Original-Sender: ceceldada@gmail.com
X-Host-Fingerprint: 209.85.160.52 mail-pb0-f52.google.com  
Received: from [209.85.160.52] ([209.85.160.52:40606] helo=mail-pb0-f52.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 35/F7-12663-67FDF525 for <internals@lists.php.net>; Thu, 17 Oct 2013 09:00:38 -0400
Received: by mail-pb0-f52.google.com with SMTP id wz12so2259308pbc.39
        for <internals@lists.php.net>; Thu, 17 Oct 2013 06:00:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:cc:content-type;
        bh=fxkR/jocNZprb5yDbEYCCaNvammp2osyW59hPF0APRk=;
        b=LcaL6CjRYoPJoRaiPsXdZZem2/EiDjQHSvcDZG/BvSz78+TmfpTxai8gWkS+lQTKCV
         VGYyrntiQpRcTJU906MXBo0RnERFGmQjaLepNsL1gAgYwsuqLVv+9aHPHVZv0bkRsOyD
         tjVnpcSn2kzlEzWfo9f7dNDabczrR7sC49JrO/kd9kn1gX8z2VDvtnuWQ6yArl2AgMRn
         PQq9vbW34SsxcwfGSjtjWS9091kdd29V0AzVG/PrjZyjm2ifq4n86IdAEeJ0NwdeX0DD
         v4ZLh8mXVs/zYmddyKvB9FQHHHSccSRk/Mmeqx36KqrHi7d5J1t9kq4qvb7snEAOlJ7h
         QOtA==
MIME-Version: 1.0
X-Received: by 10.66.4.105 with SMTP id j9mr4964384paj.84.1382014835970; Thu,
 17 Oct 2013 06:00:35 -0700 (PDT)
Received: by 10.68.51.104 with HTTP; Thu, 17 Oct 2013 06:00:35 -0700 (PDT)
Received: by 10.68.51.104 with HTTP; Thu, 17 Oct 2013 06:00:35 -0700 (PDT)
Date: Thu, 17 Oct 2013 10:00:35 -0300
Message-ID: <CAEf4F9Rarmytx9amhvsvjx=WG+PkDsHWWh4PyRx13t7gFu7p-g@mail.gmail.com>
To: Rowan Collins <rowan.collins@gmail.com>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=bcaec5215f4f5f609c04e8ef67b3
Subject: Re: [PHP-DEV] Proposal to deprecate create_function()
From: ceceldada@gmail.com (Marcel Araujo)

--bcaec5215f4f5f609c04e8ef67b3
Content-Type: text/plain; charset=UTF-8

I used this function to create dynamic functions with dynamix names. There
are lot of use. I have sure the clousures are not final replacement.

My two cents
Em 14/10/2013 18:33, "Rowan Collins" <rowan.collins@gmail.com> escreveu:

Hi All,

(First, a quick aside: I'm new here, so let me know if I'm treading on any
toes or failing to do my homework properly. Also, apologies for
long-windedness; it's a personal flaw.)

I would like to propose that create_function() be officially deprecated, to
encourage people to use the much safer and more powerful anonymous
functions we've had since 5.3, and eventually allow this relic to be
removed from the language.

In case any of you aren't familiar with the details, create_function,
according to Zeev's comment in the source "Creates an anonymous function,
and returns its name (funny, eh?)". It does this by wrapping some
boilerplate around two strings provided by the user, and eval()ing the
result to (hopefully) create a function called __lambda_func; it then
renames this to a unique name beginning with a null byte, so that it can't
conflict with any "real" functions, and returns the new name as a string.

Until PHP 5.3, this was the only way to dynamically create a callback
function, and is thus a widely used feature, so it should not be removed in
a hurry. Many projects (e.g. Wordpress) still support PHP 5.2, so cannot
switch over to true anonymous functions yet; but we can hope that most
people will have abandoned 5.2 by the time 5.7 or 5.8 comes around, and
re-evaluate then.

The argument for deprecating it is largely the same as for the /e modifier
in preg_replace - namely that it's a wrapper around eval(), with all the
dangers that brings. In fact, I've seen a few people trying to "fix" uses
of preg_replace using create_function() to create the argument for
preg_replace_callback()!

Specifically:

 * It performs absolutely no checks before eval()ing the string. It is
   therefore trivial for code to end up injected into it, and even be
   run immediately, e.g. create_function('', '} echo "hi"; if (0) {');
   [http://3v4l.org/YtmVT]
 * Since the function body is simply a string, the only way to "close
   over" a variable is to use var_export, serialize, or similar. Even
   string variables need careful escaping.
 * The function name it creates, although guaranteed unique, is
   entirely predictable, and the function exists in the global
   namespace. It's impossible to truly isolate it to a particular scope.
 * The function, once created, is never destroyed, so repeated use of
   create_function "leaks" memory.

A seeming alternative to deprecating it would be to reimplement it in terms
of closures. However, this would be the worst of both worlds: on the one
hand, it would still need to eval() its body argument, so have much the
same security risk; on the other, it would still represent a BC break,
because it would have a different return type. It is, for instance,
possible to reference one "anonymous" function within another, by judicious
use of var_export or similar to inject the null-prefixed string into the
function body; I doubt anyone heavily uses such tricks, but if they did,
create_function() returning a closure object would be more irritating than
it not existing at all.

I mentioned in StackOverflow chat that the documentation still had examples
using create_function, and NikiC went ahead and fixed several, as well as
adding a warning to the top of the documentation page. [
https://github.com/salathe/**phpdoc-en/commit/**
1d57b16e69dfd8d93dd6e4a354d3ed**20bd21494d<https://github.com/salathe/phpdoc-en/commit/1d57b16e69dfd8d93dd6e4a354d3ed20bd21494d>
].

I think it would be sensible to take this a step further and emit an
E_DEPRECATED message if it is used in PHP 5.6, and add to the warning that
it may be removed in a future version of PHP.

If anyone can think of any counter-arguments - and in particular, any uses
of create_function() which can't trivially be replaced with either a true
closure or a direct call to eval() - I would be interested to hear them.

Regards,

-- 
Rowan Collins
[IMSoP]

--bcaec5215f4f5f609c04e8ef67b3--