Hi,

The name "is_trusted" is misleading.
Literal is nothing but literal.

<html>
<?php
// The request parameter is spliced into source code and compiled by eval(),
// so the resulting value is a literal as far as is_trusted() is concerned.
eval('$var = ' . $_GET['a']);

// The check passes even though the value originated from user input.
if (is_trusted($var)) echo $var;
?>
</html>

Literals cannot always be trusted.

--
Yasuo Ohgaki
yohg...@ohgaki.net


On Tue, Jun 22, 2021 at 5:25 AM Craig Francis <cr...@craigfrancis.co.uk>
wrote:

> On Sat, 12 Jun 2021 at 18:00, Craig Francis <cr...@craigfrancis.co.uk>
> wrote:
>
> > I'd like to start the discussion on the is_literal() RFC:
> > https://wiki.php.net/rfc/is_literal
> >
>
>
> To recap,
>
> - We have chosen the name is_trusted(), based on 18 votes for, vs 3 against.
>
> - Integers are now included, which will help adoption:
>
> https://wiki.php.net/rfc/is_literal
>
> (Joe’s currently updating the implementation to have the new name, but all
> the functionality is there).
>
> I’m glad this RFC has been well received; and thank you for all the
> feedback, I really think it’s benefitting the implementation.
>
> Craig
>
