Hi,

The name "is_trusted" is misleading. Literal is nothing but literal.

<html>
<?php
eval('$var= '. $_GET['a'] );
if (is_trusted($var)) echo $var;
?>
</html>

Literals cannot always be trusted.

--
Yasuo Ohgaki
yohg...@ohgaki.net

On Tue, Jun 22, 2021 at 5:25 AM Craig Francis <cr...@craigfrancis.co.uk> wrote:

> On Sat, 12 Jun 2021 at 18:00, Craig Francis <cr...@craigfrancis.co.uk>
> wrote:
>
> > I'd like to start the discussion on the is_literal() RFC:
> > https://wiki.php.net/rfc/is_literal
> >
>
> To recap,
>
> - We have chosen the name is_trusted(), based on 18 votes for, vs 3 against.
>
> - Integers are now included, which will help adoption:
>
> https://wiki.php.net/rfc/is_literal
>
> (Joe's currently updating the implementation to have the new name, but all
> the functionality is there).
>
> I'm glad this RFC has been well received; and thank you for all the
> feedback, I really think it's benefitting the implementation.
>
> Craig
>