On 03.09.2021 at 17:23, Nikita Popov <[email protected]> wrote:
> Just to throw it out there: Maybe we should clear the stat cache when
> functions in the exec family are used? Even if we allow disabling the stat
> cache, I think we can easily avoid that particular footgun. And if calls to
> external binaries are involved we likely don't have to worry about stat
> overhead.
While this would make the foot gun a bit smaller it introduces more magic. I'm
not completely against it but it feels dirty.
On top of that: I hope people using exec and friends are properly escaping
parameters. Which in our case is a helper function where a clear_stat_cache()
could easily be added in user land, making it explicit.
Side-note: We should teach people not to use exec-style functions when normal
PHP functions work :-)
The following works fine:
<?php
touch("foo");
if (is_file('foo'))
    echo "Correct\n";
unlink("foo");
if (is_file('foo'))
    echo "Incorrect\n";
Sure, it was a contrived example but external programs should IMHO be avoided
if (easily enough) possible.
But going back to the original topic: After thinking about it I'd rather
completely remove the stat cache (after properly evaluating the impact) than
adding a new mode to PHP. At least the behavior would then be a function of the
PHP version, not the PHP version *and* an ini setting.
- Chris
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
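
The user-land helper idea from the message above, sketched as an added example that is not part of the original mail or of PHP itself. It uses PHP's built-in clearstatcache(); run_cmd() is a hypothetical helper name, the temp-file path is constructed, and the demo assumes a POSIX system where rm is available.

```php
<?php
// Added illustration. run_cmd() is a hypothetical helper, not a PHP built-in.

/**
 * Run an external program with every argument shell-escaped, then drop
 * PHP's stat cache so later is_file()/file_exists() calls hit the filesystem.
 * Returns the program's exit status.
 */
function run_cmd(string $program, array $args = []): int
{
    $cmd = escapeshellcmd($program);
    foreach ($args as $arg) {
        // Quote each argument individually; never interpolate raw input.
        $cmd .= ' ' . escapeshellarg((string) $arg);
    }
    exec($cmd, $output, $status);
    clearstatcache();   // the child may have changed files PHP has cached
    return $status;
}

// Constructed sample path for the demo.
$file = sys_get_temp_dir() . '/statcache-demo-' . getmypid();

// 1. Raw exec(): PHP cannot know that the child process removed the file.
touch($file);
is_file($file);                          // primes the stat cache for $file
exec('rm ' . escapeshellarg($file));
$stale = is_file($file);                 // answered from the cache, typically true
clearstatcache();
$fresh = is_file($file);                 // false once the cache is dropped

// 2. Same sequence through the helper: the cache is cleared explicitly.
touch($file);
is_file($file);
run_cmd('rm', [$file]);
$afterHelper = is_file($file);           // false

var_dump($stale, $fresh, $afterHelper);
```

Unlike the unlink() snippet in the message, which PHP handles by clearing the cache itself, the raw exec() path leaves the cached entry in place until clearstatcache() is called.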