> On 18 March 2022 at 18:49, Paul Dragoonis <dragoo...@gmail.com> wrote:
> 
> I think the original goal of this RFC is to make PHP more expressive, and
> less clunky (look at Java). This is a good goal and one much desired by the
> community, but I think the approach here isn't the right fit or way to
> achieve it.
> 
> Writing code in strings is a DX nightmare, and a static analysis challenge.
> 
> PHP is improving onto a more verbose, typed, but expressive language, and
> this change would make that harder.
> 
> I'm also thinking if this could become a LCE/RCE vulnerability in a type of
> eval() situation.  Not a huge point but just an observation.
> 
> Happy to re-evaluate a new approach to solve the same problem that doesn't
> involve coding inside strings.

Although I agree that code execution in strings is not a great idea, it should 
be noted that this is already possible today, so that this proposal does not 
add a new capability. Indeed, the proposed syntax:

"{$:/* arbitrary expression here */}";

is equivalent to:

$expr = fn($_) => $_;
"{$expr(/* arbitrary expression here */)}";

—Claude
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
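
The equivalence stated in the reply, and the eval() concern from the quoted message, checked in current PHP. This is an added example, not part of the thread or of the RFC; it assumes PHP 7.4+ (arrow functions), and $items, $untrusted and the sample strings are constructed for illustration.

```php
<?php
// Added illustration; requires PHP 7.4+ for arrow functions.
$expr = fn($_) => $_;   // identity closure from the reply

// Case 1: the expression is written in the source file's string literal.
// The compiler turns it into ordinary code, so it is evaluated.
$items = ['a', 'b', 'c'];
$fromSource = "count={$expr(count($items))}";

// Case 2: the same syntax arrives as data (constructed sample input).
// Interpolation inserts the value and never re-scans it for "{$...}".
$untrusted = '{$expr(6 * 7)}';
$fromData = "Hello {$untrusted}";

// Case 3: only passing the data to eval() makes PHP compile it as code.
// This is the "eval() situation"; it exists with or without the RFC.
$viaEval = eval('return "' . $untrusted . '";');

$checks = [
    'literal expression is evaluated' => $fromSource === 'count=3',
    'data is inserted verbatim'       => $fromData === 'Hello {$expr(6 * 7)}',
    'eval() compiles data as code'    => $viaEval === '42',
];
foreach ($checks as $label => $ok) {
    echo ($ok ? 'ok   ' : 'FAIL '), $label, PHP_EOL;
}
```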