Hi Internals,

We're going back to the original is_literal() proposal.

https://wiki.php.net/rfc/is_literal

This means that integers, which we cannot flag if they came from the developer, will not be considered as part of the "literal" definition. This helps us avoid the naming issue, and trying to define a concept that's a bit vague (strings from the developer, or integers from anywhere)... and while I’m still of the belief that integers would help adoption, I can also see the appeal of something that's easier to understand, especially for a supermajority.

(My ideal solution would be to have a primary ‘is_literal’ vote, with a secondary question of adding integer support, but I’ve checked and the multiple-question system here is for minor implementation details only, e.g. names.)

But either way it’s important that we address how Injection Vulnerabilities occur. This simple flagging-and-checking literals system that has been proven to work in other languages will give libraries an easy way to check that certain sensitive values have only come from the developer.

Considering we need a two-thirds majority vote, we do need to keep this straightforward, avoiding any concerns over the variable's contents.

Thanks for all your feedback so far, and I hope you can continue to show your support for this on here, to show RFC voters this should be added to PHP.

Craig