On Tue, 6 Jul 2021 at 7:38 am, G. P. B. <george.bany...@gmail.com> wrote:
> Although I think the idea of the feature is useful, > I'm not so sure about the implementation. > [...] > Whereas using a function like concat_literal() which checks that the > inputs are indeed literals provides immediate feedback that the type > constraint is not being violated. Hi George, Thank you for your message. We have provided a userland `literal_concat()` function in the RFC to do exactly what you’re suggesting, while allowing developers to choose to do things like raise exceptions during development/testing, and ignore/log issues when running in production. So you absolutely can use it like that if you want. https://wiki.php.net/rfc/is_literal#support_functions We also agree that a dedicated type would be useful, but as noted by Joe and someniatko, that should come in 8.2 once the function is established (allowing us to potentially build on Intersection Types, and will involve a separate discussion). This is noted under "Future Scope". https://externals.io/message/114835#114847 The only difference is that we decided to allow string concatenation of literals, as we want to provide something that’s usable for everyone immediately, provides the same level of security, and doesn’t require a mass rewriting of existing code. (Which is basically a death sentence for most security-based improvements, as a lot of people won’t have the time/energy to do that. The more automatic security can be, the better, which is why something libraries can implement is ideal). https://wiki.php.net/rfc/is_literal#string_concatenation Excluding concatenation would almost certainly prevent libraries from using this check, simply because developers do use concatenation, which will result in too many invalid errors, requiring them to make substantial/unnecessary changes (i.e. replacing every string concat with `literal_concat()`, or using a special Query Builder for their SQL/HTML/CLI/etc). It’s also worth noting that developers who want to use `strict_types` are probably using static analysis already, where Psalm has just added support for this (thank you Matthew): https://github.com/vimeo/psalm/releases/tag/4.8.0 Thanks, Craig
