On Sun, Feb 5, 2012 at 5:45 PM, Michael Stowe <mikegst...@gmail.com> wrote:
[snip]
> Perhaps another option, if it's a security concern, is the ability to turn off
> the /e modifier, and have it off by default. This way we can protect our less
> experienced programmers, while keeping it available for more advanced use
> cases.

I think introducing an option for this will only create problems. Code
using /e will be non-portable as it depends on the ini option being
enabled. Also, this way shared hosting will never disable the modifier
because it doesn't want to break apps. And I think disabling it is
especially important for people on shared hosting, who usually are
less educated about security than people on dedicated servers.

Also: If you really want to use /e you can still call eval() inside
preg_replace_callback. This additionally has the benefit of making the
code evaluation more explicit.

Nikita

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

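The three forms contrasted in the message above, written out as an added example. This code is not from the original thread or from the PHP project; the input string and the "camelize" transformation are constructed for illustration, and the helper names camelize() and camelizeWithEval() are made up for this example. It shows the same substitution done with the /e modifier, with preg_replace_callback(), and with an explicit eval() inside the callback as Nikita suggests.

```php
<?php
// Added example (not part of the original mailing-list post).
// Constructed input: convert snake_case words to camelCase.
$input = 'user_name and last_login_time';

// 1. The /e modifier: the replacement string is evaluated as PHP code once
//    per match, with backreferences spliced into that source text. /e was
//    deprecated in PHP 5.5 and removed in PHP 7.0, so this branch only runs
//    on older interpreters and is kept here purely for comparison.
if (PHP_VERSION_ID < 70000) {
    $withE = preg_replace('/_([a-z])/e', 'strtoupper("\\1")', $input);
}

// 2. preg_replace_callback(): the transformation is an ordinary closure.
//    The matched text arrives as data in $m and is never interpreted as
//    PHP source, so there is no code evaluation at all.
function camelize($s)
{
    return preg_replace_callback(
        '/_([a-z])/',
        function (array $m) {
            return strtoupper($m[1]);
        },
        $s
    );
}

// 3. If dynamic code really is required, put the eval() in the callback.
//    The evaluation is now visible (and greppable) at the call site instead
//    of being hidden behind a regex flag, and the match is bound to a
//    variable rather than spliced into the evaluated source text.
function camelizeWithEval($s, $code)
{
    return preg_replace_callback(
        '/_([a-z])/',
        function (array $m) use ($code) {
            $match = $m[1];      // visible to the evaluated code as $match
            return eval($code);  // explicit code evaluation, in one place
        },
        $s
    );
}

var_dump(camelize($input));
var_dump(camelizeWithEval($input, 'return strtoupper($match);'));
```

Form 2 is the drop-in replacement for almost every real use of /e; form 3 exists only to show that the "advanced use cases" mentioned in the quoted reply lose nothing, they just have to spell out the eval() instead of relying on the modifier.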