On Sun, Feb 5, 2012 at 5:45 PM, Michael Stowe <mikegst...@gmail.com> wrote:
[snip]
> Perhaps another option, if it's a security concern is the ability to turn off
> the /e modifier, and have it off by default. This way we can protect our less
> experienced programmers, while keeping it available for more advanced use
> cases.

I think introducing an option for this will only create problems. Code using /e will be non-portable as it depends on the ini option being enabled. Also this way shared hosting will never disable the modifier because it doesn't want to break apps. And I think disabling it is especially important for people on shared hosting, who usually are less educated about security than people on dedicated servers.

Also: If you really want to use /e you can still call eval() inside preg_replace_callback. This additionally has the benefit of making the code evaluation more explicit.

Nikita
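
The rewrite mentioned in the reply above, as an added example that is not part of the original thread: a legacy /e call (kept as a comment), its preg_replace_callback equivalent, and the variant with an explicit eval() inside the callback. The function names, the pattern and the sample input are assumptions constructed for illustration.

```php
<?php
// Added example; function names, pattern and sample input are constructed.

// Legacy form under discussion (comment only, not executed):
//   preg_replace('/\[([^\]]+)\]/e', 'strtoupper("$1")', $text);
// With /e the replacement string is compiled as PHP after the match has
// been substituted into it, so code evaluation hides behind a regex flag.

// Usual rewrite: the match arrives in $m as plain data and is never compiled.
function upper_tags($text)
{
    return preg_replace_callback(
        '/\[([^\]]+)\]/',
        function (array $m) {
            return strtoupper($m[1]);
        },
        $text
    );
}

// Variant with eval() called explicitly inside the callback. The evaluated
// source is a constant single-quoted string; $m is read as a variable by
// that code and is not spliced into the source text.
function upper_tags_eval($text)
{
    return preg_replace_callback(
        '/\[([^\]]+)\]/',
        function (array $m) {
            return eval('return strtoupper($m[1]);');
        },
        $text
    );
}

// Constructed input: the bracketed parts contain quotes and a dollar sign,
// characters that matter once matched text is treated as source code.
$sample = 'say [he said "hi"] and [cost $5]';

$a = upper_tags($sample);
$b = upper_tags_eval($sample);

echo $a, PHP_EOL;
echo $b, PHP_EOL;
echo ($a === $b) ? 'same result' : 'results differ', PHP_EOL;
```

In the second function the eval() call is visible to a code review or a plain text search, which is not the case for a trailing `e` on a pattern string.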