Hi Davey,
On Sun, Jul 24, 2016 at 3:33 PM, Davey Shafik wrote:
> Just wanted to let you know I voted no because of the BC breaking change to
> the INI options that could easily break many custom session handlers — any
> session handler that stores the sessions in a fixed-width column will be
> br
> For instance:
> // file1.php
> set_escape_handler('e', 'html_entities_encode');
> // file2.php
> set_escape_handler('e', 'my_own_encode');
> // file3.php
>
>
> If file1.php includes file3.php, it should use first implementation.
> If file2.php does that, so will run the second implementation. I
I have written many messages already. I think, the purpose of this operator
is clear.
In this discussion I have come up to understanding what I would like to use.
You suggest very hard and complex solutions:
$escape = new SplEscaper; $escape->support('e', function () { ... });
declare('filter=h
On 24 July 2016 at 06:14, David Rodrigues wrote:
> Now back to topic, this circular dependency occurs with functions too.
Yes, but the difference is in the surprise factor.
Two functions having a circular dependency ==> not too astonishing,
and easy to think about.
Reading the value of a variabl
On 23/07/2016 20:23, Michael Morris wrote:
PHP was a template engine at inception. [...] something has gone awry when
people are
writing template engines inside of a template engine.
At its inception, PHP was a handful of scripts including access logging
and a guestbook form. You can take a l
On 24/07/2016 10:42, Michael Vostrikov wrote:
It is a string too, instead of an identifier like in
... IDE will have problem by identify where you have defined it
It should not be identifier or single function name, because in this way we
could not use closures or object methods ($this->escap
On 24/07/2016 10:48, Michael Vostrikov wrote:
Operator is compiled into the following AST:
echo escape_handler_call(first_argument, second_argument);
I'm sorry, but this is now so simple it undermines its own argument for
existing.
There is no default handler for any context, to
prevent '
>
php already uses ?: for ternary operator, so users get a bit confused by using
it for escaping.
>
this allows multiple interpretations:
meaning $a context $b
meaning $a | $b context 'html'
> $b ?>
|> may be used by Pipe Operator rfc, if vote is successful
> if ($context == 'html') {
On 24.07.2016 at 16:55, Thomas Bley wrote:
> In total a good rfc everybody should be happy with.
I'm not happy (to put it mildly) with the RFC as it's now. The RFC
speaks of *operator*, where actually start-tags[1] are meant, to start
with. Using the word operator is rather confusing in this co
>
>
> instead of
>
>
benefits are using static code analyzers, grep "
> On 24.07.2016 at 16:55, Thomas Bley wrote:
>
>> In total a good rfc everybody should be happy with.
>
> I'm not happy (to put it mildly) with the RFC as it's now. The RFC
> speaks of *operator*, where actually start-tag
> The big difference is:
> With https://github.com/phpmyadmin/phpmyadmin/commit/edffb52884b09562490081c3b8666ef46c296418
https://github.com/phpmyadmin/phpmyadmin/commit/75a55824012406a08c4debf5ddb7ae41c32a7dbc
https://github.com/phpmyadmin/phpmyadmin/commit/aca42efa01917cc0fe8cfdb2927a6399ca1742f2
On 24/07/2016 17:21, Thomas Bley wrote:
instead of
benefits are using static code analyzers, grep "
It's not that difficult to write a static analyser that detects
instances of "
Having function names with single characters is bad taste and only useful for
obfuscating.
And having
On 24.07.2016 at 18:21, Thomas Bley wrote:
>>
>>
>> instead of
>>
>>
>
> benefits are using static code analyzers, grep "
> Having function names with single characters is bad taste and only useful for
> obfuscating.
Cryptic "operators", however, are not?
> The big difference is:
> With http
> It's not that difficult to write a static analyser that detects
> instances of "
> Surely the feature gets most of its value from what you *don't* need to
> do - which is why I think it's bizarre that the current version doesn't
> even have a built-in HTML escaper at all.
I think it's no proble
> But you still have to remember to use proper escaping function.
I see no problem if companies make a rule not to deploy code containing "
> I just wanted to give an explanation why I would vote
> against it.
I'm not sure if it is a good thing to vote against security enhancements.
Regards
Thomas
On 24/07/2016 18:06, Thomas Bley wrote:
It's not that difficult to write a static analyser that detects
instances of "
This argument is only valid if the RFC includes an implementation, not
just a syntax. As currently proposed, not even the syntax would be the
same for all applications, as pa
> Then why is absolutely everything in the current RFC optional and
> configurable to the Nth degree?
It's one handler: set_escape_handler() (N=1)
Currently, every framework has its own methods for escaping. To get this
together, set_escape_handler() is a good choice, similar to set_error_hand
On 24/07/2016 19:09, Thomas Bley wrote:
Then why is absolutely everything in the current RFC optional and
configurable to the Nth degree?
It's one handler: set_escape_handler() (N=1)
Currently, every framework has its own methods for escaping. To get this
together, set_escape_handler() is a g
> Frameworks are free to write all sorts of weird shit:
with set_escape_handler(), the "weird shit" is in one place and can be quickly
verified. Now the "weird shit" is spread over all templates.
Normally the problem is not fixing the frameworks, it's most work to fix code
that is using the fram
On 24.07.2016 at 19:21, Thomas Bley wrote:
> I'm not sure if it is a good thing to vote against security enhancements.
Most certainly, it is not. :-)
--
Christoph M. Becker
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
Hi!
What's our stance on updating the bundled SQLite3?
Currently the PHP-5.6 and 7.0 branch have 3.8.10.2, while the PHP-7.1
and master branch have 3.9.2 (sqlite3.h) respectively 3.13.0
(sqlite3.c). The latter would have certainly to be fixed to be
consistent, but I have some doubts regarding st
Hi all,
I would like to ask about the default session ID string preference.
Details of guessing an active session ID are described in the previous mail.
Please refer to it for details.
On Sun, Jul 24, 2016 at 4:57 PM, Yasuo Ohgaki wrote:
> I don't mind pausing vote to have consensus on how many bits for
> se
Dan Ackroyd wrote:
> Yes, but the difference is in the surprise factor.
>
> Two functions having a circular dependency ==> not too astonishing,
> and easy to think about.
>
> Reading the value of a variable having a circular dependency ==> give
> up programming to become a farmer.
Okay, so we can
Hi Christoph,
> -Original Message-
> From: Christoph Becker [mailto:cmbecke...@gmx.de]
> Sent: Monday, July 25, 2016 12:49 AM
> To: internals@lists.php.net
> Subject: [PHP-DEV] Bundled SQLlite3
>
> Hi!
>
> What's our stance on updating the bundled SQLite3?
>
> Currently the PHP-5.6 and
24 matches