Table of Contents

PHP RFC: Deprecate Backtick Operator (V2)

Introduction

PHP contains multiple functions for executing system commands from within a PHP script as detailed in the “Program execution functions” section of the manual (https://www.php.net/manual/en/book.exec.php). However, there is another method that is less known, and which is not immediately obvious in its intent when viewed in source code.

The backtick operator, also known as the execution operator, runs the contents within it as a shell command.

The backtick operator is identical to shell_exec, but does so in a manner that is significantly less intuitive as to its purpose. This RFC is written based on the author's belief that the existence of backticks (as opposed to the named function) should be considered to represent unnecessary cognitive overhead while learning and using the language, while offering little unique benefit to offset this cost.

Proposal

This RFC proposes that the use of the backtick operator emits a E_DEPRECATED warning in PHP 8.0, noting the use of shell_exec and its related family of functions to achieve the same goals. This proposal does not suggest that the backtick operator should be removed with the intent of using it for other functionality.

The grounds for deprecation (and eventually removal) are as follows:

* Alternative functions exist which are more descriptive, easily understood, and more readily searchable (for example, many common Google searches omit the “`” token entirely when searching).

* Backticks are visually easily confused with double or single quotes despite exhibiting radically different behaviour.

* This different behaviour is not subtle, in effect, one parses a string, a fairly simple operation, backticks on the other hand pause execution and takes the control flow completely outside of the PHP environment, executing any commands that it has access to with the full power of the shell. The author posits that this is too close for comfort. An clear example of where this is dangerous behaviour is that “$name” interpolates a string, whereas `$name` executes the contents of the $name variable in the shell, yet at a glance they look very similar. What would be obvious if “shell_exec” instead becomes an easy-to-hide, easy-to-miss statement of immense power.

* It could be considered unintuitive that single quoted strings do not support variable substitution, but single backticks do. This is something that is only covered in the user contributed notes (EN).

* It could be considered unintuitive that backticks already rely on the safe-mode and disabled-function settings for shell_exec, and while this is documented, without viewing the php-src it is not immediately obvious why (AST compilation re-writes to a user function call).

* Certain language keyboards have no native key for backtick (An example provided by Girgias is the French AZERTY keyboard where you need to hold Alt GR + 7 + one or two Spacebar presses).

Arguments Against

* Backticks allow a combination of double-quotes and interpolation without needing to escape the double quotes.

Backward Incompatible Changes

Although the deprecation notice itself will carry no backwards compatibility changes, this RFC is written with the intent that the backtick operator would eventually be removed in a later version.

Should the operator eventually be removed, there would be a BC break that would require code using it to be updated to reflect the alternative mechanisms documented in “Program Execution Functions”, specifically shell_exec which is functionally identical.

For most cases, this should be an easy upgrade route as there is a 1-to-1 replacement between `expression` and shell_exec(“expression”) (Note: As noted in arguments against, inline double quotes must be escaped), and should complete removal eventually become viable, scripts are already available to migrate, such as CS-Fixer with the backtick_to_shell_exec flag, see https://github.com/FriendsOfPHP/PHP-CS-Fixer.

Proposed PHP Version(s)

Use of the execution operator would be deprecated in PHP 8.0 with a mind to remove it in a later version.

RFC Impact

This change is most likely to affect code written in a style that uses PHP in a similar style to BASH or other shells. The impact of this RFC in isolation would be limited to a deprecation notice being issued.

Future Scope

This RFC lays the groundwork for the eventual removal of the backtick / execution operator.

Vote

Voting started 2019-10-31 and will end 2019-11-15. A 2/3 majority is required.

Deprecate backtick operator in PHP 8.0?
Real name Yes No
alcaeus (alcaeus)  
ashnazg (ashnazg)  
brzuchal (brzuchal)  
carusogabriel (carusogabriel)  
chregu (chregu)  
cpriest (cpriest)  
cschneid (cschneid)  
daverandom (daverandom)  
derick (derick)  
duncan3dc (duncan3dc)  
galvao (galvao)  
gasolwu (gasolwu)  
girgias (girgias)  
jbnahan (jbnahan)  
jhdxr (jhdxr)  
kalle (kalle)  
kguest (kguest)  
kocsismate (kocsismate)  
laruence (laruence)  
lcobucci (lcobucci)  
lex (lex)  
marandall (marandall)  
mariano (mariano)  
mbeccati (mbeccati)  
mfonda (mfonda)  
ocramius (ocramius)  
pajoye (pajoye)  
peehaa (peehaa)  
pollita (pollita)  
remi (remi)  
reywob (reywob)  
salathe (salathe)  
stas (stas)  
subjective (subjective)  
svpernova09 (svpernova09)  
thekid (thekid)  
zimt (zimt)  
Final result: 11 26
This poll has been closed.

References

https://wiki.php.net/rfc/deprecate-backtick-operator (never brought to vote)