rfc:deprecate-backtick-operator-v2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
rfc:deprecate-backtick-operator-v2 [2019/10/04 15:32]
marandall
rfc:deprecate-backtick-operator-v2 [2019/11/15 12:20] (current)
marandall
Line 3: Line 3:
   * Date: 2019-10-04   * Date: 2019-10-04
   * Author: Mark Randall, marandall@php.net   * Author: Mark Randall, marandall@php.net
-  * Status: Draft+  * Status: Declined
   * First Published at:https://wiki.php.net/rfc/deprecate-backtick-operator-v2   * First Published at:https://wiki.php.net/rfc/deprecate-backtick-operator-v2
   * Target: 8.0   * Target: 8.0
Line 21: Line 21:
 * Alternative functions exist which are more descriptive, easily understood, and more readily searchable (for example, many common Google searches omit the "`" token entirely when searching).  * Alternative functions exist which are more descriptive, easily understood, and more readily searchable (for example, many common Google searches omit the "`" token entirely when searching). 
  
-* Backticks are visually easily confused with single quotes despite exhibiting radically different behaviour. +* Backticks are visually easily confused with double or single quotes despite exhibiting radically different behaviour.  
 + 
 +* This different behaviour is not subtle, in effect, one parses a string, a fairly simple operation, backticks on the other hand pause execution and takes the control flow completely outside of the PHP environment, executing any commands that it has access to with the full power of the shell. The author posits that this is too close for comfort. An clear example of where this is dangerous behaviour is that "$name" interpolates a string, whereas `$name` executes the contents of the $name variable in the shell, yet at a glance they look very similar. What would be obvious if "shell_exec" instead becomes an easy-to-hide, easy-to-miss statement of immense power.
  
 * It could be considered unintuitive that single quoted strings do not support variable substitution, but single backticks do. This is something that is only covered in the user contributed notes (EN). * It could be considered unintuitive that single quoted strings do not support variable substitution, but single backticks do. This is something that is only covered in the user contributed notes (EN).
  
-* It could be considered unintuitive that backticks already rely on the security settings for shell_exec despite not being obviously connected +* It could be considered unintuitive that backticks already rely on the safe-mode and disabled-function settings for shell_exec, and while this is documented, without viewing the php-src it is not immediately obvious why (AST compilation re-writes to a user function call)
  
 +* Certain language keyboards have no native key for backtick (An example provided by Girgias is the French AZERTY keyboard where you need to hold Alt GR + 7 + one or two Spacebar presses).
 +
 +===== Arguments Against =====
 +
 +* Backticks allow a combination of double-quotes and interpolation without needing to escape the double quotes. 
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
Line 33: Line 40:
 Should the operator eventually be removed, there would be a BC break that would require code using it to be updated to reflect the alternative mechanisms documented in "Program Execution Functions", specifically shell_exec which is functionally identical.  Should the operator eventually be removed, there would be a BC break that would require code using it to be updated to reflect the alternative mechanisms documented in "Program Execution Functions", specifically shell_exec which is functionally identical. 
  
-For most cases, this should be an easy upgrade route as there is a 1-to-1 replacement between `expression` and shell_exec("expression"), and should complete removal eventually become viable, scripts could be provided (as well as plugins for existing code re-writers) that would make this a trivial operation to upgrade+For most cases, this should be an easy upgrade route as there is a 1-to-1 replacement between `expression` and shell_exec("expression") (Note: As noted in arguments against, inline double quotes must be escaped), and should complete removal eventually become viable, scripts are already available to migrate, such as CS-Fixer with the backtick_to_shell_exec flag, see https://github.com/FriendsOfPHP/PHP-CS-Fixer.
  
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
Line 46: Line 53:
  
  
-===== Proposed Voting Choices ===== +===== Vote ===== 
-Yes / No vote to deprecate the backtick operator requiring a 2/3rds majority.+Voting started 2019-10-31 and will end 2019-11-15. A 2/majority is required. 
 + 
 +<doodle title="Deprecate backtick operator in PHP 8.0?" auth="marandall" voteType="single" closed="true"> 
 +   * Yes 
 +   * No 
 +</doodle> 
  
 ===== References ===== ===== References =====
rfc/deprecate-backtick-operator-v2.1570203170.txt.gz · Last modified: 2019/10/04 15:32 by marandall