php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #47306 don't allow non-printable characters in constant names
Submitted: 2009-02-04 16:18 UTC Modified: 2009-02-09 13:20 UTC
From: michael dot buergi at zhdk dot ch Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 5.2.8 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: michael dot buergi at zhdk dot ch
New email:
PHP Version: OS:

 

 [2009-02-04 16:18 UTC] michael dot buergi at zhdk dot ch 
Description:
------------
current situation:

Since PHP allows the characters 0x7f through 0xff in constant names, you can create constant names that contain non-printable characters - like the non-breaking space (NBSP) chr(160)!

Sadly, any PHP-IDE (p.e. the Zend Studio for Eclipse) or editor that I have checked with recognises NBSP as whitespace. So this seems to be a perfect way to sabotage someones code. Just replace an ordinary space with NBSP and you are screwed.

I pasted a small php script into "reproduce code" that defines a constant and echoes it two times, as it seems. But since there is a NBSP in front of the constant's name, PHP just echoes "?SOME_CONST".
the second echo is completely ignored since it searches for the constant "echo?SOME_CONST". 


Motivation:

Look at the sample script in a PHP editor and you won't find any error.

Only in case you have E_NOTICE reporting turned on (which I don't) you would eventually find the mistake.


change request:

Having non-printable characters in constant names seems to be a bad idea for me. therefore I request that not the whole 0x7f-0xff character range could be used in constant names, but just the sane ones.

And since I'm already here, why not raise the error-level from "notice" to "warning" if a constant's name is not found? You could introduce a php.ini flag that controls this behaviour.


Thank you very much and kind regards
Michael


Reproduce code:
---------------
<?php

error_reporting(E_ALL);

define('SOME_CONST', 'foobar');
echo ?SOME_CONST;
echo?SOME_CONST;

?>

Expected result:
----------------
foobarfoobar

Actual result:
--------------
?SOME_CONST

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-02-06 22:40 UTC] johannes@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You can atually use any characters as constant name and if you can\'t trust your developers you have way bigger issues ...
 [2009-02-09 13:20 UTC] michael dot buergi at zhdk dot ch 
Dear Johannes

Please take the time to read my feature request again and then give some feedback. It has taken me quite some time to post this feature request. So I expect that you take it seriously.

You wrote "...this is not a bug.". Of course not, it's a feature request. Since I read the documentation beforehand. So I didn't need the link that you provided me.

You wrote "You can atually use any characters as constant name". Besides that sentence not being correct in respect to the documentation, this is simply the point of this feature request, isn't it? It's a bad idea being able to use "any character as constant name" - in particular white space characters like NBSP. 

Your wrote "if you can\'t trust your developers you have way bigger issues". Ok, let's forget about that comment on sabotage. It's important to note that most NBSPs in PHP programs are there by mistake - p.e. by copy/pasting from a website or pressing alt-space (instead of just space) on a mac which can happen even to the most trusted developers.

regards
Michael
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Mon Apr 29 19:01:30 2024 UTC