Should explode
on literal-string returns a array<literal-string>
#10935
Replies: 1 comment 6 replies
-
Hi Vincent, Thanks for looking at these things, I really appreciate it. As to In short, I'm trying to avoid the problem of trying to work out which functions should be allowed or not (each function added to the list could have unintended consequences). If you look at the Python LiteralString implementation, it has a fairly long list of methods that preserve LiteralString, and as far as I'm aware, this has been the only complaint against PEP 675 - i.e. it's too complicated, and we don't know that they are all safe, e.g. While string concatenation is nearly always fine (joining trusted strings together, as often happens with HTML and SQL) there is a very small risk with the security guarantees (e.g. a developer could create an array of single character values, and allow user input to create a $url = substr('https://example.com/js/a.js?v=55', 0, $length);
$html = substr('<a href="#">#</a>', 0, $length); i.e. If https://wiki.php.net/rfc/literal_string#string_splitting And that's why I'm trying to avoid any functions from being able to return a That said, if there is a really good case to break this simple rule (concatenation only), I'd be happy to discuss it. Craig |
Beta Was this translation helpful? Give feedback.
-
Hi @craigfrancis
I don't know a good place for such discussion.
Since PHPStan enforcing
literal-string
and you already participated on some topics, I think here can be ok.Since
implode
onarray<literal-string>
returns aliteral-string
.Couldn't we consider that the opposite on
explode
is true ?Currently it's annoying for static analysis that
explode(',', implode(',', $literalString))
lose the literal-string type.I know there is currently nothing about
explode
in theis_literal
RFC https://wiki.php.net/rfc/is_literalbut, unless I misunderstood this one was refused/postponed and is still not implemented in PHP 8.3.
So we should consider that
WDYT about adding
explode
in the RFC ? Then PHPStan could update the DynamicReturnTypeExtension.In the same way, there is the
trim
method which can be consider as the opposite of concatenation.Beta Was this translation helpful? Give feedback.
All reactions