

PSA: How php enhanced security of unserialize function in version 7 - thrownear

https://www.reddit.com/r/PHP/comments/3j88v4/something_about_php_7_i_just_saw_in_rlolphp_why/

This might be a small thing. But I think this is a very good indicator of how
poorly thought out the features that are being added to the language are. I
could catch this by a casual glance at the new features. Imagine how many
horrors will be hidden deep in it.

I am making this post to make people look into the matter and to decide for
themselves if they want to subscribe to the hype php's marketing machinery is
generating for version 7. Also, this shows how the community views these
issues. They just don't see anything wrong with it.

Posts like this that expose bad things about the language are downvoted and
posters often banned without a warning from /r/php.

Even civil comments that speak against big names in the community are blindly
downvoted and hidden. See this thread [1].

So just be warned. The language is as bad as ever. The community, even the
best part of it, is still ages behind. Both in thought and in practices.

[1] https://www.reddit.com/r/PHP/comments/3j4p3u/rfc_short_closures_for_71/cumnfs6
======
gcb0
meh.

it's opt-in to downgrade security. so typos, wrong data, etc would keep the
good safety.

it's backward compatible.

and above all, if you really cared you would have written at least a decent
use case that actually serialized a single class and submitted to places the
devs look, like the several anonymous forms on the site.

php is the most convenient project to send bugs to. zero logins. but you
choose reddit and hacker news

~~~
thrownear
>it's opt-in to downgrade security. so typos, wrong data, etc would keep the
good safety...

Not sure I follow. Please explain.

>if you really cared you would have written at least a decent us..

And the point is not about fixing this issue. The point is to show that
php development still follows the same path that it has been following
since the beginning. The same path that resulted in so many weird behaviors
and pitfalls. I don't see any reason why the language can be thought of as
'improving'. As claimed by legions of php users. Please note that I don't
consider simply increasing the feature count of the language as 'improving'.

>php is the most convenient project to send bugs to. zero logins. but you
choose reddit and hacker news

I really don't care about improving the language because I don't think it is
possible. It is a lost cause. The only thing that can be done is to spread
awareness of its gross inferiority.

