• Frist (unregistered)


  • Brian Boorman (google)

    < php create_function ($m, 'echo "secnod, because frist is wrong"') ? >

  • Little Bobby Tables (unregistered)

    create_function('invent new regular expression language')

  • Rigrig (unregistered)

    There is a reason for the while loop: after $content is mangled it can match in new and interesting ways (especially as it is unescaping things).

  • LCrawford (unregistered)

    I haven't parsed this, but the while() loop allows for nested PHP markup?

  • Loren Pechtel (google) in reply to Rigrig

    That was my first thought, also--the replacement might add something more that can be replaced.

    What really worries me here is what is the source of whatever's being processed here? Is the client in any way involved?

  • (nodebb)

    Chances are, they're having to loop the regular expression because it's only catching the outermost instance. So if, for instance, you had (and the regex replaced the tags with square-bracketed versions):


    The first iteration would give you:


    The second would give you:


    And so on.

  • siciac (unregistered)

    It is PHP, which doesn’t automatically make it bad

    From the comments:

    As was stated previously, the allocated memory is never released; they are not objects in PHP -- they are just dynamically named global functions -- so they don't have scope and are not subject to garbage collection.

    I agree it's not automation making PHP bad as much as some kind of demonic influence to always do the worst possible thing.

  • Turtle (unregistered) in reply to LCrawford

    It is PHP all the way down. That's what "PHP" stands for.

  • (nodebb) in reply to siciac

    The comment you quoted does not evoke the true horror this feature. This does, quoted from the same manual page:

    Mine ended up in an iteration over ~1 million records and quickly exhasted my 500MB-per-process limit.

    See if you run that code in a loop, every cycle creates a new Anonymous function that consumes memory that can never be reclaimed. The creator of create_function is truly evil, also demented.

  • Lucio Crusca (unregistered) in reply to Loren Pechtel

    Unfortunately yes, the $content parameter was coming straight and not sanitized from a client side editor panel...

  • siciac (unregistered) in reply to CoyneTheDup

    Maybe they thought they could fix it the way this comment suggested:

    function create_lambda($args, $code) {
        static $func;
        if (!isset($func[$args][$code])) {
            $func[$args][$code] = create_function($args, $code);
        return $func[$args][$code];
  • (nodebb) in reply to siciac

    Many many sins in PHP's development were committed with the excuse that a process that exists to serve a single web page wouldn't be running for very long anyway.

  • Little Bobby Tables (unregistered) in reply to Turtle

    I thought it stood for "Pretty Horrible Programs".

  • Turtle (unregistered) in reply to Little Bobby Tables

    You got it almost right. It's "PHP Horrible Programs".

Leave a comment on “A Quick Replacement”

Log In or post as a guest

Replying to comment #496095:

« Return to Article