The current text in the migration guide about the deprecation of `libxml_disable_entity_loader()` is misleading and can easily lead to the introduction of XXE vulnerable code.
In select circumstances, when `LIBXML_NOENT` is used, code can still be vulnerable to XXE attacks, even on PHP 8.0.
So I'm proposing to add an appropriate warning and mention the upgrade path in the migration guide.
Includes fixing a typo on the `libxml_disable_entity_loader()` page.
Co-authored-by: jrfnl <jrfnl@users.noreply.github.com>
- People expect this function to work miracles. Add some examples
of why that's not possible. Hat tip to this FAQ for the cipher
comparison: https://chardet.readthedocs.io/en/latest/faq.html
- The strict parameter wasn't really explained at all. I *think*
this is what it actually does.
- General expansion and grammar fixes (I suspect the original
author didn't speak English as a first language, which makes
sense since the mbstring extension originated in Japan).
As of PHP 8.0, `abstract private` methods are allowed in `trait`s. `abstract public` method were previously already supported.
Co-authored-by: jrfnl <jrfnl@users.noreply.github.com>
It is a known issue that spaces are not escaped in shell commands, which can be especially problematic on Windows.
This adds a warning about this behaviour to the function, including a way to solve this in userland code.
Ref: https://bugs.php.net/bug.php?id=43261 (last two comments)
Also see: https://github.com/squizlabs/PHP_CodeSniffer/pull/3214
Co-authored-by: jrfnl <jrfnl@users.noreply.github.com>
Spotted this when using PhpStorm's documentation which incorrectly typehints an Exception - use of this as Exception could cause a TypeError if a non-Exception Throwable is returned.
Co-authored-by: Christoph M. Becker <cmbecker69@gmx.de>
Closes GH-463.
* Tidy up the alias situation
It should look the same as https://www.php.net/manual/en/function.mysqli-set-opt.php
* Add "produce" word
Copied from MySQL manual
* Removed old note
This was changed some time back around PHP 7.3. In PHP 8 all of these warnings have been converted to Errors and the function doesn't return NULL or FALSE anymore.
* Revert Doc Bug #55757
I'm sorry, but this note doesn't belong here. It is absolutely useless to point it out in this particular place. People migrating from mysql_* API have to do a lot more work than ensuring their escaping function works. This might have been added as a comment, but it should not be part of the official doc page.
* Provide more reasonable example
* Remove mysqli_character_set_name from See also
Closes GH-498.
