DavidIQ wrote:gnif wrote:I completely agree with and understand this, except that preg_replace_callback has existed since PHP 4.0.5 which was released 15 years ago, and phpBB3 was released 9 years ago and has gone though multiple versions since, and has ignored all the warnings from PHP 5.5 (3 years ago) onwards that the 'e' modifier is deprecated and should not be used. I stand by my comment that it is abysmal that it has not yet been updated.
Edit: The 'e' modifier has been known for over 10 years now to be dangerous and has been abused time and time again to break into websites through unexpected bugs. It's removal has been planned from the date that preg_replace_callback was added to PHP due to the security implications, and when PHP5 added Closures (anonymous functions) there was no longer any reason to retain the 'e' modifier. Every programmer on the planet should cringe at the idea of methods that parse strings as code, methods such as 'eval' should have never existed in the first place for security, performance and code maintance reasons.
I don't disagree with the fact that it should have been taken care of at some point, but they weren't warnings that were just ignored. I think that, at least in part, warnings about this not coming up in phpBB installations (albeit probably due to some code we've added) and the use of the e modifier with preg_replace not causing any security issues in the lifetime of phpBB 3.x are reasons that likely contributed to just leaving the BBCode parser alone for so long, not because we've been ignoring the warnings.
Either way, this is something that should have been fixed many years ago, deprecation warnings should be taken seriously. Perhaps they were noted, but they should have been given the highest of priorities to fix it, or atleast inform the general public of the need to stop using 'e' modifiers in bbcodes. Bakwards compatibible code could have been added that forum admins could opt into should the new code break mods/extensions. It would have provided a way for hosts to provide later PHP version options to those that requre it, or even encouraged mod/extension developers to update their code for the better performing callback method.
I agree that moving forward with platform breaking code is not acceptible, but in this instance the code that was written and released by phpBB 9 years ago was already outdated. Ignored deprecation warnings just hurts your project and turns people away from it.
For example, my client was ready to move away from phpBB3 due to its performance, even though their forum is one of the largest I have ever encountered. The quickest way to extract higher performance from it was to move to PHP7, but obvioulsy this did not work. Their reaction to the error when they saw it was that phpBB do not keep their code current, or atleast provide a means to be forward compatible.
Moving to phpBB3.3 is never likely to occur on this platform since you have redeveloped the bbcode stuff completely, the forum is too massive and too many clients to risk on a complete rewrite of code that should have just been patched as a point release.
Edit: I just re read your post sorry, "albeit probably due to some code we've added". Quite likely the case as deprecation warnings can be disabled and is often done, but if you are in a dev environment ALL warnings should be enabled to ensure your code completely complies with standards.