On 18 May 2022, at 18:43, Christoph M. Becker <cmbecke...@gmx.de> wrote:
> On 18.05.2022 at 18:37, Craig Francis wrote:
>> I would hope both are very rare, but I'm still writing up reports about
>> developers doing things like `file_put_contents('/tmp/' . $_POST['id'],
>> $_POST['message'])`, so I don't have a lot of hope.
>
> Right. And no amount of magic features implemented by a language or library
> will prevent such issues completely. It might not have been the best idea to
> make PHP so beginner friendly.

True, but some features can catch or help limit the damage from some mistakes (e.g. CSP), as mistakes can be made by any developer (no one writes 100% secure code); and `magic_quotes` was not on that list.

Also, while I appreciate your sentiment (I feel it all too often), overall I prefer having loads of beginners that are learning and guided by the language/tooling, so they eventually become experienced developers for a popular language :-)

Craig

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
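
The `file_put_contents('/tmp/' . $_POST['id'], $_POST['message'])` pattern quoted in the thread, shown beside a constrained version. This is an added example, not code from the thread or from PHP itself; the function names, `MESSAGE_DIR`, the id pattern and the size limit are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical storage directory for this example; not from the thread.
const MESSAGE_DIR = '/var/lib/example-app/messages';

// The pattern quoted in the thread (defined for comparison, never called here):
// the request chooses the file name, so an id containing "../" segments
// resolves outside /tmp, and the message body is written unchecked.
function save_message_unsafe(array $post): void
{
    file_put_contents('/tmp/' . $post['id'], $post['message']);
}

// Constrained version: the id must match a strict allow-list pattern that
// excludes path separators, dots and NUL bytes, so the resulting path cannot
// leave the base directory; the message must be a size-limited string.
function save_message(array $post, string $baseDir = MESSAGE_DIR): string
{
    $id = $post['id'] ?? null;
    $message = $post['message'] ?? null;
    if (!is_string($id) || preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id) !== 1) {
        throw new InvalidArgumentException('Invalid id');
    }
    if (!is_string($message) || strlen($message) > 65536) {
        throw new InvalidArgumentException('Invalid message');
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('Storage directory is missing');
    }
    $path = $base . DIRECTORY_SEPARATOR . $id . '.txt';
    if (file_put_contents($path, $message, LOCK_EX) === false) {
        throw new RuntimeException('Write failed');
    }
    return $path;
}

// Constructed inputs: one acceptable id, one with path segments, one empty.
$dir = sys_get_temp_dir() . '/msg-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
foreach (['note_42', '../outside', ''] as $id) {
    try {
        echo 'stored: ', save_message(['id' => $id, 'message' => 'hello'], $dir), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($id, true), "\n";
    }
}
```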