Zeev Suraski wrote:
I don't know, I think that if you aim that well you should be allowed to shoot yourself in the foot :) If we go that far, then running code from the database through eval() should also not be allowed, because it may have been indirectly written to by remote users. Which boils down to maybe allowing people to disable eval() (yet another ini entry, yay! :)
It can already be done: the disable_functions INI directive. However, this too can be bypassed ;-) Write evil remote code to a local file and then include/require it.
Ilia