hi list,

I just came back from phpconference in frankfurt and had some nice
talks there with Ilia and Derick. They told me to send my following
thoughts to internals, so that you maybe can find a wise solution for
it.

as security gets more and more recognized by many people, they do
follow all the security experts' suggestions to turn the exposure
of php to OFF, as otherwise this would help hackers to find
vulnerabilities on their server (i.e. if you are running an old
php version which has security holes).
I was told to do so, too, but actually I have a very good reason to
leave it turned on: Netcraft. as far as I can see, Netcraft is
collecting its numbers from exactly this exposure. Further, I seem
to remember that in former times everybody said to turn it on, so
that Netcraft can count the server as a php server and as a result the
statistics are doing well for php.
Now have a short look at the statistics, and you will see that we
had a decrease in domains of about 1.3 million domains last month. I
can imagine that a reason for this may be that a huge provider
turned expose_php to off (but who knows). In any case, this makes
me aware of a problem: a decision between security and php's spread?

my suggestion would be to simply shorten the string that gets
exposed to "php" and not show any version numbers (or maybe leave
it to the user, say 0 for "no exposure", 1 for "only php" and 2 for
"php with version number").

what do you think?


best regards,

-Wolfgang 

--
PHP hub Dynamic Web Pages: http://www.dynamicwebpages.de/
German-language PHP certifications: http://www.phpzertifizierung.de/
Professional solutions for dynamic web publishing: http://php-buch.de/

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
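
The three exposure levels proposed in the message above, written as a check an administrator can run over their own server's response headers. This is an added example, not part of the original message: the 0/1/2 scale is the message's proposal rather than an existing PHP setting, and the function names and sample responses are constructed.

```python
import re

# A PHP product token: bare "PHP" or "PHP/<version>", as in X-Powered-By or Server.
PHP_TOKEN = re.compile(r"(?<![\w.-])PHP(?:/(\d[\w.+~-]*))?(?![\w/])", re.IGNORECASE)

# Constructed sample responses (version numbers are illustrative only).
SAMPLES = {
    "off": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>PHP/9.9</html>",
    "name_only": "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP\r\n\r\n",
    "full": ("HTTP/1.1 200 OK\r\nServer: Apache/2.0.52 (Unix) PHP/5.0.2\r\n"
             "X-Powered-By: PHP/5.0.2\r\n\r\n"),
}


def parse_headers(raw):
    """Return the header fields of a raw HTTP response as (name, value) pairs."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]  # drop the body
    fields = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    return fields


def exposure_level(raw):
    """Classify a response on the proposed scale.

    0 = no PHP token, 1 = "PHP" without a version, 2 = PHP with a version.
    Returns (level, version or None).
    """
    level = 0
    for name, value in parse_headers(raw):
        if name not in ("x-powered-by", "server"):
            continue
        for match in PHP_TOKEN.finditer(value):
            if match.group(1):
                return 2, match.group(1)  # version disclosed: worst case
            level = 1
    return level, None


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, exposure_level(raw))
```
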
