On Fri, May 18, 2007 6:47 pm, Cristian Rodriguez wrote:
> 2007/5/18, Greg Beaver <[EMAIL PROTECTED]>:
>
>> <?php
>> include $_GET['dumb'];
>> ?>
>>
>
> What about permanently removing this (mis) "feature" ?? , I'm yet to
> hear any valid reason or example to continue to permit this remote
> include thingy, all examples I have seen are bogus and broken.. does
> anyone really think there are valid use cases ? (note that I'm talking
> about include* and require* only ;) )

There are some limited valid uses on an Intranet where a single master source of some high-level include files is maintained on a separate server...

That's pretty trivial to work-around with rsync or similar, though, so I don't know that this is a deal-breaker for anybody...

There are some folks who might have a valid white-list approach with PCRE for what they include, and pass it around as a variable, however. Especially those who are into highly-dynamic languages, with zillions of include files.

I'm not sure how you'd get rid of only $_GET and friends but keep any regular old variables without something like the "taint" model that was proposed and, I think, still being worked on.
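
Added example, not part of the original message or of PHP itself: one way to implement the PCRE white-list approach mentioned in the reply, as the hardened counterpart of the quoted `include $_GET['dumb'];`. The function name resolve_include, the temporary module directory and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example (not from the thread). Names, paths and inputs are constructed.

// Hypothetical helper: map a request parameter to a local include file,
// or return null when the value is not on the allow-list.
function resolve_include(string $name, string $baseDir): ?string
{
    // \A...\z anchors the whole string ("$" alone would accept a trailing "\n").
    // Only lowercase letters, digits and underscore are allowed: no "/", ".",
    // ":" or NUL, so "../" traversal and "scheme://" values cannot match.
    if (preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    // realpath() resolves symlinks; the result must still sit under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed fixture: a temporary module directory holding one page.
$dir = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/news.php', "<?php echo \"news module loaded\\n\";");

// Constructed inputs standing in for $_GET['dumb'].
$samples = ['news', 'missing', '../news', "news\n", 'http://example.invalid/x', 'news.php'];
foreach ($samples as $value) {
    $file = resolve_include($value, $dir);
    $shown = json_encode($value, JSON_UNESCAPED_SLASHES);
    printf("%-28s => %s\n", $shown, $file === null ? 'rejected' : 'included');
    if ($file !== null) {
        include $file; // only a path the allow-list resolved ever reaches include
    }
}

// Remove the fixture.
unlink($dir . '/news.php');
rmdir($dir);
```

The value from the request never reaches include directly; only the path returned by the allow-list check does, and a value that fails the pattern or resolves outside the module directory is dropped.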