On 07/04/12 22:48, Yasuo Ohgaki wrote:
> Hi,
>
> The only valid reason for removing <?php from PHP script would be
> security.
>
> Since the null byte detection for fopen, remote/local script inclusion
> became much harder than before. However, it's still possible and very
> easy compared to other languages. Script execution is a critical security
> problem and it's worth making it better.
>
> If there is a switch that turns off PHP's template engine nature, PHP
> could be more secure than now.
>
> php.ini
> template_mode = on ; INI_ALL On by default
>
> php -t foo.php # template mode by default
> php -T foo.php # template mode off
>
> People have the option to make their code a little more secure than now
> or stick with current behavior.
>
> Regards,

How does it help security? If anything, requiring '<?php' before executable code makes it easier to filter out malicious files on apps with uploads in case there's a local inclusion vulnerability somewhere.

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
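
The filtering argument in the reply above, as an added example that is not part of the thread or of PHP itself: an upload check that rejects files containing any PHP opening-tag form, run over a sample written without a tag to show that the check then has nothing to match. The function name `find_php_open_tags()` and all sample byte strings are constructed for illustration, and tag matching is assumed to be one layer of an upload policy rather than the whole control.

```php
<?php
// Added example: report which PHP opening-tag forms appear in uploaded bytes.
// find_php_open_tags() and the sample strings are constructed for illustration.

function find_php_open_tags(string $bytes): array
{
    $patterns = [
        'long tag'   => '/<\?php(?=\s|$)/i',
        'echo tag'   => '/<\?=/',
        // Only parsed as code when short_open_tag is enabled.
        'short tag'  => '/<\?(?=\s)/',
        // Accepted by PHP 5, removed in PHP 7.
        'script tag' => '/<script\s+language\s*=\s*["\']?php["\']?\s*>/i',
    ];

    $hits = [];
    foreach ($patterns as $label => $regex) {
        if (preg_match($regex, $bytes) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Constructed samples; the embedded statements are harmless markers.
$samples = [
    'image with appended code' => 'GIF89a' . "\x01\x00\x01\x00" . '<?php echo "marker"; ?>',
    'plain image bytes'        => 'GIF89a' . "\x01\x00\x01\x00\x80\x00\x00",
    'xml document'             => '<?xml version="1.0"?><root/>',
    // What a script written for the proposed tag-less mode would look like:
    'code without any tag'     => 'echo "marker";',
];

foreach ($samples as $name => $bytes) {
    $hits = find_php_open_tags($bytes);
    printf("%-26s %s\n", $name, $hits ? 'REJECT (' . implode(', ', $hits) . ')' : 'no open tag found');
}
```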