Hi!

>> I'm not sure I follow - which PHP vulnerability you are talking about?
> 
> Local file includes. (LFI)

I'm not sure I understand - where's the vulnerability?

> There is a null byte protection for LFI and I really like the protection.
> It's also beneficial to other problems. However, it would not help code
> like "include $_REQUEST['var']"

Don't write such code. It's like saying the exec() function is a
"vulnerability" in libc. You instruct PHP to run code based on user
input - that's what PHP will be doing, it's not a "vulnerability" by any
definition.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
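
The contrast discussed in this message, as an added example that is not part of the original thread or of PHP's own code: the request value selects a key in a fixed map instead of being used as the include path. The page names, the `pages/` directory, the `page` parameter and the `resolve_page()` helper are assumptions made for illustration, and the code assumes PHP 8.0 or later.

```php
<?php
// Added example, not from the thread. PAGES, resolve_page() and the pages/
// directory are hypothetical names chosen for illustration.

// Fixed map from request value to file: user input selects a key, never a path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Return the absolute path of an allowlisted page, or null if the request
 * value is not a known key.
 */
function resolve_page(mixed $requested, string $baseDir): ?string
{
    // Arrays (?page[]=x) and other non-strings are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: the resolved file must exist and sit inside $baseDir
    // (catches a symlink placed in the pages directory).
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// The pattern quoted in the thread, for contrast. Null-byte filtering does not
// change what it does: the request value is still the path that gets included.
//   include $_REQUEST['var'];

$page = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```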
