> It's easy to say "write correct code. Don't write stupid code", but
> we cannot enforce it in the real world.
>
> I'm concerned about both arbitrary script execution and arbitrary
> information disclosure. Good examples are LFI and SQL injection
> attacks.

Uh yeah there is. I won't employ someone who insists on writing code like this. I don't know anyone who will. I also won't use libraries that have code like this. Not only is it insecure but an improper use of these constructs/functions.

All this has nothing to do with Tom's RFC. It has nothing to do with having a <?php tag or not.

I would actually suggest that require/include stop supporting remote files altogether. But that can be a different RFC.

This "security problem" isn't a problem with common sense.

Luke

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php