On Apr 9, 2012, at 10:03 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> I strongly discourage setting allow_url_include=on, too.

Good.

> Enabling it only when it is needed is okay.

No it's not. There is no reason to do so other than backwards compatibility for very old code.

> I think you are concerned about security,

Absolutely.

> so you could agree to have
> option for disabling embedded mode by option, couldn't you?

Sure it can be an option. But it can't be the default, at least right away. It's unreasonable. I would prefer an environmental variable to choose the mode though. I'm not opposed to a php.ini option, but some people are (If by embedded mode you mean template mode, and non-embedded mode as "pure code mode").

I still fail to see what this has to do with allow_url_include.

> Letting programmers decide what to do

Not in all cases.

> Programming languages should give freedom to write suicide code
> more or less.

No, it shouldn't.

All that you've said comes down to this: Don't write bad code. Configure your web server properly. The RFC isn't meant to address these issues, and quite frankly it isn't a core PHP issue. It's no different than any language with an eval() statement.

Keep in mind an RFC isn't gospel. And it's still being drafted. We need to give Tom a chance to finish it.

Luke

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php