hi, On Thu, Feb 5, 2015 at 8:53 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote: > Hi all, > > I would like to discuss my "must have it in PHP 7" item. > > PHP RFC: script() and script_once() > https://wiki.php.net/rfc/script_and_script_once > > I have proposed similar RFC before. > Optional PHP tags by php.ini and CLI options > https://wiki.php.net/rfc/nophptags > > Compare to older proposal, it does not have issues like > possible script exposure by accident. > > Please keep in mind that this discussion is not for > "Optional PHP tags by php.ini and CLI options". > > Thank you all.
I do not see any appealing reason to add yet another set of include function/ops, even less for ini settings. My reasoning is simple. Nothing we can do will prevent one or the other to shoot himself in each knees, many times. While trying to protect them to do include $foo where $foo == "somereallybadpath", he will pretty much do the same with echo file_get_contents($foo); The history of php magic security issues tell me one thing, we should leave that to the OS level and reports error the IO layers return, when it fails. Cheers, -- Pierre @pierrejoye | http://www.libgd.org -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
