>
> I do not see any appealing reason to add yet another set of include
> function/ops, even less for ini settings.
>
> My reasoning is simple. Nothing we can do will prevent one or the
> other from shooting himself in each knee, many times.
>
> While trying to protect them from doing include $foo where $foo ==
> "somereallybadpath", he will pretty much do the same with echo
> file_get_contents($foo);
>
> The history of PHP magic security issues tells me one thing: we should
> leave that to the OS level and report the errors the IO layers return
> when it fails.
>

True. The time when magic $_GET or similar file inclusions were a "common
pattern" is (or should be) gone,
especially since psr0/psr4/composer/... came up.

I think it would be more worthwhile to include something like this:
https://wiki.php.net/rfc/escaper
