Hi! > I have to at least php:// > php://input or php://stdin > allows attacker script execution via POST if it's allowed > by allow_url_include=On.
allow_url_include=On means it's allowed. That's what "on" setting is for. Production setting should always be "off". -- Stas Malyshev smalys...@gmail.com -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php