Hi all, On Mon, Mar 16, 2015 at 3:03 PM, Matthew Leverton <lever...@gmail.com> wrote:
> On Mon, Mar 16, 2015 at 12:55 AM, Xinchen Hui <larue...@php.net> wrote: > > That is why I don't see it before (thousand times, too long to read... > > but not in RFC) > > > It's in the RFC: "Whether or not the function being called was > declared in a file that uses strict or weak type checking is > irrelevant. The type checking mode depends on the file where the > function is called." > This is one of the point I most dislike. Caller _must_ satisfy callee requirements. This is simple principle to write a secure code. With this RFC, caller overrides security related setting. This means scripts that are prepared for type safety is "ignored" and it leads security breach. It's just like turning on/off register_globals and allow_url_include by caller. It cannot be right... IMHO. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net
