On 16.06.2016 at 20:55, Fleshgrinder wrote:

> Education is a hard problem that the whole world is struggling with. We
> will never achieve it. We will especially not achieve convincing people
> of legacy software to change. Heck, we cannot even convince anyone here
> to change legacy stuff. Hence, if rand and friends stay, they will
> continue to help people to produce insecure software.
Consequently, we should remove rot13() as well, see <http://news.php.net/php.notes/205744>. And we shouldn't stop there, as include(_once), require(_once), file_get_contents() and readfile() bear the risk of file inclusion vulnerabilities … ;)

In my opinion, our job when designing the language and the core libraries is not to avoid (or remove) features that can be used to produce insecure software, but rather to offer additional features that make it easier to produce secure software, and to document potential issues and hint at better alternatives. random_*() is such an addition, and I don't see an urgent need to get rid of (mt_)rand().

--
Christoph M. Becker

--
PHP Internals - PHP Runtime Development Mailing List
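The contrast Christoph draws between (mt_)rand() and the random_*() additions, as an added example that is not part of the thread: a token built from the seedable Mersenne Twister is fully determined by its seed, while random_bytes()/random_int() draw from the OS CSPRNG and fail loudly rather than degrade. The function names legacyToken and secureToken and the seed value are assumptions made for the illustration.

```php
<?php
// Added example (not from the mailing-list thread): legacy mt_rand() token
// generation beside the random_*() replacement that PHP 7 introduced.

// Legacy: a token assembled from mt_rand(). Because the generator is seeded
// from application state, two runs with the same seed yield the same token.
function legacyToken(int $seed, int $length = 16): string {
    mt_srand($seed);               // seed value here is a constructed example
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= dechex(mt_rand(0, 15));
    }
    return $token;
}

// Hardened: a token from random_bytes(), backed by the OS CSPRNG. If no
// secure source is available it throws an Exception instead of returning
// weak output, so callers cannot silently fall back to predictable values.
function secureToken(int $bytes = 16): string {
    return bin2hex(random_bytes($bytes));
}

// Drop-in replacement for a rand()/mt_rand() range, e.g. a six-digit
// one-time code: random_int() is uniform and CSPRNG-backed.
function secureOneTimeCode(): string {
    return str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
}

// Demonstration: identical seeds reproduce the legacy token exactly,
// whereas two secure tokens never coincide in practice.
$a = legacyToken(12345);
$b = legacyToken(12345);
echo "legacy tokens identical for the same seed: " . var_export($a === $b, true) . "\n";

$c = secureToken();
$d = secureToken();
echo "secure tokens identical: " . var_export($c === $d, true) . "\n";
echo "one-time code: " . secureOneTimeCode() . "\n";
```

Run with `php example.php` on PHP 7.0 or later. The point for reviewers is the one the message makes: random_bytes()/random_int() exist precisely so that code needing unpredictable values has a documented alternative, and a code review or static rule that flags (mt_)rand() in token, nonce, or password-reset paths is the practical way to steer people to it.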