> Honestly, I don't see how allowing exec/passthru/proc_open is a security risk.
> These are just tools. We're talking about programming language - if you're
> running PHP script as user X you should expect that it could do anything that
> user X can do. If you don't trust this script, just don't run it

Depends on how you look at it: is exec($_GET['param']) the language's responsibility or the programmer's?

On the same level you can then expect that programmer X always uses '<?php', and then in no way does this historical alias impact his ability to use whatever existing or new features or language constructs will be implemented in the future.

> https://www.php.net/manual/en/language.basic-syntax.phptags.php
>
> "PHP also allows for short open tag <? (which is discouraged since it is only
> available if enabled using the short_open_tag php.ini configuration file
> directive, or if PHP was configured with the --enable-short-tags option)."

Which is actually the other way around - enabled by default / disabled if configured via ini.

It feels like most people who argue about the feature (and are not in the "burn it with fire and everyone who uses them should just go away" camp) would be fine (enough) if it aligned with what's written in the documentation and they then made a deliberate decision to enable those.

rr

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php