On Wed, April 11, 2012 12:25 am, Stas Malyshev wrote:
> Hi!
>
>> I'm sure you have seen the same code in JSON hijack countermeasure.
>>
>> while(1){}
>
> I think you misunderstood what I mean. What I meant is you can inject
> code without <? the same way you can inject code with <?, so where's
> the improvement?
> kill() function would be just an example of code being injected by
> hostile third party (intent on killing your server, presumably). If I
> can inject it with <?, what prevents me from injecting without <? ?

Actually, it makes it worse.

I can search for '<?php' (no short open tags) or '<?=' and reject without the new feature. Without the new feature, no easy way to detect it contains PHP code.

--
brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor
Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
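
The check described in the reply above, scanning untrusted content for PHP open tags so it can be rejected, as an added example that is not part of the original message or of PHP itself. The function name `findPhpOpenTags`, its `$shortOpenTags` parameter and the sample strings are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Return every PHP open tag found in untrusted content, with its byte offset.
 * Hypothetical helper. With $shortOpenTags = true a bare "<?" is reported as
 * well (for servers running with short_open_tag enabled); that also reports
 * "<?xml" declarations, so callers that accept XML must allow for it.
 */
function findPhpOpenTags(string $content, bool $shortOpenTags = false): array
{
    // "<?php" is matched case-insensitively; "<?=" is the echo tag.
    // Anything after the tag is ignored on purpose: the filter over-reports
    // rather than guessing how the server's lexer is configured.
    $pattern = $shortOpenTags ? '/<\?(?:php|=)?/i' : '/<\?(?:php|=)/i';

    $hits = [];
    if (preg_match_all($pattern, $content, $m, PREG_OFFSET_CAPTURE) > 0) {
        foreach ($m[0] as [$tag, $offset]) {
            $hits[] = ['tag' => $tag, 'offset' => $offset];
        }
    }
    return $hits;
}

// Constructed sample inputs, not taken from the thread.
$samples = [
    'plain markup'       => 'hello <b>world</b>',
    'tag after a header' => 'GIF89a<?PHP echo 1; ?>',
    'echo tag'           => '<p><?= $x ?></p>',
    'short tag'          => '<? echo 1; ?>',
    // Code with no open tag at all: the scan has nothing to match, which is
    // the detection gap the reply describes for tagless PHP files.
    'tagless code'       => 'echo 1;',
];

foreach ($samples as $label => $content) {
    $default = findPhpOpenTags($content);
    $strict  = findPhpOpenTags($content, true);
    printf(
        "%-20s default=%-6s with-short-tags=%s\n",
        $label,
        $default ? 'REJECT' : 'accept',
        $strict ? 'REJECT' : 'accept'
    );
}
```

Only the 'short tag' sample changes verdict between the two modes; the 'tagless code' sample is accepted in both, because there is no marker to search for.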