On Wed, April 11, 2012 12:25 am, Stas Malyshev wrote:
> Hi!
>
>> I'm sure you have seen the same code in JSON hijack countermeasure.
>>
>> while(1){}
>
> I think you misunderstood what I mean. What I meant is you can inject
> code without <? the same way you can inject code with <?, so where's
> the improvement?
> kill() function would be just an example of code being injected by
> hostile third party (intent on killing your server, presumably). If I
> can inject it with <?, what prevents me from injecting without <? ?

Actually, it makes it worse.

I can search for '<?php' (no short open tags) or '<?=' and reject
without the new feature.

Without the new feature, no easy way to detect it contains PHP code.

-- 
brain cancer update:
http://richardlynch.blogspot.com/search/label/brain%20tumor
Donate:
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE
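
The open-tag search described in the reply above, written out as an added example (not code from this thread or from PHP itself). The function name `find_php_open_tags`, its `$alsoShortTags` parameter and the sample inputs are assumptions made for illustration; the `<script language="php">` form is included because PHP 5 also accepted it.

```php
<?php
// Added example: scan untrusted data for PHP open tags before storing it
// anywhere the interpreter could later include it.

/**
 * Return every PHP open tag found in $data with its byte offset.
 * With $alsoShortTags = true a bare "<?" is flagged as well (relevant when
 * short_open_tag is On); note that this also matches an "<?xml" prolog.
 */
function find_php_open_tags(string $data, bool $alsoShortTags = false): array
{
    // <script language="php"> was a valid open tag in PHP 5.
    $script = '<script\s+language\s*=\s*["\']?php["\']?\s*>';
    // "<?php" and "<?=" always; "<?" alone only when requested.
    $open = $alsoShortTags ? '<\?(?:php|=)?' : '<\?(?:php|=)';
    $pattern = '/' . $open . '|' . $script . '/i'; // tags are case-insensitive

    $hits = [];
    if (preg_match_all($pattern, $data, $m, PREG_OFFSET_CAPTURE)) {
        foreach ($m[0] as [$tag, $offset]) {
            $hits[] = ['offset' => $offset, 'tag' => $tag];
        }
    }
    return $hits;
}

// Constructed sample inputs, not taken from the thread.
$samples = [
    'plain text' => "hello world\n",
    'full tag'   => "data<?php echo 1; ?>",
    'echo tag'   => "<p><?= \$x ?></p>",
    'upper case' => "<?PHP echo 1;",
    'script tag' => "<script language=\"php\">echo 1;</script>",
    'xml prolog' => "<?xml version=\"1.0\"?><a/>",
];

foreach ($samples as $name => $data) {
    $hits = find_php_open_tags($data);
    $verdict = $hits
        ? sprintf('REJECT (%s at offset %d)', $hits[0]['tag'], $hits[0]['offset'])
        : 'accept';
    printf("%-11s %s\n", $name, $verdict);
}
```

The check depends on the marker being present: content that the interpreter would treat as code without any open tag gives this function nothing to match.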



-- 
PHP Internals - PHP Runtime Development Mailing List