Re: [PHP-DEV] [RFC] Optional PHP tags by php.ini and CLI options (Ver. 1.4)
Hi, 2012/5/6 Richard Lynch c...@l-i-e.com: On Wed, April 11, 2012 5:14 pm, Yasuo Ohgaki wrote: I think my RFC confused people on this list due to improper descriptions and too much information. Sorry for the confusion. I revised the RFC so that most important points can be understood at a glance. https://wiki.php.net/rfc/nophptags We all know there are a LOT of bad scripts out there. A *LOT* of bad scripts. With major security holes in them. I do not see your average PHP scripter changing that behavior: It's just so easy to write a PHP script, which is why it's so popular. Now, you are going to open up all the inexperienced scripters to code exposure when they start using this cool new feature of being lazy and not typing that silly ?php tag. And that code being exposed will have major security holes in it. This is just not a good idea... PHP users are used to this. You know short tags and they are optional. Besides, ?php may always be top of scripts and wrong configuration can be detected by simply viewing scripts. LFI is more serious, since it's involves arbitrarily code execution (i.e. fatal security error) and may not be detected by simple code search. It would be much better to have this from security point of view. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] [RFC] Optional PHP tags by php.ini and CLI options (Ver. 1.4)
On Wed, April 11, 2012 5:14 pm, Yasuo Ohgaki wrote: I think my RFC confused people on this list due to improper descriptions and too much information. Sorry for the confusion. I revised the RFC so that most important points can be understood at a glance. https://wiki.php.net/rfc/nophptags We all know there are a LOT of bad scripts out there. A *LOT* of bad scripts. With major security holes in them. I do not see your average PHP scripter changing that behavior: It's just so easy to write a PHP script, which is why it's so popular. Now, you are going to open up all the inexperienced scripters to code exposure when they start using this cool new feature of being lazy and not typing that silly ?php tag. And that code being exposed will have major security holes in it. This is just not a good idea... Instead of random bots attacking random URLs hoping to hit pay dirt for an SQL injection, you will have bots that: Use google to find stuff that looks like raw PHP code. Scape page to look for mysql.*$_POST Attack site. Unless I'm really missing something here, you put a few million people's code at risk, for a feature that has dubious value in the first place. -- brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclickhosted_button_id=FS9NLTNEEKWBE -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php