At some point hitherto, Benjamin Scott hath spake thusly:
> On Thu, 7 Mar 2002, at 11:15am, [EMAIL PROTECTED] wrote:
> > I'm confused as to how this would work. The man page is talking
> > about the invocation of a specific method, i.e. the 'import_names()'
> > method.
> >
> > It sounded like things "just happened", when in fact, you must invoke
> > this method intentionally.
> For Perl, yes. PHP provides a setting which will do this automatically,
> as sort of a "global default". Obviously, having that turned on is going to
> be a really bad idea. Which is what the PHP authors were saying. They were
> not, contrary to Derek's assertion, condemning the entire language as
> insecure.

Ok that's the second time you've said that, and I won't let it slide again. I made no such assertion. What I said was precisely:

"There are also some earlier advisories which complain about the design of PHP encouraging the development of insecure code. It seems that writing secure PHP scripts is also very difficult, and there are quite a number of advisories for software written in PHP, which are not necessarily the fault of PHP, but perhaps encouraged by the design of PHP.

[Ben's rebuttal snipped]

...except that the developers agreed. And they've in fact made design changes to reduce the negative impact of those original design decisions, and in Dec 2001 released an advisory to that effect.

Nowhere did I say anything to the effect that the authors, or anyone else for that matter, condemned the whole language. Even I don't condemn the whole language. I simply stated my opinion that it is not yet shown to be mature enough to trust the security of my production network/web servers to it.

Even you yourself admitted that three of the advisories I listed in this thread were distinct and legitimate. All three of them were between Jan 1 2002 and Feb 28, 2002. That's three in two months, and that's too many IMO.

--
Derek Martin [EMAIL PROTECTED]
---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org
