Hi!

> You're right that turning off eval() isn't a silver bullet, and if you can
> get external code running on someone's box there are a lot worse things you
> can do.
I think the important point here is not that you can do worse things than eval() but that you can do *anything*. Once you can execute code on the remote side, there are no security barriers PHP can provide for you. If the PHP engine were coded as an execution engine for hostile code that guarantees security against untrusted code (like, for example, VM supervisors) then it'd be different, but I don't think the PHP engine ever provided that guarantee. And with that, I think banning eval() just provides a false sense of security.

-- 
Stas Malyshev
smalys...@gmail.com

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php