Russell Nelson wrote:
>Derick Rethans writes:
> > On Wed, 29 Jun 2005, Sara Golemon wrote:
> > > Only intrinsically safe if you've read the manual page to know that
> > > badstring should have been null terminated.
>
>Oh, don't get me started on C's null-terminated strings!
>
> > Stop feeding the troll please.
>
>Public requests to stop feeding a troll ARE troll food. The only way
>to stop a troll is to reply privately to people who respond to him.
>
>Besides which, I'm not trolling for flames. I'm politely requesting
>that you fix a well-known problem in PHP.

It seems that you don't understand that the programmers have a bit of responsibility. We can't avoid users adding security holes in their scripts; this is not the role of the programming language. All we can do is inform them that this is not good. Just because include/require are often used badly, that's not a reason to disable that function from including remote files.
XSS is a common security hole too, and there is no point disallowing echo and print from printing user's data. PHP has already gone too far this way; magic_quotes_gpc is a good example: magic_quotes_gpc just hides a security hole, and newbies are lost when a problem occurs; they have never heard about problems with quotes in the data used in queries.

regards

--
Etienne Kneuss
http://www.colder.ch/
[EMAIL PROTECTED]