Since comments were called for I thought I might weigh in
with my $0.02cdn

When configuring PHP I want a way to protect myself, and my users from
themselves when it comes to doing something silly. I've actually seen
include($_GET['function']) in running code, though thankfully never on
one of my projects. I would like to be able to prevent something like
this from happening at the .ini level; whether that's allow_url_fopen or
some other setting doesn't really matter.

Beyond that, I'm only mildly interested in granularity, and then
probably at the user/directory of execution level rather than the
particular function level.

So something like:
allow_users_to_be_foolish(yes/no)
  -> disable remote file loading in include/require
allow_remote_data_retreival(yes/no)
  -> disable remote file retrieval with fopen, file_get_contents,
streams, etc. If you're setting this option don't bother installing
--with-curl, problem solved.

Would suit me fine. Being able to do that in .htaccess or within some
other apache based structure would be great, but not really needed.

I agree with the previously mentioned "If their aim is that good, they
deserve to be shot in the foot" completely.


paul



On 7/28/05, Jason Sweat <[EMAIL PROTECTED]> wrote:
> On 7/28/05, Sean Coates <[EMAIL PROTECTED]> wrote:
> > >> That won't work, eval() is not a function...
> > >
> > > Ah yes, you're right... I guess we do need another INI setting.
> >
> > Or constructs-that-look-like-functions could be governed by
> > disable_functions (eval, echo).. that would cause other problems (like a
> > disabled "return"), though.
> >
> > S
> 
> I think Zeev's earlier comment about "If their aim is that good, they
> deserve to be shot in the foot" applies equally well to "disabled
> "return" "
> 
> Regards,
> Jason
> 
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 


-- 
Paul Reinheimer
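
The include($_GET['function']) pattern mentioned in the message above, next to an application-level allow-list that does not depend on any ini setting. This is an added example, not part of the original message or of PHP itself; the page names, file names, base directory and helper function names are hypothetical.

```php
<?php
// Added example; page names, paths and function names are hypothetical.

// Before: the pattern quoted in the message. The request chooses the file,
// and with URL wrappers enabled it may name something outside the project.
//   include($_GET['function']);

// After: the request only selects a key; the path comes from a fixed map.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(array $query, string $baseDir): ?string
{
    $key = $query['function'] ?? null;
    // Non-string values (?function[]=x) and unknown keys are rejected.
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . PAGES[$key];
}

// Reports whether allow_url_fopen is enabled for the running process.
function remote_fopen_enabled(): bool
{
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample requests; nothing is actually included here.
$samples = [
    ['function' => 'contact'],
    ['function' => 'http://example.invalid/x.txt'],
    ['function' => '../../somewhere/else'],
    ['function' => ['home']],
    [],
];
foreach ($samples as $query) {
    $path = resolve_page($query, '/srv/app/pages');
    echo json_encode($query), ' => ', $path ?? 'rejected', PHP_EOL;
}
echo 'allow_url_fopen: ', remote_fopen_enabled() ? 'on' : 'off', PHP_EOL;
```

Only the first sample resolves to a path; the other four are rejected before any filesystem or network access happens.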
