On 05.02.2012 18:09, Nikita Popov wrote:
> On Sun, Feb 5, 2012 at 5:45 PM, Michael Stowe <mikegst...@gmail.com> wrote:
> [snip]
>> Perhaps another option, if it's a security concern is the ability to turn 
>> off the /e modifier, and have it off by default. This way we can protect our 
>> less experienced programmers, while keeping it available for more advanced 
>> use cases.
> 
> I think introducing an option for this will only create problems. Code
> using /e will be non-portable as it depends on the ini option being
> enabled.

yes, and security-problematic things should only be enabled actively

> Also this way shared hosting will never disabled the modifier
> because it doesn't want to break apps.

the one who cares about security will do it

> And I think disabling it is especially important for people on shared 
> hosting, 
> who usually are less educated about security than people on dedicated servers.

but the ones on dedicated servers currently have no option to make
their setup secure without suhosin

> Also: If you really want to use /e you can still call eval() inside
> preg_replace_callback. This additionally has the benefit of making the
> code evaluation more explicit.

the problem is "you can"

if it is off by default, you should do it this way if you like portable apps
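The point made above, that preg_replace_callback makes the code evaluation explicit while /e hides it in a replacement string, as an added example that is not part of the thread; the template and variable array are constructed sample input:

```php
<?php
// Added example (not from the thread): the /e modifier versus preg_replace_callback.
// Constructed sample input: a template with placeholders and the values to fill in.
$template = 'Hello {name}, you have {count} new messages.';
$vars = ['name' => 'alice', 'count' => '3'];

// Dangerous form (PHP < 7.0): with /e, the replacement string is executed as PHP
// code after back-references are substituted, so whatever the pattern matched in
// $template ends up inside evaluated code. The modifier was deprecated in PHP 5.5
// and removed in PHP 7.0, which is why the line is left commented out here.
// $out = preg_replace('/\{(\w+)\}/e', '$vars["$1"]', $template);

// Explicit form: the callback receives the match as plain data. Nothing is
// evaluated, so text in $template can never become code, and the lookup logic
// is visible in the source instead of being built from strings at runtime.
$out = preg_replace_callback(
    '/\{(\w+)\}/',
    function (array $m) use ($vars): string {
        // $m[0] is the whole placeholder, $m[1] the captured name;
        // unknown placeholders are left untouched rather than evaluated.
        return $vars[$m[1]] ?? $m[0];
    },
    $template
);
echo $out, PHP_EOL;
```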
