Hi,

2012/4/10 Luke Scott <l...@cywh.com>:
> On Apr 9, 2012, at 7:44 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>
>> Hi,
>>
>> 2012/4/10 Luke Scott <l...@cywh.com>:
>>>>>> That said, allowing the skipping of an initial <?php tag at the top of
>>>>>> the file probably wouldn't be a big deal to implement in code mode.
>>>>>
>>>>> OK. If you can agree to this then I'm good. Perhaps only allow white space
>>>>> before it (which is ignored - everything else throws a parse error)?
>>>>
>>>> Great, that sounds doable. (This would be *allowing* a leading <?php,
>>>> not *requiring* one.)
>>>
>>> Great! Then it seems we both agree.
>>>
>>> As far as the require/include statement, have we pretty much settled
>>> on something like this:
>>>
>>> include "/foo/bar.php", INC_CODE;
>>>
>>> versus:
>>>
>>> include_path "/foo/bar.php";
>>>
>>
>> This syntax does not help remove LFI risk in existing code
>> and allows novices to write suicide code.
>>
>> The only valid reason to make mandatory embedded mode
>> non-mandatory is security. IMHO.
>>
>> BTW, although I'll vote against having include_path() or
>> the like, include_path() should be include_script(), shouldn't it?
>
> I'm not sure I fully understand your concern. require/include
> shouldn't be used for anything other than local php files. User input
> should also not be placed there.
>
> What am I missing?
It's easy to say "write correct code, don't write stupid code", but we
cannot enforce it in the real world.

I'm concerned about both arbitrary script execution and arbitrary
information disclosure. Good examples are LFI and SQL injection attacks.

https://wiki.php.net/rfc/nophptags

I added an example today that makes use of SQL injection for script
execution. It may also be used to steal any data in databases, too.

SQL injection can be made much easier with LFI, i.e. Blind SQL is not
needed with LFI.

Regards,

P.S. I'm not insisting programming languages should protect against all
stupid code. I'm insisting PHP should give users the freedom to control
embed mode for better security.

--
Yasuo Ohgaki
yohg...@ohgaki.net

>
> Luke

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
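A lint for the code-mode rule discussed in the thread above (only whitespace may precede an optional leading `<?php`; anything else would be a parse error), added here as an example that is not code from the thread or from the nophptags RFC. It classifies which files in a tree keep their meaning under that rule and which ones today's embedded mode would emit as text before (or instead of) executing; it assumes only the long `<?php` tag counts as an open tag and that a UTF-8 BOM is content rather than whitespace.

```python
import re
from typing import NamedTuple

# Code-mode rule from the thread: optional whitespace, then an optional
# `<?php` open tag, then PHP code; any other leading content is a parse error.
# Only `<?php` followed by whitespace or end of file counts as an open tag
# here (short tags are out of scope). Treating a UTF-8 BOM as "other content"
# is an assumption of this lint, not a statement from the thread or the RFC.
WHITESPACE = b" \t\r\n"
OPEN_TAG = re.compile(rb"<\?php(?=[ \t\r\n]|\Z)")

class Verdict(NamedTuple):
    kind: str       # "code" | "notag" | "embedded" | "empty"
    line: int       # 1-based line of the first non-whitespace byte (0 if none)
    leading: bytes  # what embedded mode would emit before any PHP runs

def classify(source: bytes) -> Verdict:
    """Say how a file behaves under embedded mode versus the code-mode rule."""
    body = source.lstrip(WHITESPACE)
    if not body:
        return Verdict("empty", 0, b"")
    line = source.count(b"\n", 0, len(source) - len(body)) + 1
    if OPEN_TAG.match(body):
        # Same meaning in both modes: nothing is emitted before code runs.
        return Verdict("code", line, b"")
    m = OPEN_TAG.search(body)
    if m is None:
        # No tag: embedded mode prints the whole file as text, while the
        # code-mode rule would parse all of it as PHP. Its meaning flips.
        return Verdict("notag", line, body)
    # Text before the tag: embedded mode prints it, then runs the code after
    # `<?php`; the code-mode rule rejects the file with a parse error.
    return Verdict("embedded", line, body[:m.start()])

def audit(files: dict) -> dict:
    """Map filename -> kind so a tree can be reviewed before switching modes."""
    return {name: classify(data).kind for name, data in files.items()}

# Constructed sample files (not from the thread).
SAMPLES = {
    "config.php": b"\n  <?php\n$db = 'x';\n",        # whitespace, then tag: fine
    "bom.php":    b"\xef\xbb\xbf<?php\necho 1;\n",   # BOM before tag: rejected
    "page.php":   b"<html>\n<?php echo 'hi'; ?>\n",  # template: rejected
    "notes.txt":  b"just text, no tag\n",            # emitted verbatim today
}

if __name__ == "__main__":
    for name, kind in audit(SAMPLES).items():
        print(f"{name}: {kind}")
```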