> It is surprising how thing that is considered by one to be a security risk, 
> is treated
> as nothing relevant by others. This dichotomy is quite disturbing - in what 
> case
> removing security risk is "no real gain"?

It's questionable that a misconfigured environment is a "security" risk caused 
by language rather than ignorance of the administrator. 

On that matter you could ask why are all the exec/passthru/proc_open etc 
functions/features are allowed by default while every other guide on hardening 
web suggests those to be disabled (added to disable_functions)?
I would bet there have been a lot more (actual) security breaches because of 
unsanitized/unescaped parameters to those.

Just to repeat some other people - there are a lot other things to work on than 


PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to