* Michael Mathews <[EMAIL PROTECTED]> [2006-06-02 12:10]:
> I would also point to PHP's fread() (and friends) functions,
> which take "filenames" in the form of "C:\\blah" or
> "http://foo.com/blah"; and behaves the same.

Yes, which means that any un- (or badly) sanitised user input has
the potential to make a program fetch data from a remote server,
which is particularly dumb when you consider that `require`
offers the same misfeature. Makes exploits so much easier.

No, HTTP is not like opening local files and should not be
treated as such. The failure modes also differ entirely.

The right place to abstract this, if you want to, is at the
networking layer, which could treat local files as a special form
of remote ones, which can be done simply by accepting `file://`
URIs in addition to `http://` and `ftp://`. This way around works
much better for a range of reasons. (I’m too lazy to go into them
right now but will if you ask.)

That doesn’t belong in the language core, though.

*AUTOLOAD=*_;sub _{s/(.*)::(.*)/print$2,(",$\/"," ")[defined wantarray]/e;$1};

Reply via email to