ID: 32295
Comment by: nihujane at gmail dot com
Reported By: daedalon at users dot sourceforge dot net
Status: Open
Bug Type: Feature/Change Request
Operating System: Any
PHP Version: 5.0.3
New Comment:
I agree, good idea.
The most secure way should always be the shortest way too.
Previous Comments:
------------------------------------------------------------------------
[2005-03-14 02:43:51] daedalon at users dot sourceforge dot net
Description:
------------
It's commonly seen that PHP guides and advanced users inform readers
and less experienced PHP coders to use include_once() all the time
instead of include(), which they say should be used only in situations
where including the same file another time would specifically be wanted
or allowed.
However, most of the users first learn about include(); and start using
it. Then they make some small error while coding and their website
becomes a mess, possibly leaking some private information. This is
usually the point where one hears that a more secure way of including
files in PHP is available. This is also the point where one starts
thinking, why is the better way harder one around, and why does the
worse option have a shorter and easier to remember name.
I suggest that include() would be made to act like include_once(),
possibly being in fact an alias for it. For those who really do want to
use an include construct that has the potential for including the same
file again, include_again() should be made available and it should work
like the include() construct has previously done.
Naturally it wouldn't be fair for anyone to make the change right away.
The correct order would be making include_again() construct available
and announce to everyone that it should be used if that is really the
desired functionality; otherwise one can leave his code right intact.
This would also be the point where documentation (book) authors should
be notified, so that all future material would mention about this if
appropriate. Then, after one or more x.x version changes, the change
should be made so that include() is an alias for include_once(), not
include_again(). This way every responsible PHP author using include()
purposefully instead of include_once() would have already made the
changes required, and everyone else would just live happily ever after
being able to use simply include() with the secureness of
include_once().
I think this would be similar to what the PHP community experienced
with the register_globals being changed to default to off. Increased
security with minimum pain for the users, the way PHP has reigned so
far. I do hope my suggestion would come true if not in 5.1 or 5.2, at
least in 6.0, whenever it comes. It would save me and many other users
time that is now being used to learning by mistakes or education why
not use the simple include().
The same should be applied to require_*() constructs too, so that
require() would be an alias to require_once() after the final change,
and before that be an alias to require_again() which would be announced
as being the construct to use when the re-requiring functionality is
desirable.
Reproduce code:
---------------
include("file");
...lots of other code, possibly if clauses and loops...
include("file");
Expected result:
----------------
The abovementioned code should include file only once, because the
cases when the user would actually want file to be included twice are
less common than sharks in Sahara but too many people haven't heard
that include_once() should be used almost always instead of the simpler
to type and pronounce include().
Actual result:
--------------
At the present the code above includes file twice causing common
problems and time spent educating everyone around that the simpler way
is the worse way, always use the function with the more inconvenient
name if you don't specifically mean to include or require file more
than once.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=32295&edit=1
