ZS>> My point is that with safe_mode, $x = file("/etc/passwd") can probably
ZS>> still be achieved, only perhaps not that easily. The false sense of
ZS>> security that it gives you may (will) cause administrators to set their
ZS>> servers up in an insecure way.
Here I wonder why it is impossible to define some set of safe mode
security guidelines and make all functions conform to it. After all,
mostly everything (except, probably, some extensions like COM, where you
never know) is controlled by the engine, so why isn't it possible to have it
adhere to some set of guidelines?

Also, if the guidelines were really defined and documented, the
sysadmins would know what it actually does and what it does not, rather
than going on the word "safe" alone.
--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED] http://www.zend.com/ +972-3-6139665 ext.115