I disagree on two levels.  First, I think that saying "We can't protect 
people from their stupidity, so let's lift all bars" is just plain wrong 
and a bad approach in a real world situation.  Sure, it's true, but we can 
definitely reduce the risks involved in common mistakes that people 
make.  Not bulletproof, but sometimes simply hinting people not to go 
around places where shots are fired is good enough.

On the second level, there are several other reasons not to keep dl() which 
aren't related to security or preventing people from doing the wrong 
things.  These are:
- Slow performance, encourages slow app writing
- Complicates the development of extensions and the engine
- Will not work in thread safe mode

All in all, dl() is simply bad, on just about every level.


At 00:03 07-08-01, George Schlossnagle wrote:
> > In a few words:
> > For a webserver: ban dl()
> > For generic scripting: keep dl()
>What's really the point of protecting people from their stupidity?  If
>you're going to keep it in the generic scripting engine (which I think has
>lots of value), why not keep it in the webserver engine as well. There are
>plenty of php extensions which, imho, operate way too slow to be called on a
>busy production site.  Does that mean they should be eliminated?  No, it
>means they should just be used with a 'buyer-beware' mentality.

Zeev Suraski <[EMAIL PROTECTED]>
CTO &  co-founder, Zend Technologies Ltd. http://www.zend.com/

PHP Development Mailing List <http://www.php.net/>