On Fri, Sep 27, 2002 at 10:50:08AM +0900, Yasuo Ohgaki wrote:
> Ilia A. wrote:
> >list think of this patch. I merely try to explain why I believe this
> >particular patch is not appropriate for standard PHP distribution.
>
> It will be yet another safe_mode like feature. i.e.
> it isn't secure as it sounds. Users with a little knowledge
> can access backend with socket function. Therefore, I agree
> with Ilia's opinion.

users with a little knowledge can do all manner of unpleasant things with the socket function. not to mention system(), and fopen/read/write/fclose.

let us assume that pgsql had an API call PQrestrictdb(list_of_dbs). and i submitted a patch that allowed for a PHP config var to fill that list_of_dbs. would i be running into the same objections?

how else would you propose i pass immutable values from apache to pgsql?

the concept here is security, and i recognize that part of your purpose is to maintain, and improve the security of php. but with such stalwart objections to modifications like mine, you are making php less secure for those of us who want to use extensions by forcing us to use environment variables which can be overwritten.

my apologies if there is a mechanism which exists, and that i'm not aware of.

--
[ Jim Mercer [EMAIL PROTECTED] +1 416 410-5633 ]
[ I want to live forever, or die trying. ]

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php