At 17:52 15-10-2002, Dan Hardiker wrote:

> > Another -1, because it's a security risk, as your (legacy) sources will
> > be sent to the client,
> > if you're not aware of this. This may expose passwords, internal
> > networks and what not.
>
>The security risk there is the developer for having sensitive information
>in a publicly accessible file. The same could be said for putting .php3
>files onto a PHP4 enabled apache installation - which on a default install
>of PHP and Apache doesn't parse .php3 files and thus outputs them in the
>same manner.
>
>Don't forget, not all servers have short_open_tag's enabled - your
>"security risk" (aka bad coding) is ever present there also.

If you work in a company, which has been with PHP for a number of years, you have to deal with legacy code, that is still working properly, coded by the predecessor of your predecessor and then try moving servers to a new ISP.

We missed 1 directory, during that move, that was affected by it - which on the number of files/directories copied/moved/modified etc. is just plain luck. It didn't contain passwords, just a few hardcoded paths, which is again pure luck.

It's not a rule that this exposes a security risk, it's the exceptional situations that can cause the most damage.

Met vriendelijke groeten / With kind regards,

Webmaster IDG.nl
Melvyn Sopacua

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
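
An added example, not part of the original message or of PHP itself: a pre-migration audit for the situation discussed above, where legacy files reach the client as source because the new server does not parse their extension or has short_open_tag disabled. The extension sets and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumptions: the new server hands only ".php" to the PHP handler; the
# legacy code base may also use the extensions in LEGACY.
PARSED = {".php"}
LEGACY = {".php3", ".phtml", ".inc"}

# "<?" not followed by "php" or "xml": parsed only when short_open_tag is on
# ("<?=" is included; before PHP 5.4 it depended on that setting too).
SHORT_TAG = re.compile(rb"<\?(?!php|xml)", re.IGNORECASE)


def classify(name, data, short_open_tag=False):
    """Return the reasons a file's PHP source would be sent to the client."""
    ext = Path(name).suffix.lower()
    has_short = SHORT_TAG.search(data) is not None
    has_php = has_short or b"<?php" in data.lower()
    if ext not in PARSED and has_php:
        return ["extension-not-parsed"]   # whole file served as plain text
    if has_short and not short_open_tag:
        return ["short-open-tag"]         # "<? ... ?>" blocks served as text
    return []


def audit(root, short_open_tag=False):
    """Walk a document root and map relative path -> list of reasons."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PARSED | LEGACY:
            reasons = classify(path.name, path.read_bytes(), short_open_tag)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo():
    """Audit a small constructed tree (sample files, not from the thread)."""
    sample = {
        "index.php": b"<?php echo 'ok'; ?>",
        "old/report.php3": b"<?php $dir = '/srv/legacy/data'; ?>",
        "old/menu.php": b"<? include 'nav.inc'; ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return audit(root)
```

Run `audit()` against the copied tree with the target server's actual handler extensions and short_open_tag setting before switching traffic to it.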