> OK, I checked into this further, and I must apologize: you are correct.
> I suspect that most of us didn't remember that this feature even
> existed...

You don't have to apologize. And indeed... I don't get the idea that
many people know about this. Besides you and maybe one or two others
I haven't heard from anyone else who knows this. And, well... before
last week I didn't know it either ;)



> Anyway, I have now documented this, along with several of its existing
> restrictions. It should show up in the online manual within the next few
> days. 

Thx! And I've fixed my scripts. So everyone happy I guess.


> FWIW, this feature currently (in all versions up to 4.1.1) suffers from
> the following problems:
>
>  o File reading is not subject to open_basedir.
>  o File reading is not subject to safe_mode.
>  o The last character of the filename parameter is replaced with \0
>    after the call to odbc_execute().
>  o This kinda makes it impossible to use a string which begins and
>    ends with single quotes as a parameter replacement.
>
> These are also in the documentation which I added to odbc_execute().
>
> I've submitted patches for the first three problems to the dev team; I
> guess we'll see whether someone gets around to committing them in time
> for 4.2.0. I personally would like to see a cleaner way to do this
> though.

Seems like a good idea... your patches, I mean. I hadn't looked into
it that much, so I didn't know 'bout those prob's. Except ofcourse
that I could indeed simply access any directory on the server (as
long as it's readable for the webserver ofcourse).


-- 

* R&zE:


-- 
-- Renze Munnik
-- DataLink BV
--
-- E: [EMAIL PROTECTED]
-- W: +31 23 5326162
-- F: +31 23 5322144
-- M: +31 6 21811143
--
-- Stationsplein 82
-- 2011 LM  HAARLEM
-- Netherlands
--
-- http://www.datalink.nl
-- 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to