Hi!

> Let's just say that eval() and create_function() are the cornerstone of
> PHP-based exploit toolkits. Yes, if the hackers get in there are other
> problems with your codebase, but as a defense in depth measure most
> applications need neither create_function() nor the eval() language
> construct, so they might as well be disabled.

I get defense in depth, but I don't understand what it means in this
case. Since you're talking about disabling functions, I assume we're
talking about the situation where there's code execution access. From
that point, you can execute any code. What is the value of disabling
eval() here? You don't need eval, you can run any code you want
directly! Am I missing something here?

-- 
Stas Malyshev
smalys...@gmail.com

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
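As an added illustration of the hardening the quoted paragraph describes (this is example code written here, not something from the thread or from PHP itself): a deployment that sets, for instance, `disable_functions = create_function,exec,shell_exec,system,passthru,proc_open,popen` in php.ini can verify the setting took effect with a small audit script. The watch list below is an assumption about which functions a typical deployment removes; tailor it to the application. One caveat worth keeping in mind when reading the quote: `eval()` is a language construct, not a function, so `disable_functions` does not cover it and `function_exists('eval')` is always false.

```php
<?php
// Added example (not from the thread): report which dynamic-code and
// shell-execution entry points this PHP process still exposes, so an
// operator can confirm the php.ini hardening actually applied.

// Parse the comma-separated disable_functions directive (may contain spaces).
function disabledFunctions(): array
{
    $raw = (string) ini_get('disable_functions');
    return array_values(array_filter(array_map('trim', explode(',', $raw))));
}

// Assumed watch list: create_function (the function named in the thread)
// plus the usual shell-execution family. Adjust per application.
const WATCHED_FUNCTIONS = [
    'create_function', 'exec', 'shell_exec', 'system',
    'passthru', 'proc_open', 'popen',
];

function auditDynamicCode(array $watch = WATCHED_FUNCTIONS): array
{
    $disabled = disabledFunctions();
    $report = [];
    foreach ($watch as $fn) {
        if (!function_exists($fn)) {
            // Either disabled via php.ini or absent from this PHP build/version
            // (e.g. create_function was removed in PHP 8).
            $report[$fn] = in_array($fn, $disabled, true) ? 'disabled' : 'not present';
        } else {
            $report[$fn] = 'AVAILABLE';
        }
    }
    // eval() is a language construct: disable_functions never applies to it.
    $report['eval'] = 'construct (not affected by disable_functions)';
    return $report;
}

foreach (auditDynamicCode() as $name => $state) {
    printf("%-16s %s\n", $name, $state);
}
```

Run it with the same SAPI and php.ini as the application (a CLI run can load a different php.ini than the web server), and treat any `AVAILABLE` line for a function the application does not use as a configuration gap.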
