Russell Nelson wrote:

Graphical user interface designers understand the idea of an
'affordance'.  An affordance is something whose operation is obvious
simply by looking at it.  An uparrow button moves something upwards.
'include' is an affordance.  It obviously includes a local file.
To me, it's obvious that include includes a file - I see no obvious determination that that file is either local or remote in the "include" statement.

Also, I think it's silly to make include into two functions as you suggest given that the ability to include a remote file depends on the fopen wrapper being enabled. If we were to follow this line of logic, we would have two functions for every current one function which can use the fopen wrappers. I think the documentation quite clearly states that /all/ functions that deal with files may deal with remote files if the fopen wrappers are enabled and that it's safest to make sure these wrappers are disabled in the php.ini/config file.

I'm not speaking as somebody who's never seen the misuse of include() either - I had a server remotely exploited several months back after I "did a favour for a mate" and let him run some of his dodgy code on the machine. However, as I mention above, every single function that can use fopen wrappers can be exploited in this way. Now, if include is at the top of the currently-exploited-in-this-manner list of these functions, maybe the documentation needs to start using <blink>* tags to highlight things a bit more - this is an entirely separate issue to the function being broken. Sadly, the (ab)use of this function and others using fopen are things I'm seeing are in line with how I saw people abusing crap perl scripts 5-10 years back when that started to become really popular for web scripting. It's unfortunate, but there are a lot of muppets out there who think they can code - it shouldn't be anybody's job to shield them from the headaches they'll be unleashing upon themselves when that removes functionality or changes existing functionality for those of us who know how to use these functions appropriately - after all, about the first thing you read in any book about any web scripting is you /do not/ accept unvalidated user input.

* -- sorry, joke :-)
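The include()/fopen-wrapper misuse the thread is arguing about, as an added example that is not part of the original post: the unvalidated pattern beside an allowlisted one, plus a runtime check on the php.ini setting the message refers to. The `?page=` parameter, the `templates/` directory and the function names are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Assumes a ?page= request parameter
// and a templates/ directory; both are illustrative.

// Unsafe pattern: the request value reaches include() unvalidated. Because
// include() goes through the fopen wrappers, with allow_url_fopen=On in
// php.ini the same line will also fetch and execute a remote file.
function render_unsafe(string $page): void
{
    include $page;
}

// Hardened pattern: map the request value onto a fixed allowlist so the
// string handed to include() is never user-controlled, whatever the
// wrapper configuration happens to be.
const PAGES = [
    'home'    => __DIR__ . '/templates/home.php',
    'contact' => __DIR__ . '/templates/contact.php',
];

function resolve_page(string $page): ?string
{
    return PAGES[$page] ?? null;   // unknown keys resolve to null
}

function render_safe(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// Defence in depth: the thread's advice is to disable the wrappers in
// php.ini. This check surfaces a deployment that forgot to do so.
function url_wrappers_enabled(): bool
{
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

if (url_wrappers_enabled()) {
    error_log('allow_url_fopen is On: file functions accept remote URLs');
}

render_safe($_GET['page'] ?? 'home');
```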

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
