On 6/28/05, Russell Nelson <[EMAIL PROTECTED]> wrote:
>
> If you have to read the man page to find out that 'include' will let
> some random user from a third-world country execute 'rm -rf /' on your
> server, then I propose that the problem is not that users didn't read
> the man page. The problem is with include, and it needs to be fixed.

Are you suggesting that someone could wipe out your entire machine by passing a remote script that would system('rm -rf /');?

This is not a PHP related problem. If the user is stupid enough to run his webserver as root and not set proper privileges, he deserves to get his hard drive wiped out. Maybe we should consider Apache insecure as it allows you to run it as root if you like? Or maybe we should blame UN*X systems for having a root account?

I sure do expect to have include() using the fopen wrapper. If it was not the case, people would start writing their own implementation of remote include file, opening an HTTP stream and then piping it to include().

IMHO, this thread is pointless. About any feature (good features!) of PHP might be used to hack a system. There is no way around crappily written software (meaning the PHP script, and *not* the PHP runtime).

There are no problems with the include() statement. The only thing missing is a <blink> tag in the docs ;)

Sincerely,
Olivier

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
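
The script-side handling this thread argues over, as an added example that is not part of either message or of PHP itself: request data is mapped through a fixed allow-list to a local file before it ever reaches include(). The function name `resolve_page()`, the page names and the temporary directory are hypothetical, and the inputs are constructed.

```php
<?php
// Added example. The pattern under discussion passes request data straight to
// include(), so with URL wrappers enabled the "path" may name a remote script:
//     include($_GET['page']);
// Runtime-side control: allow_url_fopen = Off in php.ini (PHP 5.2 and later
// add a separate allow_url_include setting, which is off by default).

/**
 * Map a request parameter to a local file under $pagesDir, or return null.
 * Only keys of $allowed are accepted; the value is the file name to include.
 */
function resolve_page($requested, string $pagesDir, array $allowed): ?string
{
    // Arrays (?page[]=x) and unknown names never reach the filesystem.
    if (!is_string($requested) || !isset($allowed[$requested])) {
        return null;
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    // realpath() is false for missing files; the prefix check rejects a
    // symlink that resolves outside the pages directory.
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary pages directory holding one real page.
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($pagesDir);
file_put_contents($pagesDir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");
$allowed = ['home' => 'home.php', 'about' => 'about.php']; // about.php is absent

// Constructed inputs: a valid name, a URL, a traversal string, an array,
// and an allow-listed name whose file does not exist.
$samples = ['home', 'http://example.invalid/x.txt', '../../etc/passwd', ['home'], 'about'];
foreach ($samples as $sample) {
    $resolved = resolve_page($sample, $pagesDir, $allowed);
    printf("%-34s => %s\n",
        json_encode($sample, JSON_UNESCAPED_SLASHES),
        $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

// Clean up the constructed files.
unlink($pagesDir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($pagesDir);
```

Only the first sample resolves to a file; the URL, the traversal string, the array and the missing page are all rejected before include() would be called.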