Russell Nelson wrote:
Now, don't tell me that it's not insecure. Everyone here realizes
(and I know this because they've told me) that programmers who are
concerned about security will always check the values passed into
'include'. Why would they need to do that if 'include' wasn't
insecure?
Because it's one of, if not the first of, the rules of web-based
scripting, maybe even programming in general. You absolutely can't trust
any input whatsoever, and it must be validated. There are examples of
this in every type of language that I care to think of, from buffer
overflows in C/C++, SQL injections in, well, just about any language, and
of course system()/exec()/include()/etc. in PHP.
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
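The point the reply makes, validating whatever reaches include(), shown as an added example that is not part of the thread: a weak form that passes a request value straight to include(), beside an allow-list form in which include() never sees user-controlled text. The `templates/` directory, the page names and the `page` query parameter are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Assumes a templates/ directory
// next to this script and a ?page= query parameter.

// Weak form: the request chooses the file name, so include() receives
// whatever text the caller supplied. This is the case the thread says
// every security-conscious programmer must guard against.
function renderPageWeak(string $page): void
{
    include __DIR__ . '/templates/' . $page . '.php';
}

// Hardened form: the request value is only a key into a fixed map of
// known templates, so the file name passed to include() is always one
// the developer wrote, never the caller.
const PAGE_TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolveTemplate(string $page): ?string
{
    if (!array_key_exists($page, PAGE_TEMPLATES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath(__DIR__ . '/templates/' . PAGE_TEMPLATES[$page]);
    // Defence in depth: confirm the resolved file still lies under templates/.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function renderPage(string $page): void
{
    $template = resolveTemplate($page);
    if ($template === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $template;
}

renderPage($_GET['page'] ?? 'home');
```

The allow-list version also gives a natural place to log rejected page names, which is a useful signal that someone is probing the parameter.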