From: yohg...@gmail.com [mailto:yohg...@gmail.com] On Behalf Of Yasuo Ohgaki
> There were lots of embedded PHP pages 10 years ago.
> Only template pages require embedded PHP script now.

There are legions of sites that use PHP "on the metal". No framework, no MVC, 
no CMS, just direct code files mingled with some includes for site layout. It 
works brilliantly for smaller sites and it is blazing fast.

>
> There is no compatibility issue for current code.
> New code that adopts non-embed scripting will enjoy better security than now.

The security argument here is really totally bogus. The idea behind this change 
has nothing to do with security, and making it won't improve security either. 
There's been a lot of talk about scripts embedded in images or other uploads, 
but the truth is that this will have zero impact on such attacks. If the attack 
used direct execution then the script didn't even check the extension, and an 
attacker just has to upload a different format and/or use a different extension 
(and even that only if the server, probably Apache, is configured to know the 
difference). If the attack was via inclusion, same thing: changing the expected 
syntax of the included file doesn't make it any less vulnerable.

So far I'm not seeing a compelling argument for removing <?php from the start 
of files or eliminating the ability to drop into template mode. Certainly 
nothing that would justify such a radical language change nor the mess that it 
will create for the whole rest of the ecosystem.

John Crenshaw
Priacta, Inc.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
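
An added illustration of the argument in the message above (not code from the original post or from the PHP project): the checks that decide whether an uploaded file can be executed or included sit in the application's upload and include handling, not in the syntax of the file. The extension allowlist, function names and paths are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist for an image upload feature (assumption).
const ALLOWED_UPLOAD_EXT = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Choose the name an upload is stored under. The client's name is used only
 * to read its final extension; every other part of it is discarded.
 * Returns null when the extension is not on the allowlist.
 */
function storedUploadName(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_UPLOAD_EXT, true)) {
        return null;
    }
    // Server-generated base name, so the stored file has exactly one extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Resolve a page key to an include path through a fixed map, so request
 * data never becomes part of the path handed to include/require.
 */
function resolveInclude(string $key, array $pages): ?string
{
    return $pages[$key] ?? null;
}

// Constructed sample input.
$pages = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];
foreach (['photo.PNG', 'avatar.php', 'noext'] as $name) {
    printf("%-22s => %s\n", $name, storedUploadName($name) ?? 'rejected');
}
foreach (['about', '../uploads/photo.png'] as $key) {
    printf("%-22s => %s\n", $key, resolveInclude($key, $pages) ?? 'rejected');
}
```

Neither function inspects the file's contents or its opening tag, so both behave the same whether or not the language requires `<?php` at the start of a file.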
