On Apr 9, 2012, at 7:44 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

> Hi,
>
> 2012/4/10 Luke Scott <l...@cywh.com>:
>>>>> That said, allowing the skipping of an initial <?php tag at the top of
>>>>> the file probably wouldn't be a big deal to implement in code mode.
>>>>
>>>>
>>>> OK. If you can agree to this then I'm good. Perhaps only allow white space
>>>> before it (which is ignored - everything else throws a parse error)?
>>>
>>> Great, that sounds doable. (This would be *allowing* a leading <?php,
>>> not *requiring* one.)
>>
>> Great! Then it seems we both agree.
>>
>> As far as the require/include statement, have we pretty much settled
>> on something like this:
>>
>> include "/foo/bar.php", INC_CODE;
>>
>> versus:
>>
>> include_path "/foo/bar.php";
>>
>
> These syntaxes do not help remove LFI risk in existing code
> and allow novices to write suicide code.
>
> The only valid reason to make the mandatory embedded mode
> non-mandatory is security. IMHO.
>
> BTW, although I'll vote against having include_path() or the
> like, include_path() should be include_script(), shouldn't it?

I'm not sure I fully understand your concern. require/include
shouldn't be used for anything other than local PHP files. User input
should also not be placed there.

What am I missing?

Luke

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
