On Apr 9, 2012, at 9:08 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

>> I would actually suggest that require/include stop supporting remote
>> files altogether. But that can be a different RFC.
>>
>> This "security problem" isn't a problem with common sense.
>
> Requiring/including a remote file is not bad, just like embedded mode
> of PHP is not bad.

You can fetch a remote file with curl, socket functions, hell, even
file_get_contents. Point is you shouldn't be using require/include for
including remote files. It's not the purpose of these functions, and
even though "you can" it doesn't mean you should and it's highly
discouraged.

It's not a core PHP problem. It's a programming problem.

Where I work we forbid certain things like this for good reason. We
also have a code review process. All code is checked by another
developer before it gets committed. Even my code, and I'm a manager.
This should be done at the very least. Some companies do this and then
have a third party audit the code on top of it.

> They are bad for security if they are enabled by default or mandatory.

Again nothing has changed with this RFC.

Luke

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php