> -----Original Message-----
> From: Bishop Bettini [mailto:bis...@php.net]
>
> That's why I highlighted Robert Korulczyk's case study: only a particular 
> code path in a particular environment had the problem.
>
> The status quo enables deployments to fail insecurely. <? $dbpassword =
> "secret"; is a trap waiting to spring. I would rather require ten thousand
> people secure their environment by running a script, than risk a single person
> exposing their credentials for all to steal.
> 
> I challenge everyone who's voted no to consider this balance.


If the initial RFC had been accepted as is (without the changes proposed later, 
after the lengthy discussion), you would have sprung the same "trap" as 
in that particular case study - code would be exposed.


The argument for "only a particular code path in a particular environment" is 
somewhat weak, because in that case why does the '.user.ini' feature even exist 
(especially in the Apache SAPI, where you can even do engine = 0), as it can also 
lead to wildly different language behaviour?

rr


--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
