> It is surprising how a thing that is considered by one to be a security risk
> is treated as nothing relevant by others. This dichotomy is quite disturbing - in what
> case is removing a security risk "no real gain"?
It's questionable that a misconfigured environment is a "security" risk caused by the language rather than by ignorance of the administrator. On that matter, you could ask why all the exec/passthru/proc_open etc. functions/features are allowed by default while every other guide on hardening the web suggests that those be disabled (added to disable_functions)? I would bet there have been a lot more (actual) security breaches because of unsanitized/unescaped parameters to those. Just to repeat some other people - there are a lot of other things to work on than this.

rr

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
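The two hardening points raised in the reply above (disabling the process-spawning functions through `disable_functions`, and never passing unescaped parameters to them) can be checked from PHP itself. The following is an added example written for this page; it is not code from the mailing-list thread or from the PHP project. The helper names `stillEnabledProcessFunctions`, `fileTypeUnsafe` and `fileTypeSafe` are hypothetical, and the sample input is constructed.

```php
<?php
// Added example (not from the mailing-list post): (1) report which of the
// process-spawning functions are still callable given php.ini's
// disable_functions, and (2) contrast raw string interpolation with
// escapeshellarg() when user input reaches a shell command.
// All function names below are hypothetical helpers.

declare(strict_types=1);

// Functions that hardening guides typically put into disable_functions.
const PROCESS_FUNCTIONS = ['exec', 'passthru', 'system', 'shell_exec', 'proc_open', 'popen'];

/**
 * Return the subset of PROCESS_FUNCTIONS that this runtime will still execute.
 * function_exists() already returns false for disabled functions on PHP 8+,
 * but older releases only honoured disable_functions at call time, so the
 * ini_get() list is consulted as well.
 */
function stillEnabledProcessFunctions(): array
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return array_values(array_filter(
        PROCESS_FUNCTIONS,
        fn(string $fn): bool => function_exists($fn) && !in_array($fn, $disabled, true)
    ));
}

/** Unsafe "before": shell metacharacters in $filename become part of the command line. */
function fileTypeUnsafe(string $filename): string
{
    return (string) shell_exec("file $filename");
}

/** Hardened "after": the argument is quoted as one shell word, so it stays data. */
function fileTypeSafe(string $filename): string
{
    return (string) shell_exec('file ' . escapeshellarg($filename));
}

// Usage: print what is still enabled, then call only the hardened form.
$enabled = stillEnabledProcessFunctions();
echo 'Process-spawning functions still enabled: '
    . (implode(', ', $enabled) ?: '(none, disable_functions covers them all)') . PHP_EOL;

if (in_array('shell_exec', $enabled, true)) {
    // Constructed input containing a space and a semicolon; fileTypeUnsafe()
    // would hand it to the shell unquoted, fileTypeSafe() passes it as one argument.
    $input = 'quarterly report; notes.txt';
    echo fileTypeSafe($input);
}
```

On a host where `disable_functions` lists `shell_exec`, the script prints the empty-list message and never reaches the command; on a default installation it shows which functions remain enabled, which is exactly the gap the reply complains about. The `escapeshellarg()` call is the minimum for the "unescaped parameters" case; where possible, avoid spawning a shell at all and use `proc_open()` with an argument array (PHP 7.4+), which bypasses shell parsing entirely.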