> Sure those are important - I was just pointing out that the "security card"
> is questionable since the language has more dangerous features
> which ask for the user to be careful and responsible about them rather than
> making everything foolproof and accident-free.

Honestly, I don't see how allowing exec/passthru/proc_open is a security risk. These are just tools. We're talking about a programming language - if you're running a PHP script as user X you should expect that it could do anything that user X can do. If you don't trust this script, just don't run it - disabling exec/passthru/proc_open does not change much since PHP is powerful enough to hurt you badly without executing any shell commands.

If you think that disabling the exec function will protect you from malicious scripts, then you have a real security problem related directly to your environment and completely unrelated to PHP (it is the OS's responsibility to disallow access to parts of the system which should not be accessed by a particular program).

> Considering the current RFCs has it really been decided as "don't use it"
> (when/where?)?

https://www.php.net/manual/en/language.basic-syntax.phptags.php

"PHP also allows for short open tag <? (which is discouraged since it is only available if enabled using the short_open_tag php.ini configuration file directive, or if PHP was configured with the --enable-short-tags option)."

Regards,
Robert Korulczyk

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php