> On 8 Oct 2019, at 12:24, Reindl Harald (privat) <ha...@rhsoft.net> wrote:
>
>
>
> On 08.10.19 at 11:00, Claude Pache wrote:
>> * People trying to deactivate functions executing external programs (such as
>> `shell_exec`) using the "disable_function" ini directive, wondering how to
>> deactivate the backtick operator (since there is no `disable_operator`
>> directive)
>
> would you at least mind to back your claims by a simple test?
>
> Warning: shell_exec() has been disabled for security reasons in
> /mnt/data/www/www.rhsoft.net/test.php on line 1
>
> [harry@srv-rhsoft:/www/www.rhsoft.net]$ cat test.php
> <?php `uname`?>

Hi,

I think you missed my point. I wasn’t claiming that there is any technical
difficulty in disabling the backtick operator. I am claiming that people take
time wondering how to do that, searching for the solution, and discovering that
they just need to disable `shell_exec`.

More generally, people take time in understanding the peculiarities of that
uncommon feature which is the backtick operator. This is a real cost. Another
example that is popping into my mind is: Does the operator support variable
interpolation (like double-quoted strings) or not (like single-quoted strings)?
(Please, don’t lose time in answering that question. The simple answer is: Just
use `shell_exec()` with the type of quotes you mean, and: Tell everybody to
just use `shell_exec()` with the type of quotes they mean.)

—Claude

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php