Newsgroups: php.internals
Xref: news.php.net php.internals:117756
Subject: Re: [PHP-DEV] Early feedback on encrypted session PR
From: craig@craigfrancis.co.uk (Craig Francis)
To: "Christoph M. Becker"
Cc: PHP internals
Date: Thu, 19 May 2022 10:42:22 +0100
Message-ID: <797F9E44-DB89-49C3-8538-913BEE6462DB@craigfrancis.co.uk>
In-Reply-To: <5b866dcf-cbc7-4441-362b-3fa2c735dd8f@gmx.de>

On 18 May 2022, at 18:43, Christoph M.
Becker wrote:

> On 18.05.2022 at 18:37, Craig Francis wrote:
>> I would hope both are very rare, but I'm still writing up reports about developers doing things like `file_put_contents('/tmp/' . $_POST['id'], $_POST['message'])`, so I don't have a lot of hope.
>
> Right. And no amount of magic features implemented by a language or library will prevent such issues completely. It might not have been the best idea to make PHP so beginner friendly.

True, but some features can catch or help limit the damage from some mistakes (e.g. CSP), as mistakes can be made by any developer (no one writes 100% secure code); and `magic_quotes` was not on that list.

Also, while I appreciate your sentiment (I feel it all too often), overall I prefer having loads of beginners that are learning and guided by the language/tooling, so they eventually become experienced developers for a popular language :-)

Craig
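The `file_put_contents('/tmp/' . $_POST['id'], ...)` pattern quoted in the thread, shown beside a hardened version, as an added example that is not part of the original messages; the `UPLOAD_DIR` path, the `safe_write` function and the sample identifiers are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Assumed upload directory for this example.
const UPLOAD_DIR = '/tmp/uploads';

// The pattern quoted in the thread: the request fully controls the path,
// so '../' sequences or an absolute path in $id escape /tmp/.
function unsafe_write(string $id, string $message): void
{
    file_put_contents('/tmp/' . $id, $message);
}

// Hardened form: allow-list the identifier, then confirm the resolved
// target still lives inside UPLOAD_DIR before writing.
function safe_write(string $id, string $message): bool
{
    // 1. Structural allow-list: short, plain identifiers only. This alone
    //    excludes separators, '.', NUL bytes and empty names.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id) !== 1) {
        return false;
    }

    // 2. Containment check (defence in depth). realpath() returns false for a
    //    file that does not exist yet, so resolve the parent directory instead.
    $base = realpath(UPLOAD_DIR);
    if ($base === false) {
        return false;
    }
    $target = $base . DIRECTORY_SEPARATOR . $id;
    if (realpath(dirname($target)) !== $base) {
        return false;
    }

    // 3. Exclusive lock so concurrent requests do not interleave writes.
    return file_put_contents($target, $message, LOCK_EX) !== false;
}

// Constructed inputs: one valid identifier and three that fail step 1.
@mkdir(UPLOAD_DIR, 0700, true);
var_dump(safe_write('note-42', 'hello'));
var_dump(safe_write('../../etc/passwd', 'x'));  // traversal, rejected by the allow-list
var_dump(safe_write('/etc/passwd', 'x'));       // absolute path, rejected by the allow-list
var_dump(safe_write("note\0.txt", 'x'));        // NUL byte, rejected by the allow-list
```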