Newsgroups: php.internals
Message-ID: <42BEEED1.6010602@php.net>
Date: Sun, 26 Jun 2005 20:07:13 +0200
To: messju mohr
CC: Matthew Charles Kavanagh, internals@lists.php.net
Subject: Re: [PHP-DEV] Re: allow_url_fopen should be INI_ALL
From: sesser@php.net (Stefan Esser)

> It's not stupid to prevent them from being made. But that's not what
> an admin does. When the admin comes into play, the application is
> already "made" and employed. The admin just prevents it from working as the
> developer and the qa-team intended.

The admin is deciding what is allowed on his system and what not.
Any application that cannot deal with different setups is simply broken.
Same for register_globals/magic_quotes_gpc. If your application does not
behave in the same way with any of these features turned on or off, it is
simply broken.

Stefan

ps: and yes there is a bunch of PHP Applications that rely on
register_globals=Off and are totally unsecure with register_globals=On.
This says a lot about the code quality.

--
--------------------------------------------------------------------------
 Stefan Esser                                        sesser@php.net
 Hardened-PHP Project                      http://www.hardened-php.net/
 GPG-Key          gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78
 Key fingerprint  7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78
--------------------------------------------------------------------------