Newsgroups: php.internals
Message-ID: <42C225F7.1060201@lerdorf.com>
Date: Tue, 28 Jun 2005 21:39:19 -0700
From: rasmus@lerdorf.com (Rasmus Lerdorf)
To: Russell Nelson
CC: internals@lists.php.net
In-Reply-To: <17089.18702.450236.614561@desk.crynwr.com>
Subject: Re: [PHP-DEV] allow_url_fopen should be INI_ALL

Russell Nelson wrote:
> Stefan Esser writes:
> > I agree with Rasmus. Remote URL Includes are dying out.
>
> That's not what Rasmus said.
>
> > Most released advisories are SQL Injections nowadays and well maybe
> > Russell's next mail says: mysql_query() considered harmful.
>
> When the top Google result for 'php security flaw' returns
> mysql_query() instead of include(), I will agree that you are correct.

I am not sure a Google search is a very good barometer here. I'd like to
think that we are pretty good at staying on top of the security problems
reported in PHP-related applications and as such have a pretty good idea
of what the top problems are. I rarely see these url_fopen issues
anymore. Perhaps 2 years ago, but today it really doesn't seem like it
is even in the top 10 PHP security problems. If you could order your
search results by date I bet you'd see that a number of these entries
are quite old.

-Rasmus