Newsgroups: php.internals
Message-ID: <6A.A7.00424.EADA2C24@pb1.pair.com>
To: internals@lists.php.net
Date: Wed, 29 Jun 2005 16:27:17 +0200
References: <42BDDC82.6020208@ohgaki.net> <17088.52397.92440.326561@desk.crynwr.com> <42C0CF76.6090203@lerdorf.com> <42C0F4DA.4000605@php.net> <17089.18702.450236.614561@desk.crynwr.com> <42C225F7.1060201@lerdorf.com> <17090.14242.815242.149673@desk.crynwr.com> <3br12t95.fsf@random.internal>
In-Reply-To: <3br12t95.fsf@random.internal>
Subject: Re: [PHP-DEV] allow_url_fopen should be INI_ALL
From: lists@sebastianmendel.de (Sebastian Mendel)

Derrell.Lipman@UnwiredUniverse.com wrote:
> Jani Taskinen writes:
>
>> Please troll, do you go away if I close my eyes?
>
> That's not fair. Russell is providing strong arguments and rebuttals for
> every point. You may not agree with his points, but what he's doing is not
> trolling. This discussion seems to have strong backing on both sides of the
> issue.

I agree fully!

Isn't it possible to add a check to the include*()/require*() statements that checks the parameter for existence in the superglobal $_REQUEST? If the same value is found in $_REQUEST, it could raise a WARNING and notify the user about this security leak.

-- 
Sebastian Mendel

www.sebastianmendel.de
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
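
A userland sketch of the check proposed in the message above, added here as an example; it is not part of the original post and not PHP engine code. The helper names `request_taints_path()` and `checked_include()` and the sample request array are assumptions made for illustration.

```php
<?php
// Added example: request_taints_path() and checked_include() are hypothetical
// helpers, not PHP built-ins and not code from the php.internals thread.

/** Return the request keys whose value is exactly the path about to be included. */
function request_taints_path(string $path, array $request, string $prefix = ''): array
{
    $hits = [];
    foreach ($request as $key => $value) {
        $name = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            // Request data can be nested, e.g. ?opts[tpl]=header.php
            $hits = array_merge($hits, request_taints_path($path, $value, $name));
        } elseif ((string) $value === $path) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/**
 * Raise the WARNING the proposal asks for. Refusing the include afterwards is
 * this example's own choice; the proposal itself only mentions the warning.
 * Unlike a bare include, the file runs in this function's variable scope.
 */
function checked_include(string $path, ?array $request = null)
{
    $hits = request_taints_path($path, $request ?? $_REQUEST);
    if ($hits !== []) {
        trigger_error(
            'include path is identical to request parameter(s): ' . implode(', ', $hits),
            E_USER_WARNING
        );
        return false;
    }
    return include $path;
}

// Constructed sample data standing in for $_REQUEST.
$sample = ['page' => 'http://example.com/remote.txt', 'opts' => ['tpl' => 'header.php']];

// Parameter used verbatim as the include path (top-level and nested).
var_dump(request_taints_path('http://example.com/remote.txt', $sample));
var_dump(request_taints_path('header.php', $sample));

// Parameter embedded in a longer path: no request value equals the final
// string, so an equality check alone does not flag this case.
var_dump(request_taints_path('pages/' . $sample['opts']['tpl'], $sample));
```

The last call shows the limit of matching on "the same value": a path assembled by concatenation contains the request value but is not equal to it.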