Newsgroups: php.internals
Date: Tue, 12 Jul 2005 00:11:14 -0400
From: nelson@crynwr.com (Russell Nelson)
Subject: RE: [PHP-DEV] Bringing the 'include' discussion to an end

David Zülke writes:
 > I don't care about the thousands of idiots out there who are too
 > dumb to avoid security leaks.

You don't have to be very dumb to create a whopping big security hole.
It should be *hard* to create a security lapse which causes hostile code to run on your server. 'include' makes it trivial.

 > The discussion is stupid, and it did nothing but waste helluva lot
 > of bandwidth.

Actually ... this discussion established firmly that PHP's insecurity is designed-in as a _feature_. Anybody reading the archives will understand that PHP and security will forever be strangers to each other. Sorry, Rasmus, for calling a spade a spade, but it needs to be said even if you don't like it.

-- 
--My blog is at     blog.russnelson.com         | If you want to find
Crynwr sells support for free software  | PGPok | injustice in economic
521 Pleasant Valley Rd. | +1 315-323-1241       | affairs, look for the
Potsdam, NY 13676-3213  |                       | hand of a legislator.