Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: another fix for max_input_vars
From: h.reindl@thelounge.net (Reindl Harald)
To: internals@lists.php.net
Date: Wed, 04 Jan 2012 21:15:51 +0100
Organization: the lounge interactive design
Message-ID: <4F04B377.4040105@thelounge.net>
In-Reply-To: <4F04B071.8080102@php.net>

On 04.01.2012 21:02, Rasmus Lerdorf wrote:
> But there is a very valid security concern here. People can usually run
> safely with display_errors enabled if their code is well-written.

If it is well written there would be no errors displayed, but you miss one thing - in production you MUST NOT display errors.

> They can check for potential errors and avoid them. This one can't be checked
> for and you could easily write a scanner that scoured the Net for sites
> with display_errors enabled by sending a relatively short POST request
> to each one and checking for this error.

Does not matter: if display_errors is on, DISPLAY it; if it is off, do NOT. There is nothing in between. Every attempt to make exceptions here is simply bad style and should not be done - where do you stop? You can't decide - only the admin, or the developer with ini_set(), has to decide, and nobody else.
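The check Rasmus describes (an oversized POST followed by a look at the response body) is simple enough to run against your own hosts before someone else does. The script below is an added example, not code from the PHP project or from either participant in the thread. It assumes PHP 5.3.9 or later with max_input_vars at its default of 1000, and that the warning PHP emits when the limit is exceeded contains the text "Input variables exceeded"; that substring, and the placeholder URL, are assumptions, and the two sample responses are constructed, not captured from any real site. The offline parts (building the probe body, matching the response) are what a self-test can exercise; `probe()` does the actual request and is only meant for servers you administer.

```python
"""Self-check for the display_errors leak via max_input_vars.

Added example; not PHP project code and not from the thread authors.
Assumptions (labelled): PHP >= 5.3.9, max_input_vars at its default of
1000, and a warning containing "Input variables exceeded" when a request
carries more variables than that. With display_errors=On that warning
lands in the HTTP response body, which is what the scanner looks for.
"""
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

MAX_INPUT_VARS_DEFAULT = 1000  # PHP default; assumption about the target

# Assumption: substring of the PHP warning text emitted for this limit.
LEAK_PATTERN = re.compile(r"Input variables exceeded \d+", re.IGNORECASE)


def build_probe_body(limit: int = MAX_INPUT_VARS_DEFAULT) -> bytes:
    """Return a URL-encoded POST body carrying limit+1 distinct variables.

    Each pair is 'vN=1', so the whole body is roughly 10 KB for 1001
    variables: the "relatively short POST request" the thread mentions.
    dict insertion order is preserved, so the body starts with v0=1.
    """
    return urlencode({f"v{i}": "1" for i in range(limit + 1)}).encode("ascii")


def leaks_display_errors(response_body: str) -> bool:
    """True if the response body exposes the max_input_vars warning."""
    return LEAK_PATTERN.search(response_body) is not None


def probe(url: str, timeout: float = 10.0) -> bool:
    """POST the oversized body to url (a host you own) and check the reply.

    Network access is intentionally isolated here so the matching logic
    above can be tested without a server.
    """
    req = Request(
        url,
        data=build_probe_body(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return leaks_display_errors(body)


# Constructed sample responses (not captured from any real site).
SAMPLE_LEAKING = (
    "<br />\n<b>Warning</b>:  Unknown: Input variables exceeded 1000. "
    "To increase the limit change max_input_vars in php.ini. in "
    "<b>Unknown</b> on line <b>0</b><br />\n<html>...</html>"
)
SAMPLE_CLEAN = "<html><body>Form received.</body></html>"

if __name__ == "__main__":
    print("leaking sample:", leaks_display_errors(SAMPLE_LEAKING))  # True
    print("clean sample:  ", leaks_display_errors(SAMPLE_CLEAN))    # False
    # probe("https://staging.example.invalid/form.php")  # placeholder URL
```

If `probe()` returns True for one of your sites, the fix is the one the thread itself points to: set display_errors=Off (and log_errors=On so the warning still reaches the error log) in production, rather than relying on PHP to special-case this one message.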