Newsgroups: php.internals
Xref: news.php.net php.internals:59507
From: johncrenshaw@priacta.com
To: Yasuo Ohgaki, Arvids Godjuks
CC: PHP Internals, Tom Boutell
Date: Mon, 9 Apr 2012 11:34:20 -0400
References: <4F80C739.2060404@gmail.com>
Subject: RE: [PHP-DEV] PHP class files without

> There were plenty of embedded PHP pages 10 years ago.
> Only template pages require embedded PHP script now.

There are legions of sites that use PHP "on the metal". No framework, no MVC, no CMS, just direct code files mingled with some includes for site layout. It works brilliantly for smaller sites and it is blazing fast.

> > There is no compatibility issue for current code.
> New code that adopts non-embed scripting will enjoy better security than now.

The security argument here is really totally bogus. The idea behind this change has nothing to do with security, and making it won't improve security either. There's been a lot of talk about scripts embedded in images or other uploads, but the truth is that this will have zero impact on such attacks. If the attack used direct execution then the script didn't even check the extension, and an attacker just has to upload a different format and/or use a different extension (and even that only if the server, probably Apache, is configured to know the difference). If the attack was via inclusion, same thing, changing the expected syntax of the included file doesn't make it any less vulnerable. So far I'm not seeing a compelling argument for removing
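As an added illustration (not code from the thread or from PHP itself) of the two controls the reply says actually decide whether an upload or inclusion attack works, regardless of the open-tag syntax: validating an upload by extension and by its real content before storing it outside the document root, and selecting included files from a fixed whitelist rather than from a request-supplied path. The upload directory, page names and function names are assumptions.

```php
<?php
// Added example, not from the php.internals thread. Names and paths are hypothetical.
declare(strict_types=1);

// Hypothetical storage directory outside the document root, so nothing uploaded
// is ever reachable by URL or handed to the PHP interpreter by the web server.
const UPLOAD_DIR = '/var/app/uploads';

/**
 * Accept an uploaded image only if its extension AND its sniffed content
 * (bytes on disk, not the client-supplied Content-Type) are both whitelisted.
 * Returns the stored path, or null if the upload is rejected.
 */
function store_image_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    // pathinfo() takes the LAST extension, so "shell.jpg.php" yields "php" and is rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return null;   // extension claims an image, the bytes say otherwise
    }
    // Server-generated name: the client never chooses the stored filename.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

/**
 * Inclusion by whitelist: the request selects a key, never a path, so an
 * uploaded file (whatever its contents or syntax) can never be include()d.
 */
function include_page(string $page): void
{
    $pages = [
        'home'  => __DIR__ . '/pages/home.php',
        'about' => __DIR__ . '/pages/about.php',
    ];
    require $pages[$page] ?? $pages['home'];
}
```

Note that a polyglot file (valid image header with script text appended) passes the content sniff, which is why the extension whitelist and out-of-webroot storage, not the content check, are what prevent execution.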