Newsgroups: php.internals
Date: Tue, 10 Apr 2012 10:47:05 -0700
To: Yasuo Ohgaki
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Disabling PHP tags by php.ini and CLI options
From: chrisstocktonaz@gmail.com (Chris Stockton)

Hello,

On Tue, Apr 10, 2012 at 12:59 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> This is the RFC as in the title.
> Although it's not a direct security measure, it's related
> to critical security problem prevention.
>
> If you are not familiar with how to execute arbitrary PHP code,
> steal data from RDBMS via SQL injection and LFI, it may be
> interesting.
>
> This RFC will not break any existing code. Programmers
> may keep full backward compatibility while getting better
> security.
>
> https://wiki.php.net/rfc/nophptags
>
> Please read and give comments.
> Thank you.
>
> P.S. This RFC is based on the April Fool RFC written by Moriyoshi,
> but this is a serious RFC.

I'm sorry, I have read your RFC and do not mean to offend. I appreciate the effort you spent writing it, but I have to say it is really far off from actually solving the "Problem" you want to fix. I will suggest you use the tokenizer extension if you really must do what you are trying to describe.

My vote on this is -1

-Chris
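The reply above points to the tokenizer extension as the place to detect PHP tags in a file rather than changing the language. As an added example that is not part of the thread or the RFC, the PHP below uses token_get_all() to list every open tag in a file's source and wraps that in a guard that refuses to treat a tagged file as plain data (the use case the RFC targets: a template or uploaded file reaching include()). Function names and the sample inputs are constructed for this example; the check honours the short_open_tag setting of the running interpreter, since the tokenizer does.

```php
<?php
declare(strict_types=1);

/**
 * Return every PHP open tag in $source as [line, tag text] pairs.
 * A file with no open tag tokenizes to a single T_INLINE_HTML token,
 * so an empty result means include() would execute nothing.
 */
function find_php_open_tags(string $source): array
{
    $found = [];
    foreach (token_get_all($source) as $token) {
        if (!is_array($token)) {
            continue; // single-character tokens carry no tag information
        }
        [$id, $text, $line] = $token;
        if ($id === T_OPEN_TAG || $id === T_OPEN_TAG_WITH_ECHO) {
            $found[] = [$line, trim($text)];
        }
    }
    return $found;
}

/**
 * Read a file that is supposed to be data (template, upload, fragment)
 * and refuse it if it contains PHP tags. The content is returned as a
 * string for the caller to emit or parse; it is never passed to include().
 */
function read_data_file_or_fail(string $path): string
{
    $source = file_get_contents($path);
    if ($source === false) {
        throw new RuntimeException("cannot read $path");
    }
    $tags = find_php_open_tags($source);
    if ($tags !== []) {
        [$line, $text] = $tags[0];
        throw new RuntimeException(
            "$path contains PHP tag '$text' at line $line; refusing to use it"
        );
    }
    return $source;
}

// Constructed samples: one plain HTML template, one carrying both tag forms.
$plain  = "<html><body>Hello</body></html>\n";
$tagged = "<html>\n<body><?= \$x ?>\n<?php echo 'injected'; ?></body></html>\n";

var_dump(find_php_open_tags($plain));  // array(0) {}
var_dump(find_php_open_tags($tagged)); // [[2, '<?='], [3, '<?php']]
```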