Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:60467
Return-Path: <ceo@l-i-e.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 53399 invoked from network); 5 May 2012 15:55:47 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 5 May 2012 15:55:47 -0000
Authentication-Results: pb1.pair.com smtp.mail=ceo@l-i-e.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=ceo@l-i-e.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain l-i-e.com designates 67.139.134.202 as permitted sender)
X-PHP-List-Original-Sender: ceo@l-i-e.com
X-Host-Fingerprint: 67.139.134.202 o2.hostbaby.com FreeBSD 4.7-5.2 (or MacOS X 10.2-10.3) (2)
Received: from [67.139.134.202] ([67.139.134.202:3724] helo=o2.hostbaby.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id AE/F3-30075-18D45AF4 for <internals@lists.php.net>; Sat, 05 May 2012 11:55:46 -0400
Received: (qmail 98448 invoked by uid 98); 5 May 2012 15:55:45 -0000
Received: from localhost by o2.hostbaby.com (envelope-from <ceo@l-i-e.com>, uid 1013) with qmail-scanner-2.05 
 ( 
 Clear:RC:1(127.0.0.1):. 
 Processed in 0.037108 secs); 05 May 2012 15:55:45 -0000
Received: from localhost (HELO www.l-i-e.com) (127.0.0.1)
  by localhost with SMTP; 5 May 2012 15:55:44 -0000
Received: from webmail
        (SquirrelMail authenticated user ceo@l-i-e.com)
        by www.l-i-e.com with HTTP;
        Sat, 5 May 2012 10:55:45 -0500
Message-ID: <2d366ed2f445f9a48ce1a19e43bca3f2.squirrel@www.l-i-e.com>
In-Reply-To: 
 <CAGa2bXYdfTuXAwQK6i0hk9jZGZsM1KaXsQqMAFsrBKbERTX9_w@mail.gmail.com>
References:
    <CAGa2bXYdfTuXAwQK6i0hk9jZGZsM1KaXsQqMAFsrBKbERTX9_w@mail.gmail.com>
Date: Sat, 5 May 2012 10:55:45 -0500
To: "Yasuo Ohgaki" <yohgaki@ohgaki.net>
Cc: internals@lists.php.net
User-Agent: SquirrelMail/1.4.21 [SVN]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Subject: Re: [PHP-DEV] [RFC] Optional PHP tags by php.ini and CLI options 
 (Ver. 1.4)
From: ceo@l-i-e.com ("Richard Lynch")

On Wed, April 11, 2012 5:14 pm, Yasuo Ohgaki wrote:
> I think my RFC confused people on this list due to improper
> descriptions
> and too much information. Sorry for the confusion. I revised the RFC
> so
> that most important points can be understood at a glance.
>
> https://wiki.php.net/rfc/nophptags

We all know there are a LOT of bad scripts out there.

A *LOT* of bad scripts.

With major security holes in them.

I do not see your average PHP scripter changing that behavior: It's
just so easy to write a PHP script, which is why it's so popular.

Now, you are going to open up all the inexperienced scripters to code
exposure when they start using this cool new feature of being lazy and
not typing that silly <?php tag.

And that code being exposed will have major security holes in it.

This is just not a good idea...

Instead of random bots attacking random URLs hoping to hit pay dirt
for an SQL injection, you will have bots that:

    Use google to find stuff that looks like raw PHP code.
    Scape page to look for mysql.*$_POST
    Attack site.

Unless I'm really missing something here, you put a few million
people's code at risk, for a feature that has dubious value in the
first place.

-- 
brain cancer update:
http://richardlynch.blogspot.com/search/label/brain%20tumor
Donate:
https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE