Newsgroups: php.internals
Xref: news.php.net php.internals:69404
Date: Sat, 28 Sep 2013 11:25:14 +0100
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed
From: leight@gmail.com (Leigh)
To: Peter Lind
Cc: PHP Internals, Yasuo Ohgaki, Tjerk Meesters, Madara Uchiha

On Sep 28, 2013 10:39 AM, "Peter Lind" wrote:
>
> So you're stuck with two choices: accept that PHP security is lax and that as a result a lot of code will have many attack vectors, or try to change the language itself for the better. The third option of "educate" is a mirage.
>

PHP provides you with all the tools you need to write secure apps. I could go around writing mysql_query($_REQUEST["blah"]) but I don't. Why? Because I have been educated. We don't have restrictions in the core that prevent me from doing it, and we don't need them either.

I agree with you, being secure by default is a worthy objective, but the proposal here shouldn't even be on by default. (Remember not everyone is able to control their ini settings and whatnot.)

Education is not a mirage. People picked up their insecure coding habits from somewhere, and if it's from laziness then I don't think they really deserve protecting. If it was from a terrible blog article promoting insecure practices then we need better articles. There's not much we can do to remove the content that's already out there, but there's a lot we can do with providing new, up-to-date and accurate content.
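As an added illustration of the opt-in, userland route this reply alludes to (example code written for this archive page, not code from the thread or from the core proposal), the following PHP performs the session ID regeneration on client address change using only functions PHP already ships. It assumes cookie-based sessions and that REMOTE_ADDR is the real client address; behind a reverse proxy it would be the proxy's address and the check would need adapting.

```php
<?php
// Added example, not from the thread: regenerate the session ID when the
// client address recorded in the session no longer matches the request.
// Assumption: $_SERVER['REMOTE_ADDR'] is the real client address (no proxy).

declare(strict_types=1);

// Returns true when the session ID was regenerated because the address changed.
function regenerate_session_on_ip_change(string $client_ip): bool
{
    if (!isset($_SESSION['client_ip'])) {
        // First request of this session: record the address, nothing to compare yet.
        $_SESSION['client_ip'] = $client_ip;
        return false;
    }

    if ($_SESSION['client_ip'] === $client_ip) {
        return false;
    }

    // Address changed: issue a fresh ID and delete the old session data file so a
    // copied cookie carrying the old ID stops resolving to this session.
    session_regenerate_id(true);
    $_SESSION['client_ip'] = $client_ip;
    return true;
}

session_start([
    'cookie_httponly' => true,
    'cookie_samesite' => 'Lax',
    'use_strict_mode' => true,  // reject session IDs this server never issued
]);

if (regenerate_session_on_ip_change($_SERVER['REMOTE_ADDR'] ?? '')) {
    // Worth logging: a legitimate roaming user and a replayed cookie look the same here.
    error_log('session ID regenerated after client address change');
}
```

Regeneration only retires the old ID; whichever client made the current request receives the new one, so this shortens the useful life of a stolen cookie rather than proving who holds it, and legitimate address changes (mobile roaming, proxy pools) trigger it as well.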