Now that the flamewar has died down a little I'd like to try to have a
civil discussion about this idea - without my admittedly
inflammatory suggestion to kill <?php altogether.
So here is what I am seriously suggesting:
-
The default behavior doesn't change. The parser starts out in HTML mode.
-
If the CLI sees a .phpc file extension, the parser starts out in PHP
mode (no opening <?php is required). It is still possible to shift
into HTML mode after that with ?>. -
If a require/include statement sees a .phpc file extension, the
parser starts out in PHP mode. -
If mod_php and FPM are able to see the path (I'm honestly not sure
if they can or not), they look for .phpc as their indication to start
out in PHP mode. If that's not possible then new options are defined
to allow Apache to be configured to tell mod_php and/or FPM to do the
right thing based on mime types etc.
This way .php continues to behave exactly as it does today, and can
interoperate smoothly with code that uses .phpc. .phpc can require
.php and vice versa. They are friends.
Thoughts?
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
I'm +1 on this.
<?php isn't a huge issue, but it is a bit of an annoyance. 'phpc' would help fix that up IMO.
Now that the flamewar has died down a little I'd like to try to have a
civil discussion about this idea - without my admittedly
inflammatory suggestion to kill <?php altogether.So here is what I am seriously suggesting:
The default behavior doesn't change. The parser starts out in HTML mode.
If the CLI sees a .phpc file extension, the parser starts out in PHP
mode (no opening <?php is required). It is still possible to shift
into HTML mode after that with ?>.If a require/include statement sees a .phpc file extension, the
parser starts out in PHP mode.If mod_php and FPM are able to see the path (I'm honestly not sure
if they can or not), they look for .phpc as their indication to start
out in PHP mode. If that's not possible then new options are defined
to allow Apache to be configured to tell mod_php and/or FPM to do the
right thing based on mime types etc.This way .php continues to behave exactly as it does today, and can
interoperate smoothly with code that uses .phpc. .phpc can require
.php and vice versa. They are friends.Thoughts?
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com (http://punkave.com)
window.punkave.com (http://window.punkave.com)
Now that the flamewar has died down a little I'd like to try to have a
civil discussion about this idea - without my admittedly
inflammatory suggestion to kill <?php altogether.So here is what I am seriously suggesting:
The default behavior doesn't change. The parser starts out in HTML mode.
If the CLI sees a .phpc file extension, the parser starts out in PHP
mode (no opening <?php is required). It is still possible to shift
into HTML mode after that with ?>.
Why ? What is the benefit ? You don't have to put <?php at the start of a php
file, so you save a few bytes...
Today PHP does not look at file extensions - so why change that behaviour ?
Extra complication with no real benefit.
Thanks for the idea - but no thanks.
--
Tom Boutell
P'unk Avenue
215 755 1330
What country would that be ? On a list like this numbers should start +
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h
Hello, Tom...
Are you seriously that bothered with '<?php' at the top of your classes?
Are you serious when talking changing reguire/include behaviour just to
satisfy your wish?
To be also serious, I would mention the possibility of including URLs.
There is no such thing as file name extension in URLs. Thus your idea
should be forgot. Personally, I really think 1st of April is like
continuing in the internals mailing list...
2012/4/7 Tom Boutell tom@punkave.com
Now that the flamewar has died down a little I'd like to try to have a
civil discussion about this idea - without my admittedly
inflammatory suggestion to kill <?php altogether.So here is what I am seriously suggesting:
The default behavior doesn't change. The parser starts out in HTML mode.
If the CLI sees a .phpc file extension, the parser starts out in PHP
mode (no opening <?php is required). It is still possible to shift
into HTML mode after that with ?>.If a require/include statement sees a .phpc file extension, the
parser starts out in PHP mode.If mod_php and FPM are able to see the path (I'm honestly not sure
if they can or not), they look for .phpc as their indication to start
out in PHP mode. If that's not possible then new options are defined
to allow Apache to be configured to tell mod_php and/or FPM to do the
right thing based on mime types etc.This way .php continues to behave exactly as it does today, and can
interoperate smoothly with code that uses .phpc. .phpc can require
.php and vice versa. They are friends.Thoughts?
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
From the viewpoint of someone writing reusable classes, the need to
start with <?php and reprimand anybody who accidentally puts a newline
above it is a silly annoyance they don't experience with other tools.
That said, you are making valid points, I'm not convinced myself that
"file extensions" necessarily should or could be determined in every
context. But it seems the most viable way of addressing the issue - if
a viable way even exists. Partly I want to convince myself that this
either can or can't ever be improved, and move on either way (:
Hello, Tom...
Are you seriously that bothered with '<?php' at the top of your classes? Are
you serious when talking changing reguire/include behaviour just to satisfy
your wish?To be also serious, I would mention the possibility of including URLs. There
is no such thing as file name extension in URLs. Thus your idea should be
forgot. Personally, I really think 1st of April is like continuing in the
internals mailing list...2012/4/7 Tom Boutell tom@punkave.com
Now that the flamewar has died down a little I'd like to try to have a
civil discussion about this idea - without my admittedly
inflammatory suggestion to kill <?php altogether.So here is what I am seriously suggesting:
The default behavior doesn't change. The parser starts out in HTML mode.
If the CLI sees a .phpc file extension, the parser starts out in PHP
mode (no opening <?php is required). It is still possible to shift
into HTML mode after that with ?>.If a require/include statement sees a .phpc file extension, the
parser starts out in PHP mode.If mod_php and FPM are able to see the path (I'm honestly not sure
if they can or not), they look for .phpc as their indication to start
out in PHP mode. If that's not possible then new options are defined
to allow Apache to be configured to tell mod_php and/or FPM to do the
right thing based on mime types etc.This way .php continues to behave exactly as it does today, and can
interoperate smoothly with code that uses .phpc. .phpc can require
.php and vice versa. They are friends.Thoughts?
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com--
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
From the viewpoint of someone writing reusable classes, the need to
start with <?php and reprimand anybody who accidentally puts a newline
above it is a silly annoyance they don't experience with other tools.That said, you are making valid points, I'm not convinced myself that
"file extensions" necessarily should or could be determined in every
context. But it seems the most viable way of addressing the issue - if
a viable way even exists. Partly I want to convince myself that this
either can or can't ever be improved, and move on either way (:
If accidental newlines above the <?php are your only issue surely it makes more sense to have PHP ignore any whitespace before an initial <?php in the file, just like it ignores a carriage return after ?>.
-Stuart
--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
Am 07.04.2012 15:43, schrieb Stuart Dallas:
From the viewpoint of someone writing reusable classes, the need to
start with <?php and reprimand anybody who accidentally puts a newline
above it is a silly annoyance they don't experience with other tools.That said, you are making valid points, I'm not convinced myself that
"file extensions" necessarily should or could be determined in every
context. But it seems the most viable way of addressing the issue - if
a viable way even exists. Partly I want to convince myself that this
either can or can't ever be improved, and move on either way (:If accidental newlines above the <?php are your only issue surely it makes more sense to have PHP ignore any whitespace before an initial <?php in the file, just like it ignores a carriage return after ?>.
the main question is why making them and where should php start
and where better stop to hold users hands?
what is the next? making ; optional and change the interpreter
to a gambling-machine because someone comes out whining it does
not work if he makes syntax errors?
April 1st is over so please stop this useless discussion
you are not making valid points
you are proposing DANGEROUS changes!
what happens if PHP 5.4.x will follow your wishes
(what never will happen) and your file without
<?php will be called on a machine with a lower
php-version?
what you also do not realize is that the world is not turning
around your windows machine - in the unix world extensions
are meaningless - the sheabing and execute permissions are
the only things controlling if a zexzfile is executeable
and with which interpreter this happens
and no the world is not turning around you or even around PHP
this is how unix-systems and shells are working and there
is no place for funny execptions in this world
Am 07.04.2012 15:39, schrieb Tom Boutell:
From the viewpoint of someone writing reusable classes, the need to
start with <?php and reprimand anybody who accidentally puts a newline
above it is a silly annoyance they don't experience with other tools.That said, you are making valid points, I'm not convinced myself that
"file extensions" necessarily should or could be determined in every
context. But it seems the most viable way of addressing the issue - if
a viable way even exists. Partly I want to convince myself that this
either can or can't ever be improved, and move on either way (:Hello, Tom...
Are you seriously that bothered with '<?php' at the top of your classes? Are
you serious when talking changing reguire/include behaviour just to satisfy
your wish?To be also serious, I would mention the possibility of including URLs. There
is no such thing as file name extension in URLs. Thus your idea should be
forgot. Personally, I really think 1st of April is like continuing in the
internals mailing list...2012/4/7 Tom Boutell tom@punkave.com
Now that the flamewar has died down a little I'd like to try to have a
civil discussion about this idea - without my admittedly
inflammatory suggestion to kill <?php altogether.So here is what I am seriously suggesting:
The default behavior doesn't change. The parser starts out in HTML mode.
If the CLI sees a .phpc file extension, the parser starts out in PHP
mode (no opening <?php is required). It is still possible to shift
into HTML mode after that with ?>.If a require/include statement sees a .phpc file extension, the
parser starts out in PHP mode.If mod_php and FPM are able to see the path (I'm honestly not sure
if they can or not), they look for .phpc as their indication to start
out in PHP mode. If that's not possible then new options are defined
to allow Apache to be configured to tell mod_php and/or FPM to do the
right thing based on mime types etc.This way .php continues to behave exactly as it does today, and can
interoperate smoothly with code that uses .phpc. .phpc can require
.php and vice versa. They are friends.Thoughts?
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com--
--
Mit besten Grüßen, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/
<?php is a simple and effective way to enter "php mode". File
extensions are really irrelevant.
This isn't a sensible idea.
you are not making valid points
you are proposing DANGEROUS changes!what happens if PHP 5.4.x will follow your wishes
(what never will happen) and your file without
<?php will be called on a machine with a lower
php-version?what you also do not realize is that the world is not turning
around your windows machine - in the unix world extensions
are meaningless - the sheabing and execute permissions are
the only things controlling if a zexzfile is executeable
and with which interpreter this happensand no the world is not turning around you or even around PHP
this is how unix-systems and shells are working and there
is no place for funny execptions in this worldAm 07.04.2012 15:39, schrieb Tom Boutell:
From the viewpoint of someone writing reusable classes, the need to
start with <?php and reprimand anybody who accidentally puts a newline
above it is a silly annoyance they don't experience with other tools.That said, you are making valid points, I'm not convinced myself that
"file extensions" necessarily should or could be determined in every
context. But it seems the most viable way of addressing the issue - if
a viable way even exists. Partly I want to convince myself that this
either can or can't ever be improved, and move on either way (:Hello, Tom...
Are you seriously that bothered with '<?php' at the top of your classes? Are
you serious when talking changing reguire/include behaviour just to satisfy
your wish?To be also serious, I would mention the possibility of including URLs. There
is no such thing as file name extension in URLs. Thus your idea should be
forgot. Personally, I really think 1st of April is like continuing in the
internals mailing list...2012/4/7 Tom Boutell tom@punkave.com
Now that the flamewar has died down a little I'd like to try to have a
civil discussion about this idea - without my admittedly
inflammatory suggestion to kill <?php altogether.So here is what I am seriously suggesting:
The default behavior doesn't change. The parser starts out in HTML mode.
If the CLI sees a .phpc file extension, the parser starts out in PHP
mode (no opening <?php is required). It is still possible to shift
into HTML mode after that with ?>.If a require/include statement sees a .phpc file extension, the
parser starts out in PHP mode.If mod_php and FPM are able to see the path (I'm honestly not sure
if they can or not), they look for .phpc as their indication to start
out in PHP mode. If that's not possible then new options are defined
to allow Apache to be configured to tell mod_php and/or FPM to do the
right thing based on mime types etc.This way .php continues to behave exactly as it does today, and can
interoperate smoothly with code that uses .phpc. .phpc can require
.php and vice versa. They are friends.Thoughts?
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com--
--
Mit besten Grüßen, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/
and no the world is not turning around you or even around PHP
I will once more suggest you tune down your language on the
mailinglists. It's often rude and offensive. Let this be your last
warning.
cheers,
Derick
Am 07.04.2012 16:07, schrieb Derick Rethans:
and no the world is not turning around you or even around PHP
I will once more suggest you tune down your language on the
mailinglists. It's often rude and offensive. Let this be your last
warning
and what is there exactly rude?
this is simply the truth
or do you believe the world is turning around one person or PHP?
if someone brings proposals which are so less thight
what would you giev as answer? wait until enough people
not care enough abut the impacts start to implement
changes and then wait how to live with them?
i was there too often and nobody gives me back the wasted
lifetime for modify things after changes with zero benefit
and large impact - and what you lear after enough such
changes is that a "in my opinion not so a good idea" will
be ignored if someone loves to make changes
Am 07.04.2012 16:07, schrieb Derick Rethans:
and no the world is not turning around you or even around PHP
I will once more suggest you tune down your language on the
mailinglists. It's often rude and offensive. Let this be your last
warningand what is there exactly rude?
this is simply the truth
or do you believe the world is turning around one person or PHP?
But it is certainly also not resolving around you.
You repeatly call people stupid, or "like a child" or "what terrible
happened in your life" and that is not allowed behaviour here. If you
(or anyone else for that matter) can't refrain from that, you have no
place on this list.
Derick
You repeatly call people stupid, or "like a child" or "what terrible
happened in your life" and that is not allowed behaviour here. If you
(or anyone else for that matter) can't refrain from that, you have no
place on this list.Derick
Couldn't agree more. The behavior exhibited by some people on this list is
disgraceful. This is just the latest example IMO.
Thanks,
Kiall
He's done.
You repeatly call people stupid, or "like a child" or "what terrible
happened in your life" and that is not allowed behaviour here. If you
(or anyone else for that matter) can't refrain from that, you have no
place on this list.Derick
Couldn't agree more. The behavior exhibited by some people on this list is
disgraceful. This is just the latest example IMO.Thanks,
Kiall
While anything even resembling censorship naturally makes me cringe, it is
a reasonable expectation I think that this list be a place where people can
suggest ideas without being called "stupid" and childishly berated.
Bullying, it could be argued, is also a form of censorship.
So despite my instinctive unease, I think booting this guy was the right
call. He was just using this list to bully people and I think we sent a
good message by getting rid of him.
Civility and mutual respect FTW!
(Seriously, Droid?! Not only is it highlighting "FTW" as a misspelling,
but "Droid" as well lol.... /tangent)
--Kris
He's done.
You repeatly call people stupid, or "like a child" or "what terrible
happened in your life" and that is not allowed behaviour here. If you
(or anyone else for that matter) can't refrain from that, you have no
place on this list.Derick
Couldn't agree more. The behavior exhibited by some people on this list
is
disgraceful. This is just the latest example IMO.Thanks,
Kiall
From the viewpoint of someone writing reusable classes, the need to
start with <?php and reprimand anybody who accidentally puts a newline
above it is a silly annoyance they don't experience with other tools.That said, you are making valid points, I'm not convinced myself that
"file extensions" necessarily should or could be determined in every
context. But it seems the most viable way of addressing the issue - if
a viable way even exists. Partly I want to convince myself that this
either can or can't ever be improved, and move on either way (:
That "silly annoyance" doesn't seem to bother anyone who writes command line tools, which require the #! line specifying the command interpreter to be the first bytes in the file, with no leading white space whatsoever. Especially on unix systems (but also on the Mac), the file extension does not affirmatively indicate the file type or whether or not it can be executed.
Also, from a CLI perspective, you don't want extensions in the names of your scripts, because then it causes problems/confusion/extra work if you later decide to change the language the script is written in.
-John
--
John Bafford
http://bafford.com/
That's a good point too.
I think this is a better proposal:
include_code, require_code, and require_code_once would work just like
include, require and require_once, except that the parser would start
out in PHP mode.
.phpc is then just a convention for naming PHP files that start out
with code - a convention that autoloaders should respect, just as they
now respect the .php convention. "The user asked for the Monkey class,
and I see Monkey.phpc is out there; I'll grab that with
require_code_once."
Putting this decision on the autoloader makes more sense because
autoloaders already contain assumptions about file extensions. They
have to in order to do their job of translating a class name to a
particular path somewhere.
Folks who did not care for this functionality could then choose to
entirely ignore it. Class library developers who liked it would make
autoloaders available that honored it, freeing end-user developers
from thinking about it. It becomes self-contained, and people who are
writing old-school .php standalone scripts or pages are entirely
unaffected.
From the viewpoint of someone writing reusable classes, the need to
start with <?php and reprimand anybody who accidentally puts a newline
above it is a silly annoyance they don't experience with other tools.That said, you are making valid points, I'm not convinced myself that
"file extensions" necessarily should or could be determined in every
context. But it seems the most viable way of addressing the issue - if
a viable way even exists. Partly I want to convince myself that this
either can or can't ever be improved, and move on either way (:That "silly annoyance" doesn't seem to bother anyone who writes command line tools, which require the #! line specifying the command interpreter to be the first bytes in the file, with no leading white space whatsoever. Especially on unix systems (but also on the Mac), the file extension does not affirmatively indicate the file type or whether or not it can be executed.
Also, from a CLI perspective, you don't want extensions in the names of your scripts, because then it causes problems/confusion/extra work if you later decide to change the language the script is written in.
-John
--
John Bafford
http://bafford.com/--
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
Am 07.04.2012 16:00, schrieb Tom Boutell:
That's a good point too.
I think this is a better proposal:
include_code, require_code, and require_code_once would work just like
include, require and require_once, except that the parser would start
out in PHP mode.
would you please leave this world in peace?
what do you think happens with hundret thousands of existing
include-files out there which are containing only HTML?
why do you simply not realize that you have way too few knowledge
and tchnical education to partly understand the side effects
small changes in a general behavior are having and that the
benefit has to be a REAL LARGE ONE for everybody to accept
the possible damage - which is not the case here
where are your proposals for bash and other unix shells
hwo they have to work if there is a whitespace before
#!/bin/sh? what have you got as answer there?
again: please leave the world in peace with your poorly
thought proposals - and yes this is a really polite answer
compared with the thoughts running through my mind
while reading your stuff
Am 07.04.2012 16:00, schrieb Tom Boutell:
That's a good point too.
I think this is a better proposal:
include_code, require_code, and require_code_once would work just like
include, require and require_once, except that the parser would start
out in PHP mode.would you please leave this world in peace?
...
You may not agree with his proposal (neither do I) but please remain kind &
polite to him. He is not trolling.
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h
would you please leave this world in peace?
what do you think happens with hundret thousands of existing
include-files out there which are containing only HTML?
Nothing happens to them whatsoever. They work exactly the way they did
before. I am introducing separate keywords in this proposal precisely
to avoid creating problems for you. Please read the email you just
replied to.
why do you simply not realize that you have way too few knowledge
and tchnical education to partly understand the side effects
small changes in a general behavior are having
Sigh
See this?
http://php.net/manual/en/book.image.php
That's my doing, fella. I am the original author of the gd library
functions described there and the originator of the PNG file format
project as well. You have probably been using my work in your PHP code
for years, if you have done much image manipulation with PHP (although
there are some fine alternatives as well of course). I also wrote the
original WWW FAQ (circa '94) and have helped promote the open web ever
since.
And do you know how much that matters? Not one little bit. if this
proposal stinks, then it should be politely rejected. But not just
because somebody can't be civil (:
There are no side effects in the new proposal in the latest email you
are replying to, at least not that you have accurately identified yet.
The .phpc extension has completely vanished from use cases like yours
in that proposal. Pay attention to what I wrote and respond
thoughtfully.
benefit has to be a REAL LARGE ONE for everybody to accept
the possible damage - which is not the case herewhere are your proposals for bash and other unix shells
hwo they have to work if there is a whitespace before
#!/bin/sh? what have you got as answer there?again: please leave the world in peace with your poorly
thought proposals - and yes this is a really polite answer
compared with the thoughts running through my mind
while reading your stuff
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
Am 07.04.2012 16:23, schrieb Tom Boutell:
why do you simply not realize that you have way too few knowledge
and tchnical education to partly understand the side effects
small changes in a general behavior are havingSigh
See this?
http://php.net/manual/en/book.image.php
That's my doing, fella. I am the original author of the gd library
functions described there and the originator of the PNG file format
project as well. You have probably been using my work in your PHP code
for years, if you have done much image manipulation with PHP (although
there are some fine alternatives as well of course). I also wrote the
original WWW FAQ (circa '94) and have helped promote the open web ever
that leaves the question open what terrible happened in
your life between all that and the proposals last night
which sounded naive like from a child?
don't get me wrong and with all respect for the work
you have done - that's not an excuse for bring out
proposals like you did or even makes them more worse
as if they are coming from a completly newcomer because
you should know it better
said that: writing good libraries and books makes you not
automatically to a good designer for a programming language
that leaves the question open what terrible happened in your life between all that and the proposals last night which sounded naive like from a child?
Don't get me wrong and with all respect for the work you have done - that's not an excuse for bring out proposals like you did or even makes them more worse as if they are coming from a completly newcomer because you should know it better
said that: writing good libraries and books makes you not automatically to a good designer for a programming language
Every single reply from this guy in the last 24 hours has been childishly insulting and immature, and only one has contained anything more than personal attacks. Who moderates this list and enforces the rules? Can we please boot this guy, at least temporarily? He's contributing nothing to the discussion and appears to be truly incapable (both in action and by his own admission) of communicating in a civil way. We don't need this here. There have been multiple requests for him to stop from multiple people and it's not getting any better.
John Crenshaw
Priacta, Inc.
Am 07.04.2012 16:00, schrieb Tom Boutell:
That's a good point too.
I think this is a better proposal:
include_code, require_code, and require_code_once would work just like
include, require and require_once, except that the parser would start
out in PHP mode.
would you please leave this world in peace?
This is a much better proposal than magic-extensions,
and a backwards-compatible one.
You may not like it (I'm not convinced about it), but your
criticism here is wrong.
what do you think happens with hundret thousands of existing
include-files out there which are containing only HTML?
They would obviously continue working as they would be using
the old require code.
Moreover, including a HTML files is bad coding,readfile()works
much better.
why do you simply not realize that you have way too few knowledge
and tchnical education to partly understand the side effects
small changes in a general behavior are having and that the
benefit has to be a REAL LARGE ONE for everybody to accept
the possible damage - which is not the case here
This is a backwards compatible change.
The benefit of not typing '<?php' may not be worth adding those
new require types, they would also break new scripts on old engines.
But it wouldn't have those catastrophic effects that you seem to foresee.
Care to enlighten us poor myopic souls?
where are your proposals for bash and other unix shells
hwo they have to work if there is a whitespace before
#!/bin/sh? what have you got as answer there?
He is only doing a proposal for php, not for bash.
again: please leave the world in peace with your poorly
thought proposals - and yes this is a really polite answer
compared with the thoughts running through my mind
while reading your stuff
Please keep trying, it can still be improved.
From: Tom Boutell [mailto:tom@punkave.com]
That's a good point too.
I think this is a better proposal:
include_code, require_code, and require_code_once would work just like include, require and require_once, except that the parser would start out in PHP mode.
I don't like this, but it's closer. I hate the idea of adding a whole mess of one-off functions just to support a single coding style feature that doesn't seem to have very much support. There are a variety of other ideas that have been floating around that request changes to how the parser handles specific code (different short tags, sandboxing, auto-escaping, etc.).
What if you have just ONE function with a variety of options? Something like:
execute_file('path/to/foo.php', array(
'require'=>true,
'once'=>true,
'begin_code'=>'<?php ',
'shorttags'=>array('<?=','?>'),
'autoescape'=>function($str){return htmlentities($str, ENT_QUOTES | ENT_HTML5, 'UTF-8');},
...
));
This would provide a single consistent hook for any further DSL like features without impacting the behavior of any existing code. Some other options that might make sense:
lint (like command line)
end_code (similar to command line, corresponds with begin_code (also command line))
args (also command line)
Any PHP_INI_ALL directives
John Crenshaw
Priacta, Inc.
I don't like this, but it's closer. I hate the idea of adding a whole mess of one-off functions just to support a single coding style feature that doesn't seem to have very much support. There are a variety of other ideas that have been floating around that request changes to how the parser handles specific code (different short tags, sandboxing, auto-escaping, etc.).
What if you have just ONE function with a variety of options? Something like:
execute_file('path/to/foo.php', array(
'require'=>true,
'once'=>true,
'begin_code'=>'<?php ',
'shorttags'=>array('<?=','?>'),
'autoescape'=>function($str){return htmlentities($str,ENT_QUOTES| ENT_HTML5, 'UTF-8');},
...
));
While there's some elegance with your execute_file (there'd definitely be benefits to one function instead of the four we have now), the extra options would spawn so much Daily WTF material it wouldn't be funny, and I think most people would just stick with include/require/*_once because there'd be a lot less effort in the common case.
This would provide a single consistent hook for any further DSL like features without impacting the behavior of any existing code. Some other options that might make sense:
lint (like command line)
Actually, it'd be pretty cool to be able to lint a file without having to include runkit (there is a runkit_lint($code)) or make an external call to php -l.
end_code (similar to command line, corresponds with begin_code (also command line))
args (also command line)
Any PHP_INI_ALL directivesJohn Crenshaw
Priacta, Inc.
-John
--
John Bafford
http://bafford.com/
What if you have just ONE function with a variety of options? Something like:
execute_file('path/to/foo.php', array(
'require'=>true,
'once'=>true,
'begin_code'=>'<?php ',
'shorttags'=>array('<?=','?>'),
'autoescape'=>function($str){return htmlentities($str,ENT_QUOTES| ENT_HTML5, 'UTF-8');},
...
));
While there's some elegance with your execute_file (there'd definitely be benefits to one function instead of the four we have now), the extra options would spawn so much Daily WTF material it wouldn't be funny, and I think most people would just stick with include/require/*_once because there'd be a lot less effort in the common case.
I agree that the free-form tags could lead to much Daily WTF material,
but there's a simplett reason to reject it: The tags are hardcoded in
the lexer.
Making it anything can drop perfomance.
However, they could be possible as booleans, just as many of them are
now in php.ini.
And I like the idea of providing a function for auto escaping <?= echos.
That's a good point too.
I think this is a better proposal:
include_code, require_code, and require_code_once would work just like
include, require and require_once, except that the parser would start
out in PHP mode.
Those might be nice functions to have, but ...
.phpc is then just a convention for naming PHP files that start out
with code - a convention that autoloaders should respect, just as they
now respect the .php convention. "The user asked for the Monkey class,
and I see Monkey.phpc is out there; I'll grab that with
require_code_once."
… I think this isn't quite as simple as you make it out to be. Any autoloader that cared about bc would have to have code like
if(file_exists(.phpc)) require_code() else if(file_exists(.php)) require() else HCF()
There's a reason everyone settled around a single extension, and not the plethora we used to have (php, phtml, php3/php4, others?). Even in the rainbows-and-unicorns world where everyone always has an opcode cache and suitably tuned stat cache, that extra call to file_exists that will likely happen while waiting for files to be renamed and tested still isn't free. Also, I'm willing to bet that in the unlikely event you chose to drop out of PHP mode to dump a block of HTML, the awkwardness of a sudden ?> without a leading <?php would make the discussions about whether or not to have a trailing ?> at the end of files look like hyper-civilized discourse in comparison. (Though, it might be an interesting discussion regarding making the hypothetical require_code only (directly) include files that are pure code, with no <?php ?> tags allowed.)
Personally, I think the cognitive overhead the <?php ?> tags impose is pretty tiny. Yeah, you get weird errors sometimes, but once you understand what's going on, it's easy to fix (and generally easy to spot, if you're using version control). I really can't recall the last time it's happened to me and it took more than ten seconds to identify and fix. It's just one of the weird things about php. Every language has its rough edges, and in comparison, I really don't think this one even ranks in the top ten. There are plenty other parts of PHP that are far more awkward that could use addressing first (but won't, because of the bc break involved; haystack, meet needle).
You could also view <?php at the top of the file as a sort of magic number indicating the file type (such as used in many binary file formats: gifs always start with GIF87a/GIF89a, java class files with 0xCAFEBABE, etc). It's unlikely a file that starts with <?php is anything but.
-John
Putting this decision on the autoloader makes more sense because
autoloaders already contain assumptions about file extensions. They
have to in order to do their job of translating a class name to a
particular path somewhere.Folks who did not care for this functionality could then choose to
entirely ignore it. Class library developers who liked it would make
autoloaders available that honored it, freeing end-user developers
from thinking about it. It becomes self-contained, and people who are
writing old-school .php standalone scripts or pages are entirely
unaffected.From the viewpoint of someone writing reusable classes, the need to
start with <?php and reprimand anybody who accidentally puts a newline
above it is a silly annoyance they don't experience with other tools.That said, you are making valid points, I'm not convinced myself that
"file extensions" necessarily should or could be determined in every
context. But it seems the most viable way of addressing the issue - if
a viable way even exists. Partly I want to convince myself that this
either can or can't ever be improved, and move on either way (:That "silly annoyance" doesn't seem to bother anyone who writes command line tools, which require the #! line specifying the command interpreter to be the first bytes in the file, with no leading white space whatsoever. Especially on unix systems (but also on the Mac), the file extension does not affirmatively indicate the file type or whether or not it can be executed.
Also, from a CLI perspective, you don't want extensions in the names of your scripts, because then it causes problems/confusion/extra work if you later decide to change the language the script is written in.
-John
--
John Bafford
http://bafford.com/--
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com--
--
John Bafford
http://bafford.com/
That's a good point too.
I think this is a better proposal:
include_code, require_code, and require_code_once would work just like
include, require and require_once, except that the parser would start
out in PHP mode..phpc is then just a convention for naming PHP files that start out
with code - a convention that autoloaders should respect, just as they
now respect the .php convention. "The user asked for the Monkey class,
and I see Monkey.phpc is out there; I'll grab that with
require_code_once."Putting this decision on the autoloader makes more sense because
autoloaders already contain assumptions about file extensions. They
have to in order to do their job of translating a class name to a
particular path somewhere.Folks who did not care for this functionality could then choose to
entirely ignore it. Class library developers who liked it would make
autoloaders available that honored it, freeing end-user developers
from thinking about it. It becomes self-contained, and people who are
writing old-school .php standalone scripts or pages are entirely
unaffected.
Tony I think your idea has some merit. If it were up to me I'd remove
<?php all together. It really is bad practice to mix HTML into code.
But I feel that adding new keywords is not the way to do it.
Personally I'd like to see a php.ini setting to disallow the ending ?>
tag and assume .php files just have PHP code. The starting <?php tag
would be optional. White space would be ignored and non-white space
characters before <?php would throw a fatal error.
Doing it this way would disallow bad practices but still make existing
PHP scripts compatible.
I think that doing that would be quite reasonable. Those who complain
about it likely ignore industry best practices anyway. This option
could be turned off by default at first, made default later, and then
?> be deprecated all together.
So with this option enabled ?> is forbidden, <?php is optional, and
the text before <?php is handled differently - white spaces ignored,
text before throws an error (unless it's a shebang line in cli mode).
Hopefully that made sense. Does this sound good to you?
I'm sorry you had to endure such a nasty troll. I am so sick of self
righteous bullies who think they know it all.
Luke
From the viewpoint of someone writing reusable classes, the need to
start with <?php and reprimand anybody who accidentally puts a newline
above it is a silly annoyance they don't experience with other tools.That said, you are making valid points, I'm not convinced myself that
"file extensions" necessarily should or could be determined in every
context. But it seems the most viable way of addressing the issue - if
a viable way even exists. Partly I want to convince myself that this
either can or can't ever be improved, and move on either way (:That "silly annoyance" doesn't seem to bother anyone who writes command line tools, which require the #! line specifying the command interpreter to be the first bytes in the file, with no leading white space whatsoever. Especially on unix systems (but also on the Mac), the file extension does not affirmatively indicate the file type or whether or not it can be executed.
Also, from a CLI perspective, you don't want extensions in the names of your scripts, because then it causes problems/confusion/extra work if you later decide to change the language the script is written in.
-John
--
John Bafford
http://bafford.com/--
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
A thoughtful suggestion. But the trouble with a php.ini setting is that you can't tell if it is enabled when writing your class file. That makes it impossible to write portable libraries. The keywords would always be available. And no one has to type them outside of an auto loader (:
Sent from my iPhone
That's a good point too.
I think this is a better proposal:
include_code, require_code, and require_code_once would work just like
include, require and require_once, except that the parser would start
out in PHP mode..phpc is then just a convention for naming PHP files that start out
with code - a convention that autoloaders should respect, just as they
now respect the .php convention. "The user asked for the Monkey class,
and I see Monkey.phpc is out there; I'll grab that with
require_code_once."Putting this decision on the autoloader makes more sense because
autoloaders already contain assumptions about file extensions. They
have to in order to do their job of translating a class name to a
particular path somewhere.Folks who did not care for this functionality could then choose to
entirely ignore it. Class library developers who liked it would make
autoloaders available that honored it, freeing end-user developers
from thinking about it. It becomes self-contained, and people who are
writing old-school .php standalone scripts or pages are entirely
unaffected.Tony I think your idea has some merit. If it were up to me I'd remove
<?php all together. It really is bad practice to mix HTML into code.But I feel that adding new keywords is not the way to do it.
Personally I'd like to see a php.ini setting to disallow the ending ?>
tag and assume .php files just have PHP code. The starting <?php tag
would be optional. White space would be ignored and non-white space
characters before <?php would throw a fatal error.Doing it this way would disallow bad practices but still make existing
PHP scripts compatible.I think that doing that would be quite reasonable. Those who complain
about it likely ignore industry best practices anyway. This option
could be turned off by default at first, made default later, and then
?> be deprecated all together.So with this option enabled ?> is forbidden, <?php is optional, and
the text before <?php is handled differently - white spaces ignored,
text before throws an error (unless it's a shebang line in cli mode).Hopefully that made sense. Does this sound good to you?
I'm sorry you had to endure such a nasty troll. I am so sick of self
righteous bullies who think they know it all.Luke
From the viewpoint of someone writing reusable classes, the need to
start with <?php and reprimand anybody who accidentally puts a newline
above it is a silly annoyance they don't experience with other tools.That said, you are making valid points, I'm not convinced myself that
"file extensions" necessarily should or could be determined in every
context. But it seems the most viable way of addressing the issue - if
a viable way even exists. Partly I want to convince myself that this
either can or can't ever be improved, and move on either way (:That "silly annoyance" doesn't seem to bother anyone who writes command line tools, which require the #! line specifying the command interpreter to be the first bytes in the file, with no leading white space whatsoever. Especially on unix systems (but also on the Mac), the file extension does not affirmatively indicate the file type or whether or not it can be executed.
Also, from a CLI perspective, you don't want extensions in the names of your scripts, because then it causes problems/confusion/extra work if you later decide to change the language the script is written in.
-John
--
John Bafford
http://bafford.com/--
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
A thoughtful suggestion. But the trouble with a php.ini setting is that you can't tell if it is enabled when writing your class file. That makes it impossible to write portable libraries. The keywords would always be available. And no one has to type them outside of an auto loader (:
Sent from my iPhone
Why would you need to? With it on or off <?php would work like it did before:
With it off (how it is now):
-
Text before <?php would be printed to the output buffer.
-
?> ends php code and prints text between it and the next <?php tag
or the end of the file.
With it on:
-
<?php is optional and must be first in the file. White spaces before
<?php are ignored and text before throws an error (perhaps white space
should through an error). The shebang line for the cli sapi is the
only exception. -
?> is explicitly forbidden.
If classes start with <?php and leave out the ending ?> this should be
fine. Most classes written with PHP 5+ comparability do this anyway.
The only way I see this not working is for PHP short tags where PHP is
used as a template language. A lot of people decide to use other
template engines though, like Twig. I personally avoid short tags on
large projects and use them only on small quick and dirty projects.
Luke
(Sorry, I keep forgetting to hit reply all)
That's a good point too.
I think this is a better proposal:
include_code, require_code, and require_code_once would work just like
include, require and require_once, except that the parser would start
out in PHP mode..phpc is then just a convention for naming PHP files that start out
with code - a convention that autoloaders should respect, just as they
now respect the .php convention. "The user asked for the Monkey class,
and I see Monkey.phpc is out there; I'll grab that with
require_code_once."Putting this decision on the autoloader makes more sense because
autoloaders already contain assumptions about file extensions. They
have to in order to do their job of translating a class name to a
particular path somewhere.Folks who did not care for this functionality could then choose to
entirely ignore it. Class library developers who liked it would make
autoloaders available that honored it, freeing end-user developers
from thinking about it. It becomes self-contained, and people who are
writing old-school .php standalone scripts or pages are entirely
unaffected.Tony I think your idea has some merit. If it were up to me I'd remove
<?php all together. It really is bad practice to mix HTML into code.But I feel that adding new keywords is not the way to do it.
Personally I'd like to see a php.ini setting to disallow the ending ?>
tag and assume .php files just have PHP code. The starting <?php tag
would be optional. White space would be ignored and non-white space
characters before <?php would throw a fatal error.Doing it this way would disallow bad practices but still make existing
PHP scripts compatible.I think that doing that would be quite reasonable. Those who complain
about it likely ignore industry best practices anyway. This option
could be turned off by default at first, made default later, and then
?> be deprecated all together.So with this option enabled ?> is forbidden, <?php is optional, and
the text before <?php is handled differently - white spaces ignored,
text before throws an error (unless it's a shebang line in cli mode).Hopefully that made sense. Does this sound good to you?
I'm sorry you had to endure such a nasty troll. I am so sick of self
righteous bullies who think they know it all.Luke
From the viewpoint of someone writing reusable classes, the need to
start with <?php and reprimand anybody who accidentally puts a newline
above it is a silly annoyance they don't experience with other tools.That said, you are making valid points, I'm not convinced myself that
"file extensions" necessarily should or could be determined in every
context. But it seems the most viable way of addressing the issue - if
a viable way even exists. Partly I want to convince myself that this
either can or can't ever be improved, and move on either way (:That "silly annoyance" doesn't seem to bother anyone who writes command line tools, which require the #! line specifying the command interpreter to be the first bytes in the file, with no leading white space whatsoever. Especially on unix systems (but also on the Mac), the file extension does not affirmatively indicate the file type or whether or not it can be executed.
Also, from a CLI perspective, you don't want extensions in the names of your scripts, because then it causes problems/confusion/extra work if you later decide to change the language the script is written in.
-John
--
John Bafford
http://bafford.com/--
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
That's a good point too.
I think this is a better proposal:
...
Tom, sorry! For some reason I thought Tony :). On my phone... Not as
intuitive as my desktop...
Luke
hi Tom,
Now that the flamewar has died down a little I'd like to try to have a
civil discussion about this idea - without my admittedly
inflammatory suggestion to kill <?php altogether.So here is what I am seriously suggesting:
Please put that in a RFC.
Cheers,
Pierre
@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
I will. And thanks for your work maintaining gd- I should have mentioned that earlier.
Sent from my iPhone
hi Tom,
Now that the flamewar has died down a little I'd like to try to have a
civil discussion about this idea - without my admittedly
inflammatory suggestion to kill <?php altogether.So here is what I am seriously suggesting:
Please put that in a RFC.
Cheers,
Pierre
@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
Hi Tom
2012/4/7 Tom Boutell tom@punkave.com:
Now that the flamewar has died down a little I'd like to try to have a
civil discussion about this idea - without my admittedly
inflammatory suggestion to kill <?php altogether.
While I'm +0 on the idea of making <?php optional, here are some thoughts.
So here is what I am seriously suggesting:
The default behavior doesn't change. The parser starts out in HTML mode.
If the CLI sees a .phpc file extension, the parser starts out in PHP
mode (no opening <?php is required). It is still possible to shift
into HTML mode after that with ?>.If a require/include statement sees a .phpc file extension, the
parser starts out in PHP mode.
CLI, or any other SAPI for the matter, doesn't care about the file
extension, as pointed out by several posts. This makes it impossible
to correctly determine the input file for a require/include statement.
The only option that would make sense is a new parser mode, which
could be specified by a CLI parameter, or by an INI option (absolutely
least favorable option, if any even wanna call it that).
A CLI argument is simple and elegant, but does require those 3 extra
keystrokes or so:
C:> php -S bug42.php
While it does create another issue, which is that the mode is not
available to other SAPI's, and I think adding a specialized option for
each SAPI for such things will be bad, but might be a better way to do
at webserver level than php.ini level, but personally I don't like a
dynamic language that have a dynamically changed syntax, which makes
it seem inconsistent.
Hope this was some constructive feedback if you decide to write an RFC about it.
--
regards,
Kalle Sommer Nielsen
kalle@php.net
If the CLI sees a .phpc file extension, the parser starts out in PHP
mode (no opening <?php is required). It is still possible to shift
into HTML mode after that with ?>.If a require/include statement sees a .phpc file extension, the
parser starts out in PHP mode.
I don't think such magic is good. It will rather confuse people. Back when I thought about this my best idea was a flag to include/require which at some point will emit a notice if not set and where in the long run the default changes. But I dropped the idea. Reasons include the fact that the whole environment is being forced to change (IDEs, code checkers, ...) and well most people not only have to type the opening tag but also some file header (license, phpdoc, ...) which makes the benefit smaller. And then there's another thought: The <?php makes it trivial to identify PHP code as such, especially when discussing snippets or such.
My conclusion is that I can see reasons to change this, while in my opinion it's not worth it.
johannes
Hi,
The only valid reason for removing <?php from PHP script would be
security.
Since the null byte detection for fopen, remote/local script inclusion
became much harder than before. However, it's still possible and very
easy compare to other languages. Script execution is critical security
problem and it's worth to make it better.
If there is a switch that turns off PHP's template engine nature, PHP
could be more secure than now.
php.ini
template_mode = on ; INI_ALL On by default
php -t foo.php # template mode by default
php -T foo.php # template mode off
People has option to make their code a little secure than now
or stick with current behavior.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
2012/4/7 Tom Boutell tom@punkave.com:
Now that the flamewar has died down a little I'd like to try to have a
civil discussion about this idea - without my admittedly
inflammatory suggestion to kill <?php altogether.So here is what I am seriously suggesting:
The default behavior doesn't change. The parser starts out in HTML mode.
If the CLI sees a .phpc file extension, the parser starts out in PHP
mode (no opening <?php is required). It is still possible to shift
into HTML mode after that with ?>.If a require/include statement sees a .phpc file extension, the
parser starts out in PHP mode.If mod_php and FPM are able to see the path (I'm honestly not sure
if they can or not), they look for .phpc as their indication to start
out in PHP mode. If that's not possible then new options are defined
to allow Apache to be configured to tell mod_php and/or FPM to do the
right thing based on mime types etc.This way .php continues to behave exactly as it does today, and can
interoperate smoothly with code that uses .phpc. .phpc can require
.php and vice versa. They are friends.Thoughts?
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
Hi,
The only valid reason for removing <?php from PHP script would be
security.Since the null byte detection for fopen, remote/local script inclusion
became much harder than before. However, it's still possible and very
easy compare to other languages. Script execution is critical security
problem and it's worth to make it better.If there is a switch that turns off PHP's template engine nature, PHP
could be more secure than now.php.ini
template_mode = on ;INI_ALLOn by defaultphp -t foo.php # template mode by default
php -T foo.php # template mode offPeople has option to make their code a little secure than now
or stick with current behavior.Regards,
How does it help security?
If any, requiring '<?php' before executable code makes easier to filter
out malicious files on apps with uploads in case there's a local
inclusion vulnerability somewhere.
2012/4/8 Ángel González keisial@gmail.com:
Hi,
The only valid reason for removing <?php from PHP script would be
security.Since the null byte detection for fopen, remote/local script inclusion
became much harder than before. However, it's still possible and very
easy compare to other languages. Script execution is critical security
problem and it's worth to make it better.If there is a switch that turns off PHP's template engine nature, PHP
could be more secure than now.php.ini
template_mode = on ;INI_ALLOn by defaultphp -t foo.php # template mode by default
php -T foo.php # template mode offPeople has option to make their code a little secure than now
or stick with current behavior.Regards,
How does it help security?
If any, requiring '<?php' before executable code makes easier to filter
out malicious files on apps with uploads in case there's a local
inclusion vulnerability somewhere.
Attackers may inject PHP script almost anything/anywhere since
PHP code may be embed anywhere in a file.
For example, malicious PHP script may be in GIF something like
gif89a ...any data.. <?php exec('rm -rf /') ?>
and all attacker have to do is include/require the data somehow.
Attacker cannot do that this for other languages, since they are
not a embedded language. I know case that attackers may inject
malicious perl/ruby script in data files, but PHP is too easy
compare to these languages.
Regards,
--
Yasuo Ohgaki
8 апреля 2012 г. 8:16 пользователь Yasuo Ohgaki yohgaki@ohgaki.netнаписал:
2012/4/8 Ángel González keisial@gmail.com:
Hi,
The only valid reason for removing <?php from PHP script would be
security.Since the null byte detection for fopen, remote/local script inclusion
became much harder than before. However, it's still possible and very
easy compare to other languages. Script execution is critical security
problem and it's worth to make it better.If there is a switch that turns off PHP's template engine nature, PHP
could be more secure than now.php.ini
template_mode = on ;INI_ALLOn by defaultphp -t foo.php # template mode by default
php -T foo.php # template mode offPeople has option to make their code a little secure than now
or stick with current behavior.Regards,
How does it help security?
If any, requiring '<?php' before executable code makes easier to filter
out malicious files on apps with uploads in case there's a local
inclusion vulnerability somewhere.Attackers may inject PHP script almost anything/anywhere since
PHP code may be embed anywhere in a file.For example, malicious PHP script may be in GIF something like
gif89a ...any data.. <?php exec('rm -rf /') ?>
and all attacker have to do is include/require the data somehow.
Attacker cannot do that this for other languages, since they are
not a embedded language. I know case that attackers may inject
malicious perl/ruby script in data files, but PHP is too easy
compare to these languages.Regards,
--
Yasuo Ohgaki--
Improperly configured WEB server is not the reason to change the most basic
part of the language that will break every damn application out there.
Hi,
2012/4/9 Arvids Godjuks arvids.godjuks@gmail.com:
8 апреля 2012 г. 8:16 пользователь Yasuo Ohgaki yohgaki@ohgaki.netнаписал:
2012/4/8 Ángel González keisial@gmail.com:
Hi,
The only valid reason for removing <?php from PHP script would be
security.Since the null byte detection for fopen, remote/local script inclusion
became much harder than before. However, it's still possible and very
easy compare to other languages. Script execution is critical security
problem and it's worth to make it better.If there is a switch that turns off PHP's template engine nature, PHP
could be more secure than now.php.ini
template_mode = on ;INI_ALLOn by defaultphp -t foo.php # template mode by default
php -T foo.php # template mode offPeople has option to make their code a little secure than now
or stick with current behavior.Regards,
How does it help security?
If any, requiring '<?php' before executable code makes easier to filter
out malicious files on apps with uploads in case there's a local
inclusion vulnerability somewhere.Attackers may inject PHP script almost anything/anywhere since
PHP code may be embed anywhere in a file.For example, malicious PHP script may be in GIF something like
gif89a ...any data.. <?php exec('rm -rf /') ?>
and all attacker have to do is include/require the data somehow.
Attacker cannot do that this for other languages, since they are
not a embedded language. I know case that attackers may inject
malicious perl/ruby script in data files, but PHP is too easy
compare to these languages.Regards,
--
Yasuo Ohgaki--
Improperly configured WEB server is not the reason to change the most basic
part of the language that will break every damn application out there.
This is not an configuration issue, but a security vulnerability that
can simply closed by disabling embed mode.
As I mentioned already, injecting malformed PHP scripts into files
is too easy compare to other languages. This could be improved
by simple modification and we can maintain compatibility with it.
I don't see anything wrong here.
Yet another PHP script injection example.
There are many applications that store user inputs in $_SESSION.
Attacker can inject PHP script into $_SESSION, then locally include
it. This is easy since attacker knew their session ID and path to
session file is can be guessed easily. All attacker has to do is
finding a vulnerable include()/require() to attack.
Regards,
--
Yasuo Ohgaki
Vulnerabilities in include/require should be fixed there, IMHO, not by
limiting the feature set of the language.
Hi,
2012/4/9 Arvids Godjuks arvids.godjuks@gmail.com:
8 апреля 2012 г. 8:16 пользователь Yasuo Ohgaki yohgaki@ohgaki.netнаписал:
2012/4/8 Ángel González keisial@gmail.com:
Hi,
The only valid reason for removing <?php from PHP script would be
security.Since the null byte detection for fopen, remote/local script inclusion
became much harder than before. However, it's still possible and very
easy compare to other languages. Script execution is critical security
problem and it's worth to make it better.If there is a switch that turns off PHP's template engine nature, PHP
could be more secure than now.php.ini
template_mode = on ;INI_ALLOn by defaultphp -t foo.php # template mode by default
php -T foo.php # template mode offPeople has option to make their code a little secure than now
or stick with current behavior.Regards,
How does it help security?
If any, requiring '<?php' before executable code makes easier to filter
out malicious files on apps with uploads in case there's a local
inclusion vulnerability somewhere.Attackers may inject PHP script almost anything/anywhere since
PHP code may be embed anywhere in a file.For example, malicious PHP script may be in GIF something like
gif89a ...any data.. <?php exec('rm -rf /') ?>
and all attacker have to do is include/require the data somehow.
Attacker cannot do that this for other languages, since they are
not a embedded language. I know case that attackers may inject
malicious perl/ruby script in data files, but PHP is too easy
compare to these languages.Regards,
--
Yasuo Ohgaki--
Improperly configured WEB server is not the reason to change the most basic
part of the language that will break every damn application out there.This is not an configuration issue, but a security vulnerability that
can simply closed by disabling embed mode.As I mentioned already, injecting malformed PHP scripts into files
is too easy compare to other languages. This could be improved
by simple modification and we can maintain compatibility with it.I don't see anything wrong here.
Yet another PHP script injection example.
There are many applications that store user inputs in $_SESSION.
Attacker can inject PHP script into $_SESSION, then locally include
it. This is easy since attacker knew their session ID and path to
session file is can be guessed easily. All attacker has to do is
finding a vulnerable include()/require() to attack.Regards,
--
Yasuo Ohgaki--
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
Hi,
2012/4/9 Tom Boutell tom@punkave.com:
Vulnerabilities in include/require should be fixed there, IMHO, not by
limiting the feature set of the language.
I'm not insisting to remove embed feature, but give a option
for programmers/administrators for better security.
If one is comfortable with current behavior, they can keep
using embed feature by default. Others who care security
may disable embed feature by optional php.ini setting or CLI
option.
Half of Morihoshi's RFC was joke, but it's a serious proposal
for people who persist better security. IMHO.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi,
2012/4/9 Arvids Godjuks arvids.godjuks@gmail.com:
8 апреля 2012 г. 8:16 пользователь Yasuo Ohgaki yohgaki@ohgaki.netнаписал:
2012/4/8 Ángel González keisial@gmail.com:
Hi,
The only valid reason for removing <?php from PHP script would be
security.Since the null byte detection for fopen, remote/local script inclusion
became much harder than before. However, it's still possible and very
easy compare to other languages. Script execution is critical security
problem and it's worth to make it better.If there is a switch that turns off PHP's template engine nature, PHP
could be more secure than now.php.ini
template_mode = on ;INI_ALLOn by defaultphp -t foo.php # template mode by default
php -T foo.php # template mode offPeople has option to make their code a little secure than now
or stick with current behavior.Regards,
How does it help security?
If any, requiring '<?php' before executable code makes easier to filter
out malicious files on apps with uploads in case there's a local
inclusion vulnerability somewhere.Attackers may inject PHP script almost anything/anywhere since
PHP code may be embed anywhere in a file.For example, malicious PHP script may be in GIF something like
gif89a ...any data.. <?php exec('rm -rf /') ?>
and all attacker have to do is include/require the data somehow.
Attacker cannot do that this for other languages, since they are
not a embedded language. I know case that attackers may inject
malicious perl/ruby script in data files, but PHP is too easy
compare to these languages.Regards,
--
Yasuo Ohgaki--
Improperly configured WEB server is not the reason to change the most basic
part of the language that will break every damn application out there.This is not an configuration issue, but a security vulnerability that
can simply closed by disabling embed mode.As I mentioned already, injecting malformed PHP scripts into files
is too easy compare to other languages. This could be improved
by simple modification and we can maintain compatibility with it.I don't see anything wrong here.
Yet another PHP script injection example.
There are many applications that store user inputs in $_SESSION.
Attacker can inject PHP script into $_SESSION, then locally include
it. This is easy since attacker knew their session ID and path to
session file is can be guessed easily. All attacker has to do is
finding a vulnerable include()/require() to attack.Regards,
--
Yasuo Ohgaki--
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
And you get same issues that existed with magic quotes, register variables,
safe mode and other optional stuff that was required to run application
when set specificaly and it would break if something set differently. PHP
just got rid of it and you want to introduce a new optional feature that
will change how PHP behaves.
09.04.2012 9:03 пользователь "Yasuo Ohgaki" yohgaki@ohgaki.net написал:
Hi,
2012/4/9 Tom Boutell tom@punkave.com:
Vulnerabilities in include/require should be fixed there, IMHO, not by
limiting the feature set of the language.I'm not insisting to remove embed feature, but give a option
for programmers/administrators for better security.If one is comfortable with current behavior, they can keep
using embed feature by default. Others who care security
may disable embed feature by optional php.ini setting or CLI
option.Half of Morihoshi's RFC was joke, but it's a serious proposal
for people who persist better security. IMHO.Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.netHi,
2012/4/9 Arvids Godjuks arvids.godjuks@gmail.com:
8 апреля 2012 г. 8:16 пользователь Yasuo Ohgaki <yohgaki@ohgaki.net
написал:2012/4/8 Ángel González keisial@gmail.com:
Hi,
The only valid reason for removing <?php from PHP script would be
security.Since the null byte detection for fopen, remote/local script
inclusion
became much harder than before. However, it's still possible and
very
easy compare to other languages. Script execution is critical
security
problem and it's worth to make it better.If there is a switch that turns off PHP's template engine nature,
PHP
could be more secure than now.php.ini
template_mode = on ;INI_ALLOn by defaultphp -t foo.php # template mode by default
php -T foo.php # template mode offPeople has option to make their code a little secure than now
or stick with current behavior.Regards,
How does it help security?
If any, requiring '<?php' before executable code makes easier to
filter
out malicious files on apps with uploads in case there's a local
inclusion vulnerability somewhere.Attackers may inject PHP script almost anything/anywhere since
PHP code may be embed anywhere in a file.For example, malicious PHP script may be in GIF something like
gif89a ...any data.. <?php exec('rm -rf /') ?>
and all attacker have to do is include/require the data somehow.
Attacker cannot do that this for other languages, since they are
not a embedded language. I know case that attackers may inject
malicious perl/ruby script in data files, but PHP is too easy
compare to these languages.Regards,
--
Yasuo Ohgaki--
Improperly configured WEB server is not the reason to change the most
basic
part of the language that will break every damn application out there.This is not an configuration issue, but a security vulnerability that
can simply closed by disabling embed mode.As I mentioned already, injecting malformed PHP scripts into files
is too easy compare to other languages. This could be improved
by simple modification and we can maintain compatibility with it.I don't see anything wrong here.
Yet another PHP script injection example.
There are many applications that store user inputs in $_SESSION.
Attacker can inject PHP script into $_SESSION, then locally include
it. This is easy since attacker knew their session ID and path to
session file is can be guessed easily. All attacker has to do is
finding a vulnerable include()/require() to attack.Regards,
--
Yasuo Ohgaki--
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
Hi,
2012/4/9 Arvids Godjuks arvids.godjuks@gmail.com:
And you get same issues that existed with magic quotes, register variables,
safe mode and other optional stuff that was required to run application when
set specificaly and it would break if something set differently. PHP just
got rid of it and you want to introduce a new optional feature that will
change how PHP behaves.
Magic Quotes is broken by design.
Register Globals may work but erroneous.
Safe Mode was great for fail safe, but it was misunderstood.
Therefore, they are removed.
All of these are security related changes why not for
mandatory embed mode?
There were full of embedded PHP pages 10 years ago.
Only template pages require embedded PHP script now.
There is no compatibility issue for current code.
New code that adopts non-embed scripting will enjoy
better security than now.
Embed w/o option would be the last existing PHP feature
that other language programmers may call "PHP is insecure
than my language" IMO
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
The only benefit of '<?php' less class files is the feeling of programming
language rather than scripting language while coding in class files.
Hi,
2012/4/9 Arvids Godjuks arvids.godjuks@gmail.com:
And you get same issues that existed with magic quotes, register
variables,
safe mode and other optional stuff that was required to run application
when
set specificaly and it would break if something set differently. PHP just
got rid of it and you want to introduce a new optional feature that will
change how PHP behaves.Magic Quotes is broken by design.
Register Globals may work but erroneous.
Safe Mode was great for fail safe, but it was misunderstood.
Therefore, they are removed.All of these are security related changes why not for
mandatory embed mode?There were full of embedded PHP pages 10 years ago.
Only template pages require embedded PHP script now.There is no compatibility issue for current code.
New code that adopts non-embed scripting will enjoy
better security than now.Embed w/o option would be the last existing PHP feature
that other language programmers may call "PHP is insecure
than my language" IMORegards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
From: yohgaki@gmail.com [mailto:yohgaki@gmail.com] On Behalf Of Yasuo Ohgaki
There were full of embedded PHP pages 10 years ago.
Only template pages require embedded PHP script now.
There are legions of sites that use PHP "on the metal". No framework, no MVC, no CMS, just direct code files mingled with some includes for site layout. It works brilliantly for smaller sites and it is blazing fast.
There is no compatibility issue for current code.
New code that adopts non-embed scripting will enjoy better security than now.
The security argument here is really totally bogus. The idea behind this change has nothing to do with security, and making it won't improve security either. There's been a lot of talk about scripts embedded in images or other uploads, but the truth is that this will have zero impact on such attacks. If the attack used direct execution then the script didn't even check the extension, and an attacker just has to upload a different format and/or use a different extension (and even that only if the server, probably apache, is configured to know the difference). If the attack was via inclusion, same thing, changing the expected syntax of the included file doesn't make it any less vulnerable.
So far I'm not seeing a compelling argument for removing <?php from the start of files or eliminating the ability to drop into template mode. Certainly nothing that would justify such a radical language change nor the mess that it will create for the whole rest of the ecosystem.
John Crenshaw
Priacta, Inc.
John, please take a look at the RFC:
https://wiki.php.net/rfc/source_files_without_opening_tag
I am not proposing any backwards-incompatible changes that would
affect existing code. Code that isn't interested need not ever take
advantage of the feature and can interoperate with code that does. I
realize there is confusion about this because of a separate and
unrelated RFC to actually eliminate <?php.
I agree that the security argument is bogus, but it was never one of
my reasons for this proposal.
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
From: Tom Boutell [mailto:tom@punkave.com]
John, please take a look at the RFC:
https://wiki.php.net/rfc/source_files_without_opening_tag
I am not proposing any backwards-incompatible changes that would affect existing code. Code that isn't interested need not ever take advantage of the feature and can interoperate with code that does. I realize there is confusion about this because of a separate and unrelated RFC to actually eliminate <?php.
I agree that the security argument is bogus, but it was never one of my reasons for this proposal.
Yeah, the discussion isn't always focused. I was responding to some arguments that are mostly separate from what is specifically proposed in your RFC.
About the RFC:
- Passing two parameters to a keyword feels super awkward. I think it's fair to require this to be used more like a function.
- IMO the selected name (require_path) is confusing.
There are still some ecosystem issues, and interoperability is somewhat reduced in the sense that all 3rd party code would have to be checked for the <?php, but I think I can live with that. I still don't see a strong reason for eliminating the opening tag, but in my mind the substance of this proposal is really more about opening the door to more flexible inclusion in the future, and I can get behind that.
John Crenshaw
Priacta, Inc.
interoperability is somewhat reduced in the sense that all 3rd party code would have to be checked for the <?php
I'm not sure what you mean by this part exactly?
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
From: Tom Boutell [mailto:tom@punkave.com]
interoperability is somewhat reduced in the sense that all 3rd party
code would have to be checked for the <?phpI'm not sure what you mean by this part exactly?
Suppose a code library is written and the author writes it without the <?php at the head of each file. Using that library in a project that opted to keep the <?php requires adding this to the head of each file, or else ensuring that the library is always included with the code parameter set (which could get really messy with autoloaders.) Additionally (assuming that you modified the code files) updating the library in the future gets really messy. It's not the end of the world, but it's frustrating. I'd like to believe that most library authors will be smart enough to always include the <?php for compatibility purposes, but I'm sure some won't.
John Crenshaw
Priacta, Inc.
Such code would have the .phpc extension, so it wouldn't get loaded at
all by most autoloaders that aren't prepared for it I imagine.
This feature would certainly make the most sense as part of a new
version of PHP that introduces other new functionality. "I'm going to
use feature X in this code, which doesn't exist in version Y anyway,
so I may as well take advantage of not having to type <?php anymore as
well."
From: Tom Boutell [mailto:tom@punkave.com]
interoperability is somewhat reduced in the sense that all 3rd party
code would have to be checked for the <?phpI'm not sure what you mean by this part exactly?
Suppose a code library is written and the author writes it without the <?php at the head of each file. Using that library in a project that opted to keep the <?php requires adding this to the head of each file, or else ensuring that the library is always included with the code parameter set (which could get really messy with autoloaders.) Additionally (assuming that you modified the code files) updating the library in the future gets really messy. It's not the end of the world, but it's frustrating. I'd like to believe that most library authors will be smart enough to always include the <?php for compatibility purposes, but I'm sure some won't.
John Crenshaw
Priacta, Inc.
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
Hi,
2012/4/10 Tom Boutell tom@punkave.com:
I agree that the security argument is bogus, but it was never one of
my reasons for this proposal.
The risk is there and it is hard to get rid of it.
The risk will not go anywhere by telling the risk bogus.
If programmers/administrators could disable embed mode,
then systems will be protected from vulnerable codes.
If you insist, please show us how to protect from $_SESSION
script injection. Please do not tell me that programmer should
learn not to, since it's not a protection but education.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
Please do not tell me that programmer should
learn not to, since it's not a protection but education.
Hire a more competent programmer? If he writes such code,
he will be completely unaware of the subtleties of XSS, or how
SQL should be escaped, and his code is probably beyond
"protection". You're better served by rewriting it.
If programmers/administrators could disable embed mode,
then systems will be protected from vulnerable codes.
How do you enforce that the application you need doesn't rely on it?
Note: 'education' is also forbidden as you restricted it in the
previous question. :-)
Hi,
2012/4/10 Ángel González keisial@gmail.com:
Please do not tell me that programmer should
learn not to, since it's not a protection but education.
Hire a more competent programmer? If he writes such code,
he will be completely unaware of the subtleties of XSS, or how
SQL should be escaped, and his code is probably beyond
"protection". You're better served by rewriting it.
I'm teaching at University on occasion.
Do you forget how you have learned languages?
If programmers/administrators could disable embed mode,
then systems will be protected from vulnerable codes.
How do you enforce that the application you need doesn't rely on it?Note: 'education' is also forbidden as you restricted it in the
previous question. :-)
Why do you insist while there is a systematic solution for it?
Regards,
--
Yasuo Ohgaki
I agree, which is why the rfc does not call for a php.ini option.
Sent from my iPhone
And you get same issues that existed with magic quotes, register variables, safe mode and other optional stuff that was required to run application when set specificaly and it would break if something set differently. PHP just got rid of it and you want to introduce a new optional feature that will change how PHP behaves.
09.04.2012 9:03 пользователь "Yasuo Ohgaki" yohgaki@ohgaki.net написал:
Hi,2012/4/9 Tom Boutell tom@punkave.com:
Vulnerabilities in include/require should be fixed there, IMHO, not by
limiting the feature set of the language.I'm not insisting to remove embed feature, but give a option
for programmers/administrators for better security.If one is comfortable with current behavior, they can keep
using embed feature by default. Others who care security
may disable embed feature by optional php.ini setting or CLI
option.Half of Morihoshi's RFC was joke, but it's a serious proposal
for people who persist better security. IMHO.Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.netHi,
2012/4/9 Arvids Godjuks arvids.godjuks@gmail.com:
8 апреля 2012 г. 8:16 пользователь Yasuo Ohgaki yohgaki@ohgaki.netнаписал:
2012/4/8 Ángel González keisial@gmail.com:
Hi,
The only valid reason for removing <?php from PHP script would be
security.Since the null byte detection for fopen, remote/local script inclusion
became much harder than before. However, it's still possible and very
easy compare to other languages. Script execution is critical security
problem and it's worth to make it better.If there is a switch that turns off PHP's template engine nature, PHP
could be more secure than now.php.ini
template_mode = on ;INI_ALLOn by defaultphp -t foo.php # template mode by default
php -T foo.php # template mode offPeople has option to make their code a little secure than now
or stick with current behavior.Regards,
How does it help security?
If any, requiring '<?php' before executable code makes easier to filter
out malicious files on apps with uploads in case there's a local
inclusion vulnerability somewhere.Attackers may inject PHP script almost anything/anywhere since
PHP code may be embed anywhere in a file.For example, malicious PHP script may be in GIF something like
gif89a ...any data.. <?php exec('rm -rf /') ?>
and all attacker have to do is include/require the data somehow.
Attacker cannot do that this for other languages, since they are
not a embedded language. I know case that attackers may inject
malicious perl/ruby script in data files, but PHP is too easy
compare to these languages.Regards,
--
Yasuo Ohgaki--
Improperly configured WEB server is not the reason to change the most basic
part of the language that will break every damn application out there.This is not an configuration issue, but a security vulnerability that
can simply closed by disabling embed mode.As I mentioned already, injecting malformed PHP scripts into files
is too easy compare to other languages. This could be improved
by simple modification and we can maintain compatibility with it.I don't see anything wrong here.
Yet another PHP script injection example.
There are many applications that store user inputs in $_SESSION.
Attacker can inject PHP script into $_SESSION, then locally include
it. This is easy since attacker knew their session ID and path to
session file is can be guessed easily. All attacker has to do is
finding a vulnerable include()/require() to attack.Regards,
--
Yasuo Ohgaki--
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
hi!
I agree, which is why the rfc does not call for a php.ini option.
Can we kill this thread and focus only on the RFC one please? Thanks.
Cheers,
Pierre
@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
hi!
I agree, which is why the rfc does not call for a php.ini option.
Can we kill this thread and focus only on the RFC one please? Thanks.
+1
We've got 2 active threads discussing the same idea. Let's move further
replies to the one linking to the RFC so it's easier to follow, ok?
Thanks!
--Kris
Cheers,
Pierre
@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
Agreed, I will respond only on the RFC thread.
hi!
I agree, which is why the rfc does not call for a php.ini option.
Can we kill this thread and focus only on the RFC one please? Thanks.
+1
We've got 2 active threads discussing the same idea. Let's move further
replies to the one linking to the RFC so it's easier to follow, ok?Thanks!
--Kris
Cheers,
Pierre
@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
--
--
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
Hi,
The only valid reason for removing <?php from PHP script would be
security.
I disagree here.
What you are talking about here is
https://www.owasp.org/index.php/Unrestricted_File_Upload
So a malicious user can upload a file containing php code and fire a
request which will execute it.
Executing it can happen directly (you request the uploaded file via http),
or indirectly (you can trick some other script to include it aka LFI which
is a vulnerability in itself)
For preventing the uploaded files from be executed directly, one should put
the uploaded files to a separate directory and disable the php execution
for that directory via the web server config (php_flag engine 0)
I don't see how would the removal of the open tags prevent
the malicious user from sending valid php code without opening tag.
I know that in your example you mentioned valid image files containing php
code with opening tag (in the image meta information), but that assumes
that the code properly checks that the uploaded file is a valid image (or
any other file format which can be injected with arbitrary php code). If
that check doesn't happen or not entirely safe, one could inject php code
even if we remove the opening tags.
So imo the correct defense against these kind of attacks is:
- properly handle the file upload paths, so the users can only upload files
to the given directory. - turn off the php engine for that directory
- properly handle your file inclusions so you don't have LFI/RFI
vulnerabilities.
--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
I agree, there should be no limiting of unrelated language features to half-protect people who can't plan where uploads go.
Sent from my iPhone
Hi,
The only valid reason for removing <?php from PHP script would be
security.I disagree here.
What you are talking about here is
https://www.owasp.org/index.php/Unrestricted_File_Upload
So a malicious user can upload a file containing php code and fire a request which will execute it.
Executing it can happen directly (you request the uploaded file via http), or indirectly (you can trick some other script to include it aka LFI which is a vulnerability in itself)
For preventing the uploaded files from be executed directly, one should put the uploaded files to a separate directory and disable the php execution for that directory via the web server config (php_flag engine 0)I don't see how would the removal of the open tags prevent the malicious user from sending valid php code without opening tag.
I know that in your example you mentioned valid image files containing php code with opening tag (in the image meta information), but that assumes that the code properly checks that the uploaded file is a valid image (or any other file format which can be injected with arbitrary php code). If that check doesn't happen or not entirely safe, one could inject php code even if we remove the opening tags.
So imo the correct defense against these kind of attacks is:
- properly handle the file upload paths, so the users can only upload files to the given directory.
- turn off the php engine for that directory
- properly handle your file inclusions so you don't have LFI/RFI vulnerabilities.
--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
Hi,
2012/4/9 Tom Boutell tom@punkave.com:
I agree, there should be no limiting of unrelated language features to
half-protect people who can't plan where uploads go.
You misunderstood the problem.
File upload does not matter.
Mandatory embed feature makes PHP vulnerable.
See my script injection example in RFC.
https://wiki.php.net/rfc/nophptags
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Sent from my iPhone
Hi,
The only valid reason for removing <?php from PHP script would be
security.I disagree here.
What you are talking about here is
https://www.owasp.org/index.php/Unrestricted_File_Upload
So a malicious user can upload a file containing php code and fire a request
which will execute it.
Executing it can happen directly (you request the uploaded file via http),
or indirectly (you can trick some other script to include it aka LFI which
is a vulnerability in itself)
For preventing the uploaded files from be executed directly, one should put
the uploaded files to a separate directory and disable the php execution for
that directory via the web server config (php_flag engine 0)I don't see how would the removal of the open tags prevent
the malicious user from sending valid php code without opening tag.
I know that in your example you mentioned valid image files containing php
code with opening tag (in the image meta information), but that assumes that
the code properly checks that the uploaded file is a valid image (or any
other file format which can be injected with arbitrary php code). If that
check doesn't happen or not entirely safe, one could inject php code even if
we remove the opening tags.
So imo the correct defense against these kind of attacks is:
- properly handle the file upload paths, so the users can only upload files
to the given directory.- turn off the php engine for that directory
- properly handle your file inclusions so you don't have LFI/RFI
vulnerabilities.--
Ferenc Kovács
@Tyr43l - http://tyrael.hu