RE: [PHP-DEV] PHP class files without <?php at the top

Date: Mon, 09 Apr 2012 15:34:20 +0000
Groups: php.internals
From: [email protected] [mailto:[email protected]] On Behalf Of Yasuo Ohgaki
> There were full of embedded PHP pages 10 years ago.
> Only template pages require embedded PHP script now.

There are legions of sites that use PHP "on the metal". No framework, no MVC, no CMS, just
direct code files mingled with some includes for site layout. It works brilliantly for smaller sites
and it is blazing fast.

>
> There is no compatibility issue for current code.
> New code that adopts non-embed scripting will enjoy better security than now.

The security argument here is really totally bogus. The idea behind this change has nothing to do
with security, and making it won't improve security either. There's been a lot of talk
about scripts embedded in images or other uploads, but the truth is that this will have zero impact
on such attacks. If the attack used direct execution then the script didn't even check the
extension, and an attacker just has to upload a different format and/or use a different extension
(and even that only if the server, probably apache, is configured to know the difference). If the
attack was via inclusion, same thing, changing the expected syntax of the included file doesn't
make it any less vulnerable.

So far I'm not seeing a compelling argument for removing <?php from the start of files or
eliminating the ability to drop into template mode. Certainly nothing that would justify such a
radical language change nor the mess that it will create for the whole rest of the ecosystem.

John Crenshaw
Priacta, Inc.
