On Apr 9, 2012, at 7:44 PM, Yasuo Ohgaki <[email protected]> wrote:
> Hi,
>
> 2012/4/10 Luke Scott <[email protected]>:
>>>>> That said, allowing the skipping of an initial <?php tag at the top of
>>>>> the file probably wouldn't be a big deal to implement in code mode.
>>>>
>>>>
>>>> OK. If you can agree to this then I'm good. Perhaps only allow white space
>>>> before it (which is ignored - everything else throws a parse error)?
>>>
>>> Great, that sounds doable. (This would be *allowing* a leading <?php,
>>> not *requiring* one.)
>>
>> Great! Then it seems we both agree.
>>
>> As far as the require/include statement, have we pretty much settled
>> on something like this:
>>
>> include "/foo/bar.php", INC_CODE;
>>
>> versus:
>>
>> include_path "/foo/bar.php";
>>
>
> These syntaxes do not help remove LFI risk in existing code
> and allow novices to write suicide code.
>
> The only valid reason to make the mandatory embedded mode
> non-mandatory is security. IMHO.
>
> BTW, although I'll vote against having include_path() or the
> like, include_path() should be include_script(), shouldn't it?

I'm not sure I fully understand your concern. require/include
shouldn't be used for anything other than local PHP files. User input
should also not be placed there.

What am I missing?

Luke