On Apr 9, 2012, at 9:08 PM, Yasuo Ohgaki <[email protected]> wrote:
>> I would actually suggest that require/include stop supporting remote
>> files altogether. But that can be a different RFC.
>>
>> This "security problem" isn't a problem with common sense.
>
> Requiring/Including remote files is not bad, just like embedded mode
> of PHP is not bad.
You can fetch a remote file with curl, socket functions, hell, even
file_get_contents. Point is you shouldn't be using require/include for
including remote files. It's not the purpose of these functions, and
even though "you can" it doesn't mean you should and it's highly
discouraged.
It's not a core PHP problem. It's a programming problem.
Where I work we forbid certain things like this for good reason. We
also have a code review process. All code is checked by another
developer before it gets committed. Even my code, and I'm a manager.
This should be done at the very least. Some companies do this and then
have a third party audit the code on top of it.
> They are bad for security if they are enabled by default or mandatory.
Again nothing has changed with this RFC.
Luke