Re: Re: [RFC] No PHP tags
On 02/13/2014 02:51 PM, Yasuo Ohgaki wrote:
> PHP is for the web. The web is extremely dangerous as serious professional
> attackers exploit the web for money. Introducing yet another effective
> countermeasure for a fatal error is valuable for the PHP community because
> there are vulnerable applications/codes. I cannot accept the fact that
> PHP could be much more insecure than others when the same developers write
> applications...
Perhaps the biggest part of writing secure applications is understanding
your tools and your environment. The more complicated they are, the
harder it is to use them correctly. You are asking to add a brand new
high-level concept to PHP by adding a distinction between a template and
a non-template file. As far as PHP is concerned, everything is a
"template", although we never use that term. Even a plain text file with
no php tags is a template. There is no technical difference between a
file containing:
hello world
and one containing:
<?= "hello world\n";
They both compile to exactly:
ECHO 'hello+world%0A'
RETURN 1
So what is a template? What isn't a template? Is it a template simply
because it contains a PHP tag? Or is a file not a template because it
doesn't? Or is it the name of the file? What about its location? In the
end, none of these things fully define a template. A template is defined
by the context in which it is used. Changing this basic characteristic
of PHP is a really serious change and you are going to need a much
better argument than simple LFI for it to have any chance in a vote I
would suspect.
Striving to make PHP more secure for neophyte developers is always a
worthy goal, but it needs to be done in a way that doesn't make things
worse. I think this particular approach would make things worse by
needlessly complicating things.
-Rasmus
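The two-file comparison above, as an added example that is not part of the thread: it writes both files to a temporary directory, includes each to show that the output is identical (a file with no PHP tags is still a "template" once it is included), and then shows the usual defensive shape for a template loader, which is where the LFI risk actually lives: a fixed allowlist of names plus a realpath check that the resolved file stays under the template root. The function name `render_template`, the directory layout and the file names are assumptions for this example.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+.

$dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/plain.txt", "hello world\n");        // no PHP tags at all
file_put_contents("$dir/short.php", '<?= "hello world\n";');  // short echo tag

// Both files produce exactly the same output when included.
foreach (['plain.txt', 'short.php'] as $f) {
    ob_start();
    include "$dir/$f";
    $out = ob_get_clean();
    printf("%-10s => %s\n", $f, var_export($out, true));
}

// Defensive template loader: the caller may only name a template from a
// fixed allowlist, and the resolved path must stay inside the template root.
function render_template(string $dir, string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("unknown template: $name");
    }
    $root = realpath($dir);
    $path = realpath("$dir/$name");
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($root === false || $path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("template resolves outside root: $name");
    }
    ob_start();
    include $path;
    return ob_get_clean();
}

$allowed = ['plain.txt', 'short.php'];
echo render_template($dir, 'plain.txt', $allowed);   // hello world
echo render_template($dir, 'short.php', $allowed);   // hello world

// Any name not on the allowlist is rejected before include() is ever reached.
try {
    render_template($dir, 'other.txt', $allowed);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```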