Hi,

> This issue has now been fixed in their CVS repository. This is the
> patch that they used:

I dislike calling my patch a fix. The problem you describe is not a bug within PHP. One could call it an undocumented feature that is now gone with my patch.

You cannot blame a programmer's error on the language itself. Your fopen() thing only occurs if the programmer does TWO stupid things: A) pass user input directly to a function without proper validation, B) pass a URL to a function that is not a URL.

Any string that contains control chars cannot be a valid URL. Before you pass a string that should be a URL to any function you MUST urlencode() it. No need for your reg expression at all.

Following your idea I could blame the libc authors for implementing strcpy() because, misused, it leads to buffer overflows. Just because PHP is easy (to learn) you cannot leave your brain at home when programming for your company.

Stefan Esser
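The two checks named in the message above (validate user input, and urlencode() anything that is meant to end up in a URL) can be sketched as follows. This is an added example, not code from the original post or from the PHP project; the helper names, the base URL and the sample value are constructed for illustration.

```php
<?php
// Added illustration. Helper names and the base URL are hypothetical.

/**
 * True if $s contains a raw ASCII control character (0x00-0x1F or 0x7F).
 * CR and LF fall in this range; none of these bytes may appear raw in a URL.
 */
function has_control_chars(string $s): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $s) === 1;
}

/**
 * Build a URL from a fixed base and one user-supplied query value.
 * urlencode() turns control characters into %XX escapes, so the
 * resulting string contains no raw CR, LF or NUL.
 */
function build_lookup_url(string $base, string $userValue): string
{
    return $base . '?q=' . urlencode($userValue);
}

/**
 * Refuse to hand a string to fopen() as a URL if it still carries
 * raw control characters. Returns the stream resource or false.
 */
function open_checked_url(string $url)
{
    if (has_control_chars($url)) {
        throw new InvalidArgumentException('not a valid URL: control characters present');
    }
    return fopen($url, 'r');
}

// Constructed sample input: a request parameter containing CR/LF.
$userValue = "news\r\nsecond line";
$base      = 'http://example.invalid/search';

// Case B from the message: the raw value is concatenated without encoding.
$unencoded = $base . '?q=' . $userValue;
// The encoded form, built the way the message requires.
$encoded   = build_lookup_url($base, $userValue);

var_dump(has_control_chars($unencoded));
var_dump(has_control_chars($encoded));
echo $encoded, "\n";

// The unencoded string is rejected before fopen() is ever reached.
try {
    open_checked_url($unencoded);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The script performs no network access: the only call to open_checked_url() is made with the unencoded string, which is rejected before fopen() runs.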