Re: .INC files

Richard Lynch wrote:
> Why risk the possibility of your code being exposed or executed out of
> context when it's so *EASY* to move the include files and set
> include_path?
>
> I just don't understand the resistance to such a simple straight-forward
> elegant security measure.
>
> For 5 minutes of time, you can avoid dozens of potential pitfalls. [shrug]

I completely agree with this sentiment, and it is relevant to many discussions, such as:

1. The debate between using mysql_real_escape_string() versus addslashes() or magic_quotes_gpc.

2. The debate between escaping data to be sent to the client with htmlentities() versus using str_replace() to just replace angled brackets with their HTML entity equivalents.

3. The debate between storing includes outside of document root versus using a .php file extension, instructing Apache to process .inc files as PHP, instructing PHP to deny requests for .inc files, etc.

All of these discussions are a result of developers being foolish and stubborn. Just because you might not be able to think of an exploit for your particular approach doesn't mean that it's safe.

Web application security is a highly specialized discipline, and unless you really know what you're doing, it's unlikely that you can properly refute practices that have been developed and refined over many years. Stick with best practices unless you are certain that they're not actually best, in which case, you should share your evidence with the community. :-)

(By the way, it's faster to specify an absolute path to your includes than to rely on include_path. You can save PHP the hassle of searching.)

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
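An added example, not code from the thread or from either poster, showing two of the practices discussed above: loading includes by absolute path from a directory outside the document root (point 3 and the aside about include_path), and escaping output with htmlentities() rather than replacing only angle brackets (point 2). The directory layout, the function names and the sample value are assumptions made for this illustration.

```php
<?php
// --- (3) includes outside the document root, addressed by absolute path ---
// Assumed (hypothetical) layout:
//   /var/www/example/htdocs/index.php      <- document root, served by Apache
//   /var/www/example/includes/db.inc.php   <- not reachable by any URL
// __DIR__ is the directory of the running script, so the resulting path is
// absolute and PHP does not have to search include_path at all.
define('APP_INCLUDES', dirname(__DIR__) . '/includes');

// Deployment check: the include directory must not sit beneath the
// document root, otherwise a request for /includes/db.inc could return
// the file's source as plain text instead of executing it.
function is_outside_docroot(string $includeDir, string $docRoot): bool
{
    $inc = rtrim(str_replace('\\', '/', $includeDir), '/') . '/';
    $doc = rtrim(str_replace('\\', '/', $docRoot), '/') . '/';
    return strpos($inc, $doc) !== 0;
}

// --- (2) htmlentities() versus replacing only angle brackets ---
// Replacing just < and > leaves quote characters untouched, so a value
// placed inside an attribute can still terminate that attribute early.
function naive_escape(string $s): string
{
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $s);
}

function safe_escape(string $s): string
{
    // ENT_QUOTES encodes both " and ', so the result is safe in element
    // text and inside single- or double-quoted attributes alike.
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample value containing a double quote and a tag.
$userValue = 'O"Reilly <b>';
printf("naive: <input value=\"%s\">\n", naive_escape($userValue));
printf("safe : <input value=\"%s\">\n", safe_escape($userValue));

// Constructed paths for the layout assumed above.
var_dump(is_outside_docroot('/var/www/example/includes',
                            '/var/www/example/htdocs'));
var_dump(is_outside_docroot('/var/www/example/htdocs/inc',
                            '/var/www/example/htdocs'));

// Usage in a page under htdocs/ would then be:
//   require APP_INCLUDES . '/db.inc.php';
```

Comparing the two printed input tags shows why the htmlentities() form is the one to keep: only it leaves the attribute intact for every input.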
