On Tue, May 23, 2006 9:52 am, tedd wrote:
> At 9:45 AM +0100 5/23/06, Rory Browne wrote:
> I'm not disagreeing with you, but how would that work? The file would
> still have a suffix of ".gif" and as such wouldn't be recognized as
> code to execute.

Unless you have ANOTHER bug somewhere in those million lines of PHP code...

Which might maybe let you eval() that, or manage to include it or...

Why risk it? Defense in depth.

It's not like a call to getimagesize() is gonna kill you.

Even moving the image out of web tree and using readfile is fine for all but the busiest servers.

[shrug]

I don't understand why people are so resistant to something so simple that adds a layer of defense.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
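A PHP sketch of the layered approach argued for above (validate with getimagesize(), store outside the web tree, serve with readfile()), added here as an example and not code from the thread or the list; the upload directory, the id format and the function names are assumptions:

```php
<?php
// Added example, not from the thread. Assumptions: uploads live in
// /var/uploads (outside DocumentRoot) and are served via serve_image().
declare(strict_types=1);

const UPLOAD_DIR = '/var/uploads';
const ALLOWED_TYPES = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];

// Validate one entry of $_FILES and move it out of the web tree.
// Returns a server-chosen id, or null if the upload is rejected.
function store_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Check the real header; the client-supplied name and MIME type are ignored.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        return null;
    }
    // A random name means the original filename never reaches the filesystem.
    $id = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id . '.' . ALLOWED_TYPES[$info[2]];
    return move_uploaded_file($file['tmp_name'], $dest) ? $id : null;
}

// Serve a stored image. getimagesize() alone does not prove a file is
// harmless (a valid header can be followed by PHP code), so the file is
// kept outside the web tree and only ever copied to the client with readfile().
function serve_image(string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {  // only our ids, so no "../"
        http_response_code(404);
        return;
    }
    foreach (ALLOWED_TYPES as $type => $ext) {
        $path = UPLOAD_DIR . "/$id.$ext";
        if (is_file($path)) {
            header('Content-Type: ' . image_type_to_mime_type($type));
            header('X-Content-Type-Options: nosniff');
            header('Content-Length: ' . filesize($path));
            readfile($path);
            return;
        }
    }
    http_response_code(404);
}
```

Even if a file that passed getimagesize() later turns out to contain code, nothing in this path ever include()s or eval()s it, which is the extra layer the message is asking for.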