No. He's saying YOUR code is, more or less, not unlike:
<?php include $_GET['page']; ?>

Maybe it's more like this:
<?php include $page; ?>

Well, if at some point, you forget to initialize $page, AND IF you have register_globals on, for some reason, perhaps even because you later install some 3rd-party software that needs it, and you integrate their app with your app, *THEN* years down the road, after you've completely FORGOTTEN this entire thread in PHP-General, *YOUR* application is now wide open to a hack.

We're warning you that you are about to unlock the door, and even if you have an armed guard today, that doesn't guarantee that the guard will always Be There.

Your software will grow and change.

It is exactly the kind of decision you are contemplating now that will bite you in the butt with a hacked server a couple years from now, after OTHER problems accrete, in a domino effect, stretched out over the course of years.

On Wed, June 14, 2006 9:48 pm, Dave M G wrote:
> Jochem,
>> ::index.php
>> <?php
>> include $_GET['page'];
>> ?>
>
> Wouldn't strip_tags() eliminate the <?php ?> tags that make this
> possible?
>
> --
> Dave M G
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--
Like Music?
http://l-i-e.com/artists.htm
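An allowlist alternative to the `include $_GET['page']` pattern discussed in this thread, as an added example that is not part of the original message. The page keys, file names and `pages/` directory are assumptions; the loop also shows that `strip_tags()` leaves path-like and URL-like values unchanged.

```php
<?php
declare(strict_types=1);

// Hypothetical page keys and file names; the directory layout is an assumption.
const PAGES_DIR = __DIR__ . '/pages';
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a request value to a file chosen by the application.
 * The request value is only ever used as an array key, never as a path.
 */
function resolve_page(mixed $requested, string $default = 'home'): string
{
    // ?page[]=x arrives as an array; anything that is not a string is rejected.
    $key = is_string($requested) ? $requested : $default;
    if (!array_key_exists($key, PAGES)) {
        $key = $default;
    }
    return PAGES_DIR . '/' . PAGES[$key];
}

// Constructed request values: a valid key, a path, a URL, an array, a missing value.
$samples = ['about', '../../outside/file', 'http://other.example/x.txt', ['home'], null];

foreach ($samples as $value) {
    // strip_tags() only removes markup, so a path or URL passes through as-is.
    $stripped = is_string($value) ? strip_tags($value) : $value;
    printf(
        "%-32s strip_tags changed it: %-3s resolves to: %s\n",
        json_encode($value, JSON_UNESCAPED_SLASHES),
        $stripped === $value ? 'no' : 'yes',
        basename(resolve_page($value))
    );
}

// In the front controller, $page is assigned on the line directly before the
// include, so it is never left uninitialised for register_globals to fill in:
//
//     $page = resolve_page($_GET['page'] ?? null);
//     include $page;
```

Every value outside the allowlist falls back to `home.php`, so the included path is always one of the three files the application named itself.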