comment on

No.

PHP source files are basically webpages, so include is often used to manage template hierarchies. But these templates can contain code – and the function will happily fetch them from remote URLs. These factors play together to make very ordinary-looking code a potential minefield.

In Perl, you’d use open, and you can’t give that a URL and have it work. Much less will it automatically cause code in loaded files to execute. require is very rarely used on user input and use practically never.

So basically, in PHP, you only need to where code carelessly puts user input into file paths, whereas in Perl, you need to find a place where user input is used imprudently in an eval.

I’d say the odds are significantly stacked against PHP in this matter.

But, sure, once a developer has been bitten and knows to pay attention to this trap, it’s not that hard to protect against.

Makeshifts last the longest.

In reply to Re^3: Awstats Perl security by Aristotle
in thread Awstats Perl security by hakkr

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		`&`
	<		`<`
	>		`>`
	[		`[`
	]		`]`

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.