in reply to Awstats Perl security

It always amazes me when I see taint errors in very old and well used software. awstats caused us some real problems a while back.

The worst though has to be PHPbb. I'm still astounded that PHP lets you include a library from another server. The mind boggles...

Re^2: Awstats Perl security
by cowboy (Friar) on Nov 09, 2005 at 18:29 UTC
    You could easily include a library from another server in perl as well (maybe not as easily, but not very difficult with lwp/eval/require/do). This is not a problem with a language, but a problem with the developer knowing enough to be able to use it, but not knowing enough to know why they should not use it.

      No.

      PHP source files are basically webpages, so include is often used to manage template hierarchies. But these templates can contain code – and the function will happily fetch them from remote URLs. These factors play together to make very ordinary-looking code a potential minefield.

      In Perl, you’d use open, and you can’t give that a URL and have it work. Much less will it automatically cause code in loaded files to execute. require is very rarely used on user input and use practically never.

      So basically, in PHP, you only need to find where code carelessly puts user input into file paths, whereas in Perl, you need to find a place where user input is used imprudently in an eval.

      I’d say the odds are significantly stacked against PHP in this matter.

      But, sure, once a developer has been bitten and knows to pay attention to this trap, it’s not that hard to protect against.

      Makeshifts last the longest.
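The pattern the reply above describes, as an added example that is not part of the thread: a hypothetical template loader that passes a request parameter into include(), next to a hardened version that maps the parameter onto a fixed allowlist so user input never becomes part of a path. The template names and the `templates/` directory are constructed for the example; the `allow_url_include` and `allow_url_fopen` directives are real php.ini settings.

```php
<?php
// Added example (not from the thread): a hypothetical template loader.

// VULNERABLE: the template name comes straight from the request and is
// concatenated into the include path. With allow_url_include=On a value
// beginning "http://" makes PHP fetch and execute remote code; even with
// it off, "../" sequences reach arbitrary local files, and any file that
// is included is executed as PHP, not just displayed.
function render_unsafe(string $page): void
{
    include "templates/" . $page . ".php";   // do not do this
}

// HARDENED: the request value only selects a key in a fixed allowlist.
// The string itself is never used to build a path, so neither URLs nor
// traversal sequences can reach include(); unknown keys get a 404.
const TEMPLATES = [
    'home'    => 'templates/home.php',
    'about'   => 'templates/about.php',
    'contact' => 'templates/contact.php',
];

function resolve_template(string $page): ?string
{
    // Exact key lookup on the literal string; no normalisation, no
    // substring matching, no filesystem access driven by $page.
    return array_key_exists($page, TEMPLATES) ? TEMPLATES[$page] : null;
}

function render_safe(string $page): void
{
    $path = resolve_template($page);
    if ($path === null) {
        http_response_code(404);
        echo "Unknown page";
        return;
    }
    include $path;
}

// Defence in depth, independent of the code above: keep remote inclusion
// off in php.ini (it is off by default in current PHP releases):
//   allow_url_include = Off
//   allow_url_fopen   = Off   ; unless something genuinely needs it

render_safe($_GET['page'] ?? 'home');
```

The allowlist is the part that matters: filtering the string (stripping `../` or `http://`) is the weaker choice because it has to anticipate every encoding of a bad value, whereas a key lookup only ever yields one of the three paths the developer wrote down. Auditing for this class of bug is likewise a grep for `include`, `require`, `include_once` and `require_once` whose argument is built from `$_GET`, `$_POST`, `$_REQUEST` or `$_COOKIE`, which is the "find where code carelessly puts user input into file paths" step the reply mentions.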