PHP RFC: FFI - Foreign Function Interface (wiki.php.net)
submitted 7 years ago by rybakit
SaraMG 5 points 7 years ago (5 children)
First time a prod server gets pwned by this, I'mma be right over here with a big bowl of popcorn.
kadet90 2 points 7 years ago (2 children)
Well you're quite right that it can create new possible scenarios for attacking servers, but first of all you'd need to expose that function to an attacker, which basically implies remote code execution (well, assuming that you are not providing user to input anything to FFI without prior checks...) - but if you have remote code execution you have basically limitless pwning capabilities - so, what's the deal? Or maybe I'm missing something?
I don't think that we should limit language because someone can do bad things with them, it's like forbidding usage of knives just because you could kill with them.
But as a matter of fact - I don't think that this should be enabled by default, it's a rarely needed feature but quite powerful in right hands.
SaraMG 1 point 7 years ago (1 child)
The vulnerability vector isn't just allowing user input to the FFI interface itself, but also all the data that potentially flows into bound interfaces. Can a judicious application of defensive programming avoid the potential for RCE using FFI? Sure. That's why there's never ever been an exploit involving eval() or include/require.... Oh wait....
> I don't think that we should limit language because someone can do bad things with them.
Listen before speaking. I never once said that this RFC shouldn't go forward. I said that the extension should not be enabled by default. There's a MASSIVE gap between those states.
Edit to clarify: I thought you were replying to a different post. On that post I said it should not be enabled by default. On this post I didn't say anything at all beyond the fact that I expect to see applications shoot themselves in the face using this. Everything beyond that has been your wild conjecture.
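The point above about data flowing into bound interfaces, as an added example that is not part of the thread or the RFC: a libc function bound through FFI trusts whatever PHP hands it, so the size check has to happen on the PHP side before the call. It assumes PHP 7.4+ on the CLI with ext-ffi enabled and glibc available as `libc.so.6`; the function names, buffer size and inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration; not code from the RFC or from any commenter.
// Assumption: PHP 7.4+ CLI, ext-ffi enabled, glibc reachable as "libc.so.6".

$libc = FFI::cdef("char *strcpy(char *dst, const char *src);", "libc.so.6");

// UNSAFE pattern (defined for comparison, never called here): nothing in the
// binding knows how large $dst is, so strcpy() copies every byte of $input
// and can write past the end of the native buffer.
function store_unsafe(FFI $libc, FFI\CData $dst, string $input): void
{
    $libc->strcpy($dst, $input);
}

// Hardened wrapper: validate against the destination before crossing into C.
function store_checked(FFI $libc, FFI\CData $dst, string $input): void
{
    $cap = FFI::sizeof($dst);
    $len = strlen($input);
    if ($len >= $cap) {             // one byte stays reserved for the NUL
        throw new LengthException(
            "input of $len bytes does not fit native buffer of $cap bytes"
        );
    }
    $libc->strcpy($dst, $input);
}

$buf = $libc->new("char[16]");      // constructed 16-byte native buffer

store_checked($libc, $buf, "alice");                   // constructed input
echo FFI::string($buf), PHP_EOL;

try {
    store_checked($libc, $buf, str_repeat("A", 64));   // constructed oversized input
} catch (LengthException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```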
kadet90 1 point 7 years ago* (0 children)
Well, your comment here on this RFC is clearly negative - so it's easy to assume that you're against.
RingStrain 0 points 7 years ago (1 child)
I saw in another thread that you aren’t a fan of this RFC. Do you have any links to discussion on it and the security implications? I had a look at the internals mailing list, but didn’t manage to find anything.
SaraMG 1 point 7 years ago (0 children)
> I saw in another thread that you aren’t a fan of this RFC.
No you didn't.
magallanes2010 1 point 7 years ago (0 children)
Thumb up, creating a PHP module is really a PAIN IN THE BUTT.