Edit report at https://bugs.php.net/bug.php?id=54556&edit=1

 ID:                 54556
 Comment by:         gtisza at gmail dot com
 Reported by:        kal dot el dot ias at gmx dot net
 Summary:            array access to empty var does not trigger a notice
 Status:             Verified
 Type:               Bug
 Package:            Scripting Engine problem
 Operating System:   Ubuntu 10.04.2 LTS
 PHP Version:        trunk-SVN-2011-04-18 (snap)
 Assigned To:        dmitry
 Block user comment: N
 Private report:     N

 New Comment:

The same happens with every non-string scalar value, not just null:

<?php
error_reporting(E_ALL|E_STRICT);
$arr = false;
var_dump($arr['foo']['bar']['baz']); // NULL
?>

This is a major problem as lots of data access functions return null or false 
if the key is not found (memcached for example, or many active record 
libraries), so this bug can easily lead to unexpected behavior. In unfortunate 
cases (e.g. trying to load a usergroup blacklist from database) it might even 
lead to authentication bypass vulnerabilities and other severe security issues.
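
The failure mode described in the comment above, as an added example (not part of the bug report or of PHP's source): a blacklist check that fails open when the lookup returns false, beside a version that fails closed. The function names, the `usergroup_blacklist` key and the sample data are constructed for illustration.

```php
<?php
// Hypothetical stand-in for a cache/database lookup that returns false on a
// miss, as the comment describes for memcached-style APIs.
function load_blacklist(array $store, string $key)
{
    return array_key_exists($key, $store) ? $store[$key] : false;
}

// Fails open: when the lookup returns false, false['groups'][$group]
// evaluates to NULL, so the group is treated as not blacklisted.
// PHP 7.4 and later report the access, but the expression is still NULL.
function is_allowed_unsafe(array $store, string $group): bool
{
    $list = load_blacklist($store, 'usergroup_blacklist');
    return !$list['groups'][$group];
}

// Fails closed: the shape of the result is verified before it is indexed,
// and a missing blacklist is an error rather than an empty blacklist.
function is_allowed_checked(array $store, string $group): bool
{
    $list = load_blacklist($store, 'usergroup_blacklist');
    if (!is_array($list) || !isset($list['groups']) || !is_array($list['groups'])) {
        throw new RuntimeException('blacklist unavailable, refusing to decide');
    }
    return empty($list['groups'][$group]);
}

// Constructed sample data: one healthy store, one where the key is missing.
$healthy = ['usergroup_blacklist' => ['groups' => ['banned' => true, 'staff' => false]]];
$missing = [];

foreach (['healthy' => $healthy, 'missing' => $missing] as $label => $store) {
    printf("%s unsafe:  %s\n", $label, var_export(is_allowed_unsafe($store, 'banned'), true));
    try {
        printf("%s checked: %s\n", $label, var_export(is_allowed_checked($store, 'banned'), true));
    } catch (RuntimeException $e) {
        printf("%s checked: denied (%s)\n", $label, $e->getMessage());
    }
}
```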


Previous Comments:
------------------------------------------------------------------------
[2011-09-14 13:53:51] dmi...@php.net

I've added a bit better patch (for trunk), but I'm not sure we need it.
At least it "breaks" about 30 tests.

------------------------------------------------------------------------
[2011-09-14 13:51:04] dmi...@php.net

The following patch has been added/updated:

Patch Name: wrong-array-access.diff
Revision:   1316008264
URL:        
https://bugs.php.net/patch-display.php?bug=54556&patch=wrong-array-access.diff&revision=1316008264

------------------------------------------------------------------------
[2011-09-14 07:28:36] larue...@php.net

dmitry, plz look at this, thanks

------------------------------------------------------------------------
[2011-07-26 11:12:22] larue...@php.net

The following patch has been added/updated:

Patch Name: php-5-3-use-a-null-as-array-trigger-notice
Revision:   1311678742
URL:        
https://bugs.php.net/patch-display.php?bug=54556&patch=php-5-3-use-a-null-as-array-trigger-notice&revision=1311678742

------------------------------------------------------------------------
[2011-07-25 12:10:52] larue...@php.net

The following patch has been added/updated:

Patch Name: php-5-3-use-a-null-as-array-trigger-notice
Revision:   1311595852
URL:        
https://bugs.php.net/patch-display.php?bug=54556&patch=php-5-3-use-a-null-as-array-trigger-notice&revision=1311595852

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=54556


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=54556&edit=1
