On Wednesday 25 July 2001 15:31, Rasmus Lerdorf wrote:

> The change I would rather see in php.ini would be to have the default
> error_level be set to E_ALL because then the above script would generate a
> warning complaining about the fact that $ok was not initialized.  Since
> PHP can determine when variables are not initialized the case for
> turning register_globals off in this example is rather weak.


The security issue is poor coding rather than anything else. Using the 
various VAR arrays largely moves the problem sideways.

I took the liberty on the Windows installer of making the default route 
through the wizard set the error level to E_ALL. I am fed up that almost all 
the freely available PHP scripts out there just won't run at E_ALL because 
they either spew out so many warning messages that you can't see what's going 
on, and in many cases, the warning messages cause crucial headers not to be 
sent. My own rule of thumb is that if a script outputs any warnings during 
normal use, then it just can't be trusted to be secure.

Phil Driscoll
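The uninitialized-`$ok` pattern the thread refers to, written out as an added example (not code from the original message or from PHP's own sources). The password comparison and the `$request` array are constructed placeholders; the point is what E_ALL reports for the fragile version and why the hardened version stays silent whatever `register_globals` is set to.

```php
<?php
// Added example, not from the original thread.
// Run with: php -d register_globals=0 example.php   (the directive no longer
// exists in modern PHP; on such builds simply run: php example.php)
error_reporting(E_ALL);

// ---- Fragile pattern (shape assumed for the script under discussion) ----
// In a 2001-era script this sits at global scope. With register_globals=On a
// request carrying ?ok=1 would already have created $ok before the check,
// so the admin branch is reached without the password ever matching.
// With register_globals=Off and E_ALL, PHP flags the real defect instead:
//   PHP 7 and earlier: "Notice: Undefined variable: ok"
//   PHP 8:             "Warning: Undefined variable $ok"
// That message is emitted as output, which is exactly how a later header()
// call ends up failing with "headers already sent".
$password = 'wrong';                       // constructed input
if ($password === 'secret') {              // placeholder comparison
    $ok = true;
}
if ($ok) {                                 // $ok never assigned on this path
    echo "fragile: admin page shown\n";
} else {
    echo "fragile: access denied\n";
}

// ---- Hardened pattern ----
// Every control variable gets an explicit default before use, request data
// is read only from the array that was handed in (in a real script: $_GET or
// $_POST), and nothing depends on a variable "appearing" from the request.
// This runs clean under E_ALL regardless of register_globals.
function hardened_check(array $request)
{
    $ok = false;                                        // explicit default
    $password = isset($request['password'])
        ? (string) $request['password']
        : '';
    if ($password === 'secret') {                       // placeholder comparison
        $ok = true;
    }
    return $ok;
}

// Constructed requests: an "ok" key in the request has no effect.
var_dump(hardened_check(['ok' => '1']));               // bool(false)
var_dump(hardened_check(['password' => 'secret']));   // bool(true)
```

The first half is meant to be run, not just read: under E_ALL the undefined-variable message appears before the "access denied" line, which is the behaviour the message describes as PHP "determining when variables are not initialized" and also why such warnings break scripts that send headers afterwards.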

