I write all of my code with/for E_ALL as well. Plus, I consider
not relying on register_globals = on to be a crucial requirement
WRT portability.

At 17:04 7/25/2001, Phil Driscoll wrote the following:
>On Wednesday 25 July 2001 15:31, Rasmus Lerdorf wrote:
>> The change I would rather see in php.ini would be to have the default
>> error_level be set to E_ALL because then the above script would generate a
>> warning complaining about the fact that $ok was not initialized.  Since
>> PHP can determine when variables are not initialized the case for
>> turning register_globals off in this example is rather weak.
>The security issue is poor coding rather than anything else. Using the 
>various VAR arrays largely moves the problem sideways.
>I took the liberty on the Windows installer of making the default route 
>through the wizard set the error level to E_ALL. I am fed up that almost all 
>the freely available PHP scripts out there just won't run at E_ALL because 
>they either spew out so many warning messages that you can't see what's going 
>on, and in many cases, the warning messages cause crucial headers not to be 
>sent. My own rule of thumb is that if a script outputs any warnings during 
>normal use, then it just can't be trusted to be secure.
>Phil Driscoll

And the eyes of them both were opened and they saw that their files
were world readable and writable, so they chmoded 600 their files.
    - Book of Installation chapt 3 sec 7 

PHP Development Mailing List <http://www.php.net/>
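
The point debated in the thread, as an added example that is not part of any poster's message: at E_ALL, PHP reports a read of the never-initialized `$ok`, and initializing it removes both the diagnostic and the effect of an imported request value. The script the thread refers to is not on this page, so `weak_check`, `fixed_check` and the request data are constructed, and `extract()` stands in for `register_globals = on` as an assumption.

```php
<?php
// Added example; the script discussed in the thread is not on this page.
error_reporting(E_ALL);

// Collect diagnostics instead of printing them, so they can be reported per case.
$diagnostics = [];
set_error_handler(function (int $errno, string $errstr): bool {
    $GLOBALS['diagnostics'][] = $errstr;
    return true;
});

// register_globals was removed in PHP 5.4, so extract() stands in for it here
// (assumption). EXTR_SKIP keeps imported names from replacing existing locals.
function weak_check(array $request, bool $authenticated): bool
{
    extract($request, EXTR_SKIP);
    if ($authenticated) {
        $ok = true;
    }
    return (bool) $ok;   // $ok is never initialized on the unauthenticated path
}

function fixed_check(array $request, bool $authenticated): bool
{
    extract($request, EXTR_SKIP);
    $ok = false;         // explicit initialization discards any imported value
    if ($authenticated) {
        $ok = true;
    }
    return $ok;
}

// Constructed request data.
$cases = [
    'no parameters' => [],
    'ok=1 supplied' => ['ok' => '1'],
];

foreach (['weak_check', 'fixed_check'] as $check) {
    foreach ($cases as $label => $request) {
        $diagnostics = [];
        $granted = $check($request, false);   // caller is never authenticated
        printf("%-11s %-14s granted=%-3s diagnostics=%s\n",
            $check, $label, $granted ? 'yes' : 'no',
            $diagnostics ? implode('; ', $diagnostics) : 'none');
    }
}
```

Only the `weak_check` run with no parameters produces an undefined-variable diagnostic; the run where `ok=1` is supplied is granted with no diagnostic at all, so the E_ALL message is a signal seen during normal use rather than a runtime guard.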