On Sunday 29 July 2001 17:35, Zeev Suraski wrote:
> *sigh* :)  As I said numerous times, PHP gives you standard clean ways to
> test your variables without generating E_NOTICE's, namely, isset() (very
> popular) and empty() (less popular, but available all the same).  There's a
> good, fairly darned good chance that exploitable code will generate no
> warnings whatsoever, and that code that was written with cleanliness in
> mind will actually be more difficult to debug than sucky
> E_NOTICE-generating code would.

We'll have to agree to differ. Over the last year I must have downloaded 
about 50 PHP scripts from the popular places with a view to using them. ALL 
of them - yes, every last one - generated warning messages under E_WARNING. 
People who code sloppily code sloppily; the warning messages will get out. 
Even people who code well but don't test under E_WARNING will find that 
E_WARNING is their friend. I don't think that the typical uses of isset and 
empty actually serve to hide the warning messages that would appear in 
vulnerable code.

Anyway, I'll shut up now and leave you in peace :)

-- 
Phil Driscoll
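An added example (not part of the thread) in modern PHP, making the point both posts circle around concrete: at full error reporting, a check that reads a variable the script never initialised produces a diagnostic, while the isset() form of the same check is silent yet no safer. The variable names, the simulated scope and the error handler are constructed for illustration.

```php
<?php
// Added example, not from the original thread. Three styles of the same
// check are run against a constructed "scope" standing in for whatever
// variables happened to exist when the check executed (in 2001 that could
// include request data via register_globals).
declare(strict_types=1);

error_reporting(E_ALL);

// Collect "Undefined variable" diagnostics instead of printing them, so
// the three styles can be compared side by side.
$diagnostics = [];
set_error_handler(function (int $no, string $msg) use (&$diagnostics): bool {
    $diagnostics[] = $msg;
    return true;
});

function run_check(string $style, array $scope): bool {
    extract($scope);   // simulate externally populated variables
    switch ($style) {
        case 'sloppy':      // reads $is_admin whether or not it exists
            return (bool) $is_admin;
        case 'isset':       // silent at any error level, logic unchanged
            return isset($is_admin) && $is_admin;
        case 'initialised': // the script owns the variable from the start
            $is_admin = false;
            // ... real authorisation logic would set it here ...
            return $is_admin;
    }
    throw new InvalidArgumentException($style);
}

foreach (['sloppy', 'isset', 'initialised'] as $style) {
    foreach ([[], ['is_admin' => true]] as $scope) {
        $diagnostics = [];
        $result = run_check($style, $scope);
        printf("%-12s scope=%-18s result=%-5s diagnostics=%d\n",
            $style, json_encode($scope), var_export($result, true),
            count($diagnostics));
    }
}
```

Only the 'sloppy' style reports anything, and only when the variable is absent; the 'isset' style is quiet in both runs while still letting an externally supplied value decide the outcome, which is the disagreement above.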

-- 
PHP Development Mailing List <http://www.php.net/>