At 10:27 29/07/2001, Phil Driscoll wrote:
>On Sunday 29 July 2001 17:35, Zeev Suraski wrote:
> > *sigh* :) As I said numerous times, PHP gives you standard clean ways to
> > test your variables without generating E_NOTICE's, namely, isset() (very
> > popular) and empty() (less popular, but available all the same). There's a
> > good, fairly darned good chance that exploitable code will generate no
> > warnings whatsoever, and that code that was written with cleanliness in
> > mind will actually be more difficult to debug than sucky
> > E_NOTICE-generating code would.
>
>We'll have to agree to differ - Over the last year I must have downloaded
>about 50 PHP scripts from the popular places with a view to using them. ALL
>of them - yes every last one - generated warning messages under E_WARNING.
Under E_WARNING or E_NOTICE?
Make no mistake, I agree that quite a few and perhaps even probably the
majority of the scripts are not E_NOTICE compliant. I just don't agree
that the overlap between the group of scripts which are in fact E_NOTICE
safe and the group of scripts which are exploitable by this issue is non
existent, or even small.
Zeev
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
