Zeev Suraski schrieb:

At 01:04 29/07/2001, Phil Driscoll wrote:
>On Saturday 28 July 2001 20:52, Zeev Suraski wrote:
>a rebuf to each of my arguments :)
>Rather than prolong the agony, my point is that in all the cases where a
>malicious user has the chance to inject a dodgy variable, the code must
>normally have a logic path which allows the code to pass through an undefined
>usage of that variable. In testing the code with E_NOTICE on, a warning
>message will be displayed. The warning message could be beefed up to scare
>the user a bit more, but for me it is this that hits the nail on the head.

*sigh* :)  As I said numerous times, PHP gives you standard clean ways to
test your variables without generating E_NOTICE's, namely, isset() (very
popular) and empty() (less popular, but available all the same).  There's a
good, fairly darned good chance that exploitable code will generate no
warnings whatsoever, and that code that was written with cleanliness in
mind will actually be more difficult to debug than sucky
E_NOTICE-generating code would.

>I can assure you that the monkeys will screw things up whowever you change
>the code :)
>That said, It's easy to live with the proposal, especially with the
>import_globals() functions.

I think the import_globals() is a good idea, provided we do it the right
way, and publish it for what it is.  I don't think it's going to make a
remarkable difference in neither those who would have to migrate (if they
want to take the benefit from register_globals=off, they'd still have to go
over all of their code) or the newbies (I still believe it's not easier to
use $foo than it is to use $_FORM['foo'], definitely if you have to learn
about functions (import_globals()) and the notion of the global scope, the
'global' statement and/or $GLOBALS to properly use the $foo version :)  I
think it'd take a more educated monkey, actually ;)


PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to