At 15:35 8/17/2001, Zeev Suraski wrote the following:
>At 16:21 17-08-01, Cynic wrote:
>>I vote for E_ALL as default in 4.1. NB I thought it was agreed
>>that the same code will be released as 4.0.7 and 4.1.0 with the
>>difference being php.ini settings. Was it a misperception on my
>Defaults and ini settings (the binary will also reflect the new default php.ini 
>The reasons I'm not sure about whether E_NOTICE should be in or not:
>- The consequences of turning it on are extremely far reaching - it requires you to 
>go over each and every line of your code, until the very last one, and check it, on 
>the logical level (i.e., try to think about every possible path of execution).
>- It's almost always harmless, especially after we change the default value of 
>register_globals to off.
>I'm very indecisive about my opinion on this one.  I know that in 1997 when these 
>warnings were added to the language in the first place, they were E_WARNING's.  
>Rasmus and others said that these warnings were too excessive, and introduced the 
>NOTICE (or STRICT as it was called back then) error level, which was off by default, 
>basically telling people it's ok to write code that way.  This happened about 4 years 
>ago, in the early days of PHP 3.0.  Weighing the gain (it's there, but it's not 
>overwhelming) and weighing the mess (it's there alright :), it's very difficult to 
>come up with a firm decision.
>I consider E_NOTICE as a basic element of good programming practices.  Unlike 
>register_globals, which simply begs for security bugs to occur, though, E_NOTICE is 
>more of an application-level, code-cleanliness kind of suggestion.  That's why I 
>think that adding it to the php.ini-recommended is a good first step.

I'd do this:

php.ini-standard       basically today's php.ini-dist
php.ini-recommended    basically today's php.ini-optimized
                       + the proposed security related changes
                       what this is exactly I don't know. perhaps
                       only register_globals off

php.ini-standard       php.ini-recommended as contained in 4.0.7
                       + anything else you think should be there
                       (it can be more "strict" than 4.0.7's rec.)
php.ini-compat         php.ini-standard as contained in 4.0.7

And while I'm at it: can the Powers That Be consider switching the
default setting for display_startup_errors to On in either of the 
ini files? I believe (my experience indicates it) that this would
help to lower the confusion in some cases quite a bit: a message 
instead of just a 500 can change one's day.

>While we're at it, I think that we should also take another recommendation from the 
>advisory that brought this mess upon us - and turn URL fopens off by default.


And the eyes of them both were opened and they saw that their files
were world readable and writable, so they chmoded 600 their files.
    - Book of Installation chapt 3 sec 7 

