At 15:35 8/17/2001, Zeev Suraski wrote the following:
-------------------------------------------------------------- 
>At 16:21 17-08-01, Cynic wrote:
>>I vote for E_ALL as default in 4.1. NB I thought it was agreed
>>that the same code will be released as 4.0.7 and 4.1.0 with the
>>difference being php.ini settings. Was it a misperception on my
>>part?
>
>Defaults and ini settings (the binary will also reflect the new default php.ini 
>settings).
>
>The reasons I'm not sure about whether E_NOTICE should be in or not:
>
>- The consequences of turning it on are extremely far reaching - it requires you to 
>go over each and every line of your code, until the very last one, and check it, on 
>the logical level (i.e., try to think about every possible path of execution).
>- It's almost always harmless, especially after we change the default value of 
>register_globals to off.
>
>I'm very non decisive about my opinion on this one.  I know that in 1997 when these 
>warnings were added to the language in the first place, they were E_WARNING's.  
>Rasmus and others said that these warnings were too excessive, and introduced the 
>NOTICE (or STRICT as it was called back then) error level, which was off by default, 
>basically telling people it's ok to write code that way.  This happened about 4 years 
>ago, in the early days of PHP 3.0.  Weighing the gain (it's there, but it's not 
>overwhelming) and weighing the mess (it's there alright :), it's very difficult to 
>come up with a firm decision.
>
>I consider E_NOTICE as a basic element of good programming practices.  Unlike 
>register_globals, which simply begs for security bugs to occur, though, E_NOTICE is 
>more of an application-level, code-cleanliness kind of suggestion.  That's why I 
>think that adding it to the php.ini-recommended is a good first step.

I'd do this:

4.0.7:
php.ini-standard       basically today's php.ini-dist
php.ini-recommended    basically today's php.ini-optimized
                       + the proposed security related changes
                       what this is exactly I don't know. perhaps
                       only register_globals off

4.1.0:
php.ini-standard       php.ini-recommended as contained in 4.0.7
                       + anything else you think should be there
                       (it can be more "strict" than 4.0.7's rec.)
php.ini-compat         php.ini-standard as contained in 4.0.7

And while I'm at it: can the Powers That Be consider switching the
default setting for display_startup_errors to On in either of the 
ini files? I believe (my experience indicates it) that this would
help to lower the confusion in some cases quite a bit: a message 
instead of just a 500 can change one's day.

>While we're at it, I think that we should also take another recommendation from the 
>advisory that brought this mess upon us - and turn URL fopens off by default.

+0




[EMAIL PROTECTED]
-------------
And the eyes of them both were opened and they saw that their files
were world readable and writable, so they chmoded 600 their files.
    - Book of Installation chapt 3 sec 7 


-- 
PHP Development Mailing List <http://www.php.net/>