ZS>> I consider E_NOTICE as a basic element of good programming
ZS>> practices.  Unlike register_globals, which simply begs for
ZS>> security bugs to

Actually, I fail to see why it is so. Let's see two code snippets:

if($arr['foo']) { ... do something ... }
if(isset($arr['foo']) && $arr['foo']!=false) { ... do something ... }

Both have the same function, but the first generates E_NOTICE. Why is the
first bad programming practice? How many PHP users would really prefer
the second over the first?

ZS>> kind of suggestion.  That's why I think that adding it to the
ZS>> php.ini-recommended is a good first step.

However, it would make average PHP code output tens of warnings, which
would be annoying and would hardly be useful in many cases.

ZS>> While we're at it, I think that we should also take another
ZS>> recommendation from the advisory that brought this mess upon us
ZS>> - and turn URL fopens off by default.

Well, generally I personally would even go further and make two functions
- one for file-only fopen (about 90% of fopen usage?) and another which
would open everything and the kitchen://sink. Or make some switch, etc. -
a configuration option doesn't seem to me to fit here; it's not a per-server but
a per-script property whether you want URL fopens or not.

-- 
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED]  http://www.zend.com/ +972-3-6139665 ext.115
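
The file-only fopen idea from the reply above, as an added example; it is not code from the thread or from PHP itself. The helper name `fopen_local()`, its base-directory argument and the sample file are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a PHP built-in): open a plain local file for
// reading and refuse anything a stream wrapper would handle.
function fopen_local(string $path, string $baseDir)
{
    // PHP selects a wrapper from a "scheme://" prefix; "data:" is also
    // accepted without the slashes, so reject both forms explicitly.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) || stripos($path, 'data:') === 0) {
        throw new InvalidArgumentException("stream wrapper not allowed: $path");
    }

    // realpath() only consults the filesystem, so the result is an absolute
    // local path with symlinks and ".." resolved, or false if it is missing.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $path);
    if ($base === false || $real === false || !is_file($real)) {
        throw new RuntimeException("not a readable local file: $path");
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("path escapes base directory: $path");
    }

    // Open the canonical absolute path, never the caller's original string.
    $fh = fopen($real, 'rb');
    if ($fh === false) {
        throw new RuntimeException("cannot open: $path");
    }
    return $fh;
}

// Constructed sample input: one file inside a temporary base directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fopen_local_demo';
@mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'notes.txt', "hello\n");

foreach (['notes.txt', 'http://example.com/x.txt', 'php://filter/resource=notes.txt',
          'data:text/plain,hi', '../outside.txt'] as $candidate) {
    try {
        $fh = fopen_local($candidate, $base);
        echo "opened $candidate: ", trim(fgets($fh)), "\n";
        fclose($fh);
    } catch (Exception $e) {
        echo "refused $candidate: ", $e->getMessage(), "\n";
    }
}
```

Only `notes.txt` is opened; the URL, `php://`, `data:` and `../` candidates are refused before any stream is created, regardless of the server-wide URL fopen setting.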



-- 
PHP Development Mailing List <http://www.php.net/>