At 18:16 8/17/2001, Stanislav Malyshev wrote the following:
--------------------------------------------------------------
>ZS>> I consider E_NOTICE as a basic element of good programming
>ZS>> practices. Unlike register_globals, which simply begs for
>ZS>> security bugs to
>
>Actually, I fail to see why it is so. Let's see two code snippets:
>
>if($arr['foo']) { ... do something ... }
>if(isset($arr['foo']) && $arr['foo']!=false) { ... do something ... }
if('foo' == $x){
    $secure = true;   # only assigned on the success path; never initialised otherwise
}
...
if($secure){
    # do something that needs authentication
}
This will happily run in E_ALL &~ E_NOTICE whether $x == 'foo' or not.
An attacker can then inject $secure in the query string, and it'll apply
whether or not $x == 'foo'. This will be caught with error_reporting
E_ALL.
>Both have the same function, but the first generates E_NOTICE. Why the
>first is bad programming practice? How many PHP users would really prefer
>the second over the first?
>
>ZS>> kind of suggestion. That's why I think that adding it to the
>ZS>> php.ini-recommended is a good first step.
>
>However, it would make average PHP code output tens of warnings, which
>would be annoying and would hardly be useful in many cases.
Yes, average PHP code is full of security or other holes.
[EMAIL PROTECTED]
-------------
And the eyes of them both were opened and they saw that their files
were world readable and writable, so they chmoded 600 their files.
- Book of Installation chapt 3 sec 7
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
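The uninitialised-$secure pattern discussed in this thread, as an added example that is not part of the original message or of PHP itself. It assumes a modern PHP (7+) CLI, uses extract() on a constructed request array to stand in for register_globals=On (an approximation: that setting injected request parameters into the global scope, extract() does the same thing inside the function), and shows the vulnerable pattern beside a hardened one, with error_reporting(E_ALL) and an error handler so that the undefined-variable notice (a warning on PHP 8) surfaces instead of being ignored.

```php
<?php
// Added example (not from the original thread). Demonstrates that with
// register_globals-style input injection an uninitialised $secure can be
// supplied by the request, and that E_ALL reporting exposes the defect.

error_reporting(E_ALL);

// Promote reported notices/warnings to exceptions so an uninitialised-variable
// read is caught in tests rather than silently evaluating to false/null.
set_error_handler(function ($severity, $message, $file, $line) {
    if (!(error_reporting() & $severity)) {
        return false;           // respect the configured error_reporting level
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Vulnerable pattern: $secure is only assigned on the success path.
function checkVulnerable(array $request): bool
{
    extract($request);          // assumption: simulates register_globals=On
    if ('foo' == $x) {
        $secure = true;
    }
    return (bool) $secure;      // undefined variable when $x != 'foo' and no
                                // 'secure' key was injected by the request
}

// Hardened pattern: initialise before use (default-deny), read input
// explicitly from the request array, compare strictly.
function checkHardened(array $request): bool
{
    $secure = false;            // always defined, regardless of the path taken
    $x = isset($request['x']) ? $request['x'] : '';
    if ('foo' === $x) {
        $secure = true;
    }
    return $secure;
}

// Constructed sample requests (not real traffic).
$cases = [
    ['x' => 'foo'],                  // legitimate success
    ['x' => 'bar', 'secure' => '1'], // attacker-supplied 'secure' parameter
    ['x' => 'bar'],                  // ordinary failure, nothing injected
];

foreach ($cases as $req) {
    echo 'request: ' . json_encode($req) . "\n";
    try {
        printf("  vulnerable: %s\n", var_export(checkVulnerable($req), true));
    } catch (ErrorException $e) {
        printf("  vulnerable: caught \"%s\"\n", $e->getMessage());
    }
    printf("  hardened:   %s\n", var_export(checkHardened($req), true));
}
```

Run with `php example.php`. The second case shows the injection: checkVulnerable() returns true although $x is not 'foo', while checkHardened() returns false. The third case shows what E_ALL buys you: the same vulnerable code, fed an ordinary failing request, now raises an undefined-variable error instead of quietly returning false, which is exactly the signal that would have pointed a developer at the missing initialisation before an attacker found it.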