C>> if('foo' == $x){
C>>   $secure = true;
C>> }
C>> ...
C>> if($secure){
C>>   # do sumthing that needs authentication
C>> }
C>> This will happily run in E_ALL &~ E_NOTICE whether $x == 'foo' or not.
C>> Attacker can then inject $secure in the query string, and it'll apply
C>> whether or not $x == 'foo'. This will be caught with error_reporting
C>> E_ALL.

That's entirely different issue, having nothing to do with notices, but
with register_globals and mixing internal and user-supplied variables. The
fact that E_NOTICE may in some situation help you to find it is lucky (or,
on the second thought, unlucky - it may as well not happen, and you are
toast with all your belief in notices) coincidence, nothing more.

C>> Yes, average PHP code is full of security or other holes.

That's overbroad statement which is just wrong. I can show you a lot of
scripts generating a real lot of notices, but having no security hole.

Also, note that fixing notice in the above code in the obvious way -
changing simple if() to isset and stuff - will shut up your precious
notice mechanism, while leaving the hole wide open. Is that what you want?

Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED]  http://www.zend.com/ +972-3-6139665 ext.115

PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to