True, it's not incredibly annoying in all cases. It is in some cases, however. For instance,

 if (user_is_authorized()) { // placeholder for the real authorization check
   $explodenuke = 1;
 }
 // ...
 if (!empty($explodenuke)) {
   // Explode a nuke!
 }

The only reason there to initialize $explodenuke would be for security (register_globals), and there are other cases like this. I generally initialize variables before using them, but there's always going to be a time when someone forgets. That shouldn't present a security hazard, which is why I think register_globals should *always* be off.

Rasmus Lerdorf wrote:

On Wed, 4 Jun 2003, Leif K-Brooks wrote:


It's true that register_globals being on only makes sloppy code more
insecure. Most people aren't going to write perfect code, though. It's
incredibly annoying to have to unset every variable that shouldn't be
from an outside source. Even if you do so, it's very likely that you
will forget one variable on one page. It will, of course, be the
variable allowing admins to blow up a nuclear bomb over New York. :)



It's incredibly annoying to have to initialize your variables?


This would be an example:

 for($i=0;$i<10;$i++) {
   $str .= $i;
 }

Here, since you haven't initialized $str and you are appending to it,
someone can inject something into $str via GET or POST data.  To fix it,
you have to make the code:

 $str = '';
 for($i=0;$i<10;$i++) {
   $str .= $i;
 }

Is that really what you find incredibly annoying?  Even without
register_globals, you should be initializing your variables this way.
What if other parts of your code happened to use $str and left stuff in it
you didn't expect?

-Rasmus




-- The above message is encrypted with double rot13 encoding. Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law.



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
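
The two cases discussed in this thread, as an added example that is not part of either message: an uninitialized flag or string picks up a request-supplied value, and initializing it first discards that value. It assumes `extract()` with `EXTR_SKIP` as a stand-in for register_globals (removed in PHP 5.4); the function names and the request array are constructed for illustration.

```php
<?php
// Added illustration, not code from the thread. register_globals no longer
// exists (removed in PHP 5.4), so extract() on a request array stands in for
// it. EXTR_SKIP keeps request data from overwriting the function parameters.

// Shape from the first message: the flag is assigned only when authorized.
function may_explode_uninitialized(array $request, bool $authorized): bool
{
    extract($request, EXTR_SKIP);   // request keys become local variables
    if ($authorized) {
        $explodenuke = 1;
    }
    return !empty($explodenuke);    // a request-supplied value survives to here
}

// Same check with the flag initialized before use.
function may_explode_initialized(array $request, bool $authorized): bool
{
    extract($request, EXTR_SKIP);
    $explodenuke = 0;               // overwrites anything the request supplied
    if ($authorized) {
        $explodenuke = 1;
    }
    return !empty($explodenuke);
}

// The append loop from the quoted reply, with and without "$str = '';".
function build_digits(array $request, bool $initialize): string
{
    extract($request, EXTR_SKIP);
    if ($initialize) {
        $str = '';
    }
    for ($i = 0; $i < 10; $i++) {
        $str .= $i;
    }
    return $str;
}

// Constructed request data, as ?explodenuke=1&str=PREFIX- would deliver it.
$forged = ['explodenuke' => '1', 'str' => 'PREFIX-'];

var_dump(may_explode_uninitialized($forged, false));
var_dump(may_explode_initialized($forged, false));
var_dump(may_explode_initialized($forged, true));
var_dump(build_digits($forged, false));
var_dump(build_digits($forged, true));
```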