$_GET["foo"] = 'include( "evil_file.php" )';
assert( '$_GET["foo"] == "fluffy bunny rabbit"' ); // This is fine: single quotes, nothing interpolated
assert( "{$_GET['foo']} == 'fluffy bunny rabbit'" ); // But this is not: the request value is interpolated, then evaluated
// (braces added: "$_GET['foo']" with a quoted key inside double quotes is a parse error)
Deliberately using a function which reduces the security of your
application to relying on everyone choosing the correct type of quotes is
definitely asking for trouble.

--HM

On 31 July 2013 13:19, Tyler Romeo <[email protected]> wrote:

> On Wed, Jul 31, 2013 at 7:42 AM, Tim Starling <[email protected]> wrote:
>
> > Indeed. In C, assert() will abort the program if it is enabled, which
> > is hard to miss. It is not comparable to the PHP assert() function.
>
> ...except PHP's assert() *also* aborts the program if enabled. What am I
> missing here?
>
> > The reasons I don't like assert() are:
> >
> > 1. It doesn't throw an exception
> > 2. It acts like eval()
> >
> > We could have a library of PHPUnit-style assertion functions which
> > throw exceptions and don't act like eval(), I would be fine with that.
> > Maybe MWAssert::greaterThan( $foo, $bar ) or something.
>
> 1. It's fairly trivial to use assert_options() to make assertions throw
> exceptions if you really wanted to while developing.
> 2. Except it's not. Again, you're welcome to give an example where code
> provided as a string in an assertion is not exactly the same as having the
> code hardcoded.
>
> --
> Tyler Romeo
> Stevens Institute of Technology, Class of 2016
> Major in Computer Science
> www.whizkidztech.com | [email protected]

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
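The thread above argues over two things: whether string-argument assert() is really different from hard-coded code, and whether an exception-throwing assertion library would be a better fit. The following PHP is an added example written for this page, not code from the thread or from MediaWiki. It shows both defensive responses: a small exception-throwing assertion helper in the spirit of Tim's hypothetical MWAssert::greaterThan(), and a token-based check that flags assert() calls whose argument is a string literal, which is exactly the form PHP evaluated as code in the PHP 5 era being discussed (string arguments to assert() were deprecated in PHP 7.2 and stopped being evaluated in PHP 8.0). The class name MwAssert, the exception class, the function findStringAsserts() and the sample source file are all assumptions constructed for this example; typed signatures assume PHP 7.1 or later.

```php
<?php
// Added example, not from the wikitech-l thread or MediaWiki.
// Names (MwAssert, AssertionFailedException, findStringAsserts) are assumptions.

class AssertionFailedException extends RuntimeException {}

/** Assertion helpers that compare values and throw; they never interpret strings as code. */
final class MwAssert
{
    public static function isTrue( $condition, string $message = 'assertion failed' ): void {
        if ( $condition !== true ) {
            throw new AssertionFailedException( $message );
        }
    }

    public static function greaterThan( $actual, $limit ): void {
        self::isTrue( $actual > $limit, 'expected value > ' . var_export( $limit, true ) );
    }

    public static function same( $actual, $expected ): void {
        self::isTrue( $actual === $expected, 'expected ' . var_export( $expected, true ) );
    }
}

/**
 * Scan PHP source text and return [line => reason] for every assert() call whose
 * first argument is a string literal. Single-quoted literals are reported too:
 * they are only safe until someone changes the quotes, which is HM's point above.
 */
function findStringAsserts( string $source ): array {
    $tokens = token_get_all( $source );
    $count = count( $tokens );
    $findings = [];

    // Index of the next token after $i that is not whitespace or a comment.
    $next = function ( int $i ) use ( $tokens, $count ): int {
        for ( $j = $i + 1; $j < $count; $j++ ) {
            $t = $tokens[$j];
            if ( !is_array( $t ) || !in_array( $t[0], [ T_WHITESPACE, T_COMMENT, T_DOC_COMMENT ], true ) ) {
                return $j;
            }
        }
        return $count;
    };

    for ( $i = 0; $i < $count; $i++ ) {
        $t = $tokens[$i];
        if ( !is_array( $t ) || $t[0] !== T_STRING || strcasecmp( $t[1], 'assert' ) !== 0 ) {
            continue;
        }
        $open = $next( $i );
        if ( $open >= $count || $tokens[$open] !== '(' ) {
            continue; // an identifier named assert, not a call
        }
        $arg = $next( $open );
        if ( $arg >= $count ) {
            continue;
        }
        $a = $tokens[$arg];
        if ( is_array( $a ) && $a[0] === T_CONSTANT_ENCAPSED_STRING ) {
            // 'single' or "double" quoted literal without interpolation
            $findings[$t[2]] = 'assert() called with a string literal: ' . $a[1];
        } elseif ( $a === '"' ) {
            // An interpolated "$var ..." string is tokenized as a bare '"' followed by its parts
            $findings[$t[2]] = 'assert() called with an interpolated string (evaluated as code before PHP 8)';
        }
    }
    return $findings;
}

// Constructed sample source file (line 1 is the open tag, so the asserts are on lines 2-4).
$sample = <<<'PHP'
<?php
assert( '$_GET["foo"] == "fluffy bunny rabbit"' );
assert( "{$_GET['foo']} == 'fluffy bunny rabbit'" );
assert( $_GET['foo'] === 'fluffy bunny rabbit' );
PHP;

foreach ( findStringAsserts( $sample ) as $line => $reason ) {
    echo "line $line: $reason\n";
}

// The exception-throwing alternative: the request value is compared, never interpreted.
$_GET['foo'] = 'include( "evil_file.php" )';
try {
    MwAssert::same( $_GET['foo'], 'fluffy bunny rabbit' );
} catch ( AssertionFailedException $e ) {
    echo 'caught: ' . $e->getMessage() . "\n";
}
```

Run it from the command line with `php example.php`. The scanner reports the two string-argument calls in the constructed sample and stays silent on the third, which passes a boolean; the helper turns the same comparison into a thrown AssertionFailedException, so the failure cannot be silently disabled by assert_options() and the checked value is never handed to the interpreter.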
