At 19:16 17-08-01, Stanislav Malyshev wrote:
>ZS>> I consider E_NOTICE as a basic element of good programming
>ZS>> practices.  Unlike register_globals, which simply begs for
>ZS>> security bugs to
>
>Actually, I fail to see why it is so. Let's see two code snippets:
>
>if($arr['foo']) { ... do something ... }
>if(isset($arr['foo']) && $arr['foo']!=false) { ... do something ... }
>
>Both have the same function, but the first generates E_NOTICE. Why is the
>first bad programming practice? How many PHP users would really prefer
>the second over the first?

This is one case in which there's no added value to E_NOTICE - in your 
example, you explicitly don't care whether the variable exists or 
not.  There are many cases in which there is an added value in 
E_NOTICE.  For example:

for ($i=0; $i<100; $i++) {
    $sum += sth();
}

print "The total sum is $total";

True, a dumb programming error (it can get more complex), but an E_NOTICE 
would have caught it in a second.  I think that in the post register_globals 
era it'll usually not help uncover security bugs, but it improves code 
cleanliness.

>ZS>> kind of suggestion.  That's why I think that adding it to the
>ZS>> php.ini-recommended is a good first step.
>
>However, it would make average PHP code output tens of warnings, which
>would be annoying and would hardly be useful in many cases.

I agree.  I'm saying that it's a difficult call.

>ZS>> While we're at it, I think that we should also take another
>ZS>> recommendation from the advisory that brought this mess upon us
>ZS>> - and turn URL fopens off by default.
>
>Well, generally I personally would even go further and make two functions
>- one for file-only fopen (about 90% of fopen usage?) and another which
>would open everything and the kitchen://sink. Or make some switch, etc. -
>a configuration option doesn't seem to me to fit here, it's not per-server but
>per-script property if you want URL fopens or not.

You can set any INI entries using ini_set() for a particular script.  I 
think adding new functions is messy - too many functions in PHP support 
opening URLs (because they're built on top of fopen-wrappers).

Zeev


-- 
PHP Development Mailing List <http://www.php.net/>
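
The three snippets discussed in this message, run under a handler that collects what PHP reports, as an added example that is not code from the thread. It shows the bare array test being flagged, the isset() form staying silent, and the loop being flagged twice (the uninitialised $sum and the misspelled $total). The sth() stub, the diagnostics() helper and the case labels are constructed for illustration.

```php
<?php
// Added example, not from the thread. sth() is a constructed stand-in
// for the helper called in the loop quoted in the message.
function sth() { return 1; }

// Run $fn and return the diagnostic messages it raised. Undefined variables
// and array keys are E_NOTICE before PHP 8 and E_WARNING from PHP 8.0 on.
function diagnostics(callable $fn): array
{
    $seen = [];
    $old = error_reporting(E_ALL);   // report everything while $fn runs
    set_error_handler(function ($errno, $errstr) use (&$seen) {
        if ($errno & (E_NOTICE | E_WARNING)) {
            $seen[] = $errstr;
        }
        return true;                 // handled: suppress PHP's own output
    });
    try {
        $fn();
    } finally {
        restore_error_handler();
        error_reporting($old);
    }
    return $seen;
}

$cases = [
    'bare test' => function () {
        $arr = [];
        if ($arr['foo']) { /* do something */ }
    },
    'isset test' => function () {
        $arr = [];
        if (isset($arr['foo']) && $arr['foo'] != false) { /* do something */ }
    },
    'sum/total typo' => function () {
        for ($i = 0; $i < 100; $i++) {
            $sum += sth();           // $sum is never initialised
        }
        return "The total sum is $total";   // $total was never assigned
    },
];

foreach ($cases as $name => $fn) {
    $msgs = diagnostics($fn);
    printf("%-15s %d: %s\n", $name, count($msgs), implode('; ', $msgs));
}
```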