At 19:35 17-08-01, Cynic wrote:
>This will happily run in E_ALL &~ E_NOTICE whether $x == 'foo' or not.
>Attacker can then inject $secure in the query string, and it'll apply
>whether or not $x == 'foo'. This will be caught with error_reporting
>E_ALL.

That's just a specific case of the register_globals problem.  We're already 
phasing register_globals out...  In the post register_globals era, the 
likelihood that E_NOTICEs will be hiding a security bug is much, much 
lower.  However, there are quite a few other situations in which E_NOTICEs 
are emitted, which are perfectly ok.  It has to do with coding style, not 
security.

>Yes, average PHP code is full of security or other holes.

E_NOTICEs only sometimes imply a security hole or a bug.  Very often, they 
imply absolutely nothing.

Zeev


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
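The pattern Cynic and Zeev are arguing over, reconstructed as an added example (not code from this thread): the vulnerable form assigns $secure on only one branch, so under register_globals a request parameter can supply the value, and it is the E_NOTICE on the benign request that reveals the uninitialised read; the hardened form initialises the flag and reads request data explicitly. The variable names, the query and the sample requests are assumptions; since register_globals no longer exists in modern PHP, extract() stands in for it.

```php
<?php
// Added illustration, not code from the thread; names and query are assumed.
// register_globals was removed in PHP 5.4, so extract() emulates it here: it
// turns request keys into variables in the current scope, exactly the problem.
error_reporting(E_ALL);   // the notice is what exposes the uninitialised read

// Vulnerable form: $secure is only assigned on one branch and never initialised.
function vulnerable(array $get): string
{
    extract($get);                 // emulates register_globals
    if ($x == 'foo') {
        $secure = true;
    }
    // Reading $secure when the branch did not run is an undefined-variable
    // read: reported under E_ALL (E_NOTICE, E_WARNING since PHP 8), hidden
    // under E_ALL & ~E_NOTICE. With a request that supplies ?secure=1 the
    // variable exists, so nothing is reported and the request picks the value.
    return "SELECT * FROM t WHERE secure = " . ($secure ? 1 : 0);
}

// Hardened form: initialise the flag and take request data from $get explicitly,
// so no request key can reach the flag regardless of register_globals.
function hardened(array $get): string
{
    $secure = false;
    $x = isset($get['x']) ? (string) $get['x'] : '';
    if ($x === 'foo') {
        $secure = true;
    }
    return "SELECT * FROM t WHERE secure = " . ($secure ? 1 : 0);
}

$benign    = ['x' => 'bar'];                   // constructed request: ?x=bar
$malicious = ['x' => 'bar', 'secure' => '1'];  // constructed request: ?x=bar&secure=1

echo vulnerable($benign), "\n";     // emits the undefined-variable notice: the tell
echo vulnerable($malicious), "\n";  // silent, and the flag came from the request
echo hardened($malicious), "\n";    // the extra parameter is ignored
```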
