Relying on initialization by the system instead of doing it by hand is bad.

What if somebody then includes your file into something else, but has used
that variable, but their final value is usually 0, except when it's not...

Then, your code works for a while and then inexplicably breaks.

Always initialize variables.

--
WARNING [EMAIL PROTECTED] address is an endangered species -- Use
[EMAIL PROTECTED]
Wanna help me out?  Like Music?  Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
----- Original Message -----
From: Stanislav Malyshev <[EMAIL PROTECTED]>
To: Cynic <[EMAIL PROTECTED]>
Cc: Zeev Suraski <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; PHP Development
<[EMAIL PROTECTED]>
Sent: Friday, August 17, 2001 11:33 AM
Subject: Re: [PHP-QA] Re: PHP-4.0.7RC1


> C>> if('foo' == $x){
> C>>   $secure = true;
> C>> }
> C>> ...
> C>> if($secure){
> C>>   # do sumthing that needs authentication
> C>> }
> C>>
> C>> This will happily run in E_ALL &~ E_NOTICE whether $x == 'foo' or not.
> C>> Attacker can then inject $secure in the query string, and it'll apply
> C>> whether or not $x == 'foo'. This will be caught with error_reporting
> C>> E_ALL.
>
> That's entirely different issue, having nothing to do with notices, but
> with register_globals and mixing internal and user-supplied variables. The
> fact that E_NOTICE may in some situation help you to find it is lucky (or,
> on the second thought, unlucky - it may as well not happen, and you are
> toast with all your belief in notices) coincidence, nothing more.
>
> C>> Yes, average PHP code is full of security or other holes.
>
> That's overbroad statement which is just wrong. I can show you a lot of
> scripts generating a real lot of notices, but having no security hole.
>
> Also, note that fixing notice in the above code in the obvious way -
> changing simple if() to isset and stuff - will shut up your precious
> notice mechanism, while leaving the hole wide open. Is that what you want?
>
> --
> Stanislav Malyshev, Zend Products Engineer
> [EMAIL PROTECTED]  http://www.zend.com/ +972-3-6139665 ext.115
>
>
>
> --
> PHP Quality Assurance Mailing List <http://www.php.net/>
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
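An added example, not code from this thread, that emulates register_globals with extract() on a constructed request: it reproduces the hole in Cynic's snippet, shows that swapping the plain if() for isset()/empty() silences the notice but leaves the hole open (Stanislav's point), and shows that initialising $secure closes it. Function and request names are assumptions for the demonstration.

```php
<?php
// Constructed request: the client never knew the secret ('foo') but
// supplies secure=1, the trick described in the quoted message.
$attackerRequest = ['x' => 'wrong', 'secure' => '1'];
$legitRequest    = ['x' => 'foo'];

// Vulnerable: mirrors the quoted snippet. extract() stands in for
// register_globals=On, which turns every request parameter into a variable.
function vulnerableCheck(array $request): bool
{
    extract($request);              // request parameters become $x, $secure, ...
    if ('foo' == $x) {
        $secure = true;
    }
    // empty()/isset() makes the E_NOTICE go away, but $secure was already
    // set by the request, so the authentication decision is still attacker-controlled.
    return !empty($secure);
}

// Hardened: the flag is initialised by the script *after* any global import,
// so nothing the client sends can pre-set it. Reading $x from the array
// instead of the global scope also keeps request data out of local variables.
function hardenedCheck(array $request): bool
{
    $secure = false;                // always initialise, regardless of input
    $x = $request['x'] ?? '';       // explicit source, no register_globals reliance
    if ('foo' === $x) {             // strict comparison avoids loose-equality surprises
        $secure = true;
    }
    return $secure;
}

// Run both variants against both requests; the vulnerable one grants the
// attacker access, the hardened one grants only the legitimate request.
function demo(): array
{
    global $attackerRequest, $legitRequest;
    return [
        'vulnerable_attacker' => vulnerableCheck($attackerRequest), // true  (hole)
        'vulnerable_legit'    => vulnerableCheck($legitRequest),    // true
        'hardened_attacker'   => hardenedCheck($attackerRequest),   // false (closed)
        'hardened_legit'      => hardenedCheck($legitRequest),      // true
    ];
}

var_dump(demo());
```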
