On Tue, Jul 30, 2013 at 7:37 PM, Kevin Israel <pleasest...@live.com> wrote:

> > As in: that function is just as evil as eval(), and the innocent looking
> >
> > assert( "$_GET[id] > 0" );
> > assert( $this->functionFromSuperclass() );

This is what I mean by misusing the assert function. Assert should always be called by passing a single-quoted string as an argument. If used correctly, it is no more a security vulnerability than if you were to put the same code into an if statement.

Also, like I said, assertions are for statements that are always true, so checking user input with assertions is incorrect.

> Interesting concept. I think in C, they are most often used for
> validating function input, so obviously they can be hit. The Wikipedia
> articles [[Assertion (software development)]] and [[Precondition]]
> both mention this usage.

Using assertions to validate function input is indeed a valid usage, but it should be done in ways where they won't be hit. In other words, they should not be used for data validation; they should be used in cases where *the program expects the data to already be valid*.

-- 
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
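As an added illustration of the three call styles being argued over above (this is example code written for this page, not code from the thread or from MediaWiki), the PHP script below shows why the double-quoted form is an eval()-style injection, why the single-quoted form reads the request value as data instead, and why request data should get a real validation check rather than an assertion. It assumes PHP 5 semantics, where assert() evaluates a string argument as PHP code (as `return <string>;`) and a failed assertion is reported as a warning with execution continuing; PHP 7.2 deprecates string assertions and PHP 8 no longer evaluates them, so the injection in case 1 does not reproduce there. The attacker value assigned to $_GET['id'] and the validate_id() helper are constructed for the example.

```php
<?php
// Added example, not from the thread. Assumes PHP 5 assert() semantics:
// a string argument is evaluated as PHP code, and a failed assertion is a
// warning (assert.warning=1, assert.bail=0 are the PHP 5 defaults).

// Constructed attacker input. The payload is harmless (a printf) so the
// script is safe to run; a real attacker would call something else.
// Because PHP 5 evaluates the string as `return <string>;`, the payload is
// placed first so it runs before the `return` value is computed.
$_GET['id'] = 'printf("INJECTED\n") || 1';

// Case 1: double-quoted string. PHP interpolates $_GET[id] into the string
// BEFORE assert() sees it, so the code assert() evaluates is
//     return printf("INJECTED\n") || 1 > 0;
// The request value became code. This is the misuse Kevin is pointing at.
function assert_double_quoted() {
    assert("$_GET[id] > 0");
}

// Case 2: single-quoted string. The code text is fixed at
//     return $_GET["id"] > 0;
// and assert() evaluates exactly that: the request value is read as DATA
// and compared to 0. The attacker string is not a positive integer, so the
// assertion fails with a warning, but nothing in the string is executed.
function assert_single_quoted() {
    assert('$_GET["id"] > 0');
}

// Case 3: plain boolean expression. No string is evaluated at all; in
// security terms this is exactly an if() on the same expression.
function assert_boolean() {
    assert($_GET['id'] > 0);
}

// Data from a request is expected to be invalid sometimes, so it gets a
// real check whose failure the caller handles. An assertion is for a
// condition the program believes already holds.
function validate_id($raw) {
    if (!ctype_digit((string) $raw) || (int) $raw <= 0) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return (int) $raw;
}

echo "case 1 (double-quoted): ";
assert_double_quoted();   // PHP 5: prints INJECTED, assertion passes
echo "\ncase 2 (single-quoted): ";
assert_single_quoted();   // assertion failure warning; nothing executed
echo "\ncase 3 (boolean): ";
assert_boolean();         // assertion failure warning; nothing executed
echo "\n";

try {
    validate_id($_GET['id']);
} catch (InvalidArgumentException $e) {
    echo "validate_id rejected request value: ", $e->getMessage(), "\n";
}
echo "validate_id('42') = ", validate_id('42'), "\n";
```

The practical check for a code base on PHP 5 is to grep for `assert(` calls whose argument is a double-quoted string or a concatenation, since those are the only forms in which untrusted bytes can reach the evaluator; single-quoted strings and plain expressions cannot be influenced by request data at the code level, which is what the reply above relies on.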