On Thu, Jan 11, 2007 at 08:06:16AM -0800, Rasmus Lerdorf wrote:
> Alain Williams wrote:
> > On Thu, Jan 11, 2007 at 07:43:21AM -0800, Rasmus Lerdorf wrote:
> >> Alain Williams wrote:
> >>> This has just appeared:
> >>>
> >>> http://www.theregister.co.uk/2007/01/11/php_apps_security/
> >> There are some concrete suggestions in the article that we addressed a
> >> while ago. Things like:
> >> ...
> >
> > One of the biggest things that I would like is to be able to insist that
> > variables are declared, as in perl 'use strict'. I did raise a bug for
> > it, but this seems to have been lost:
> >
> > http://bugs.php.net/bug.php?id=39091
>
> Catching typos on variable assignment doesn't really do much for
> security as far as I am concerned.

It causes program correctness problems, which can impact on security.

One problem that I persistently see is forgetting to declare a variable
'global' in a function ... you only find out that something is wrong when the
program misbehaves. Forcing variable declaration would help here.

I write PHP scripts, I also occasionally teach PHP classes, so I get to see
the problems that PHP newbies have. I also write & teach perl and appreciate
what 'use strict' does.

Would it really be that hard to add? Ideally on a file by file basis so as
to not break included stuff that isn't your own.

-- 
Alain Williams
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
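
The missing-'global' failure mode described in the message above, as an added example that is not part of the original thread or of any PHP project code. The names `$read_only`, `may_write_buggy()` and `may_write()` are hypothetical, and the error handler is a stand-in mitigation using PHP's existing `set_error_handler()`, not the 'use strict' feature requested in the thread.

```php
<?php
// Constructed setting: while this is true, every write must be refused.
$read_only = true;

// Bug: no "global $read_only;". Inside the function the name refers to a
// new, undefined local variable. PHP reports that at low severity and
// evaluates it as null, so !null is true and the write is allowed.
function may_write_buggy()
{
    return !$read_only;
}

// Intended version: the declaration binds the name to the global flag.
function may_write()
{
    global $read_only;
    return !$read_only;
}

// Default behaviour: the wrong answer comes back and the script carries on.
echo "buggy check, default handling: ";
var_dump(@may_write_buggy());   // @ only hides the diagnostic in this demo

echo "correct check: ";
var_dump(may_write());

// Mitigation: promote "undefined variable" reports to exceptions so the
// mistake stops the request instead of silently opening the check.
// The report is an E_NOTICE before PHP 8.0 and an E_WARNING from 8.0 on.
set_error_handler(function ($severity, $message, $file, $line) {
    throw new ErrorException($message, 0, $severity, $file, $line);
}, E_NOTICE | E_WARNING);

echo "buggy check, strict handling: ";
try {
    var_dump(may_write_buggy());
} catch (ErrorException $e) {
    // Fail closed: treat the programming error as a refusal.
    echo "refused, ", $e->getMessage(), " at line ", $e->getLine(), "\n";
}
```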