On Thu, Jan 11, 2007 at 12:26:17PM -0500, Ilia Alshanetsky wrote:
>
> On 11-Jan-07, at 12:11 PM, Alain Williams wrote:
> > The discussion is how PHP can help them to discover problems in their
> > scripts. This is what led to Wietse Venema's suggestion about tainting
> > a few weeks ago. These may be things that members of this forum do not
> > feel that they need, but the ''quality'' of the majority of PHP
> > programmers is such that they would be of benefit.
> >
> > To an extent it is an accolade to PHP that novice/... programmers can
> > use it to create applications, it just puts a greater burden on us
> > to do what we can to protect them from their own problems.
>
> The tools already exist, look at E_NOTICE for example. A good number
> of PHP exploits are caused by register_globals + un-initialized vars.
> If the developers of those apps tried to run their code with that
> error reporting method enabled there would be far fewer security bugs
> all around.
E_NOTICE flags up attempts to use an uninitialised variable; it is not helpful if you assign to a typo. People do this, and it can be hard to find, especially if it is not in an often-used code path.

-- 
Alain Williams
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
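The two failure modes discussed in this exchange side by side, as an added example that is not part of the thread and not PHP project code: a variable that is read but never assigned (the register_globals-era hole, which E_NOTICE does report at runtime) and a variable that is assigned under a misspelled name and never read (which E_NOTICE cannot see, because nothing undefined is ever read). The constructed sample script, the variable names in it and the helper `find_suspect_variables()` are assumptions for illustration; the helper is a deliberately crude token-based check (no scope tracking, compound assignments such as `.=` are treated as reads) built on PHP's own `token_get_all()`, and it assumes PHP 7 or later for the `??` operator.

```php
<?php
// Added example: why E_NOTICE catches one class of variable bug but not the other,
// plus a crude static check that reports assignment-only variables (likely typos).

error_reporting(E_ALL); // E_ALL includes E_NOTICE

// Constructed sample code to analyse (not from any real project).
$sample = <<<'PHP'
<?php
$authorised = false;
if (isset($_SESSION['uid']) && $_SESSION['uid'] === 1) {
    $authorized = true;   // typo: written, never read; no notice is ever raised
}
if ($authorised) {        // always false because of the typo above
    echo "admin";
}
if ($admin) {             // never assigned: E_NOTICE "Undefined variable: admin"
    echo "register_globals-style hole";
}
PHP;

// Returns ['write_only' => [...], 'read_only' => [...]] for the given PHP source.
function find_suspect_variables(string $code): array
{
    $skip = ['$this', '$_GET', '$_POST', '$_SESSION', '$_SERVER', '$_COOKIE',
             '$_REQUEST', '$_FILES', '$_ENV', '$GLOBALS'];
    $tokens = token_get_all($code);
    $reads = [];
    $writes = [];
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_VARIABLE || in_array($t[1], $skip, true)) {
            continue;
        }
        $name = $t[1];
        // Find the next non-whitespace token; a bare '=' after the variable is a write.
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j < $n && $tokens[$j] === '=') {
            $writes[$name] = ($writes[$name] ?? 0) + 1;
        } else {
            $reads[$name] = ($reads[$name] ?? 0) + 1;
        }
    }
    // Written but never read: the typo case E_NOTICE misses.
    $writeOnly = array_values(array_diff(array_keys($writes), array_keys($reads)));
    // Read but never written: the uninitialised case E_NOTICE reports at runtime.
    $readOnly = array_values(array_diff(array_keys($reads), array_keys($writes)));
    sort($writeOnly);
    sort($readOnly);
    return ['write_only' => $writeOnly, 'read_only' => $readOnly];
}

$report = find_suspect_variables($sample);
// Expected: write_only => ['$authorized'], read_only => ['$admin']
print_r($report);
```

The `write_only` list is the interesting one for the point Alain makes: `$authorized` is assigned and never used, so no amount of runtime error reporting will mention it, while `$admin` in `read_only` is exactly what `E_NOTICE` would have flagged had the code path run. A check like this belongs in a pre-commit hook or CI step rather than in production, and its output needs human review because legitimate write-only variables (for example, values set only for `extract()` or `compact()`) will also appear.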