On Thu, 11 Jan 2007, Alain Williams wrote:

> On Thu, Jan 11, 2007 at 12:26:17PM -0500, Ilia Alshanetsky wrote:
> >
> > On 11-Jan-07, at 12:11 PM, Alain Williams wrote:
> >
> > > The discussion is how PHP can help them to discover problems in their
> > > scripts. This is what led to Wietse Venema's suggestion about tainting
> > > a few weeks ago. These may be things that members of this forum do not
> > > feel that they need, but the ''quality'' of the majority of PHP
> > > programmers is such that they would be of benefit.
> > >
> > > To an extent it is an accolade to PHP that novice/... programmers can
> > > use it to create applications, it just puts a greater burden on us
> > > to do what we can to protect them from their own problems.
> >
> > The tools already exist, look at E_NOTICE for example. A good number
> > of PHP exploits are caused by register_globals + un-initialized vars.
> > If the developers of those apps tried to run their code with that
> > error reporting method enabled there would be far fewer security bugs
> > all around.
>
> E_NOTICE flags up attempts to use an uninitialised variable, it is not
> helpful if you assign to a typo. This people do and can be hard to find,
> especially if it is not in an often used code path.
That is why there is a concept called "testing" [1] and code coverage [2].

[1] http://phpunit.de/
[2] http://sebastian-bergmann.de/archives/578-Code-Coverage-Reports-with-PHPUnit-3.html

regards,
Derick

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
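An added illustration of the three positions in this thread (not code posted by any of the participants): a branch-only initialisation that E_NOTICE does report, an assignment to a misspelled variable that it never reports, and a test with a known expected value that exposes the second bug anyway. Function and variable names are invented for the example.

```php
<?php
// Added example, not from the thread. E_ALL includes E_NOTICE, which is
// what case 1 relies on; without it the undefined read stays silent.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// Case 1 (Ilia's point): a variable assigned on only one branch. With
// register_globals=On an attacker-supplied ?authorized=1 would pre-seed
// it. E_NOTICE catches this because the variable is *read* while undefined.
function isAuthorized($user)
{
    if ($user === 'admin') {
        $authorized = true;
    }
    return $authorized;  // Notice (Warning in PHP 8): Undefined variable $authorized
}

// Case 2 (Alain's point): a typo on the *left* of an assignment. Nothing is
// ever read while undefined, so no notice fires. $failedLogin is a fresh
// variable nobody reads; $failedLogins stays 0, so a lockout based on it
// would never trigger.
function countFailedLogins(array $attempts)
{
    $failedLogins = 0;
    foreach ($attempts as $ok) {
        if (!$ok) {
            $failedLogin = $failedLogins + 1;  // typo: should be $failedLogins
        }
    }
    return $failedLogins;  // always 0, and the runtime says nothing
}

// Case 3 (Derick's point): a test with an expected value finds what the
// runtime cannot. A plain array of checks stands in for a PHPUnit test case;
// a coverage report would additionally show the typo line was executed.
function selfTest()
{
    return array(
        'authorized admin'   => isAuthorized('admin') === true,
        'failed-login count' => countFailedLogins(array(true, false, false)) === 2,
    );
}

foreach (selfTest() as $name => $passed) {
    echo $name, ': ', $passed ? 'pass' : 'FAIL', "\n";
}
// Output: the second check prints FAIL, which is the only signal the
// counter bug ever produces.
```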