+1. thanks.
On Sun, Dec 4, 2011 at 10:05 PM, Ferenc Kovacs <tyr...@gmail.com> wrote: > On Sat, Dec 3, 2011 at 5:08 PM, Alan Knowles <a...@akbkhome.com> wrote: > >> I've had a look at making string offsets of strings a bit saner. >> >> At present with the fix for array dereferencing : ?search=hello and a >> test like isset($_GET['search']['name']) results in true, which is has >> potential security problems and is very confusing for any programmer >> finding and working out why something like that may be failing. >> >> To solve this quite a few people agreed that not allowing non-numeric >> string offsets on strings would be the smart way to go, the change is going >> to break BC, so the idea is to at least not break it too badly... >> >> This patch is a start. >> https://bugs.php.net/patch-**display.php?bug_id=60362&** >> patch=first_effort_to_fix_**this&revision=latest<https://bugs.php.net/patch-display.php?bug_id=60362&patch=first_effort_to_fix_this&revision=latest> >> >> It's been quite a while since I hacked on the engine, so the patch only >> works reasonably well.. (see the FIXME on the tests at the bottom of the >> patch.) >> >> The patch changes the following: >> * $s = "string"; $s['offset'] -- produces a warning (and returns an >> empty string) >> * $s = "string"; $s['1'] -- works as before.. >> * $s = "string"; $s[true] $s[false] $s[0.1] -- give a notice (cast it to >> an int if you want to get rid of the notice) - however work as before. >> * changes the warning on invalid indexes to say "Uninitialized or >> invalid" rather than just "Uninitialized" >> * fixes most of the related tests >> > > I think that those changes are pretty much in line with the discussion that > we had. > Thanks for fixing this! > > > -- > Ferenc Kovács > @Tyr43l - http://tyrael.hu -- Laruence Xinchen Hui http://www.laruence.com/ -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
