Electronics & Programming

develissimo

Open Source electronics development and programming


#1 Nov. 1, 2005 13:44:25

Jakub V.

[PHP-DEV] E_NOTICE should warn of uninitialized arrays


Hello!

E_NOTICE warns of uninitialized variables but doesn't warn of adding
elements to an uninitialized array ($a[] = 5). It is a very similar
problem so E_NOTICE should warn of it too.

It's the same bad practice as working with uninitialized variables
with the same security risks and IMHO the programmer should be warned
of it.

There is a bug regarding this topic marked as bogus by Iliia:
http://bugs.php.net/bug.php?id=28151

Is current behavior really expected and wanted?

Jakub Vrana

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php


#2 Nov. 1, 2005 19:00:26

Sharif I.


On 11/1/05, Jakub Vrana wrote:
> Hello!
>
> E_NOTICE warns of uninitialized variables but doesn't warn of adding
> elements to an uninitialized array ($a[] = 5). It is a very similar
> problem so E_NOTICE should warn of it too.
>
> It's the same bad practice as working with uninitialized variables
> with the same security risks and IMHO the programmer should be warned
> of it.
>
> There is a bug regarding this topic marked as bogus by Iliia:
> http://bugs.php.net/bug.php?id=28151
>
> Is current behavior really expected and wanted?
>
> Jakub Vrana

This was brought up about 2 months ago with the additional point that
a notice here can alert one to possible script injections that can
occur when register_globals is on.

A simplistic example:
$auth['user'] = 'foo';
$auth['pass'] = 'bar';
if ($_REQUEST['user'] == $auth['user'] && $_REQUEST['pass'] == $auth['pass'])
{
    // Do something that requires authentication
}

Which is exploitable when register_globals is on by
script.php?auth=123&user=b&pass=b

(http://www.colder.ch/news/09-09-2005/4/another-example-showing-t.html)

Of course register_globals should be off, but many hosts still
stupidly turn it on by default. Most* other code that is susceptible
to register_globals vulnerabilities will generate an E_NOTICE which
helps guard against silly mistakes of forgetting to initialize global
variables, at least.

This particular issue was brought up a year or two back when Sara
submitted a patch to add the notice which was discussed and rejected,
though the interaction with register_globals wasn't mentioned.

While I'd personally like an E_NOTICE here, I'm an outsider without
any karma so am just presenting some of the background on the issue.

* Of course it's possible to get rid of the notice while retaining the
register_globals vulnerability by using isset($globalvar) ? $globalvar
: '' but there's an E_NOTICE in the normal cases.

- Sharif
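
The missing notice discussed in this thread can be approximated by scanning source code. The following is an added example, not code from the thread or from PHP itself: a heuristic that uses PHP's tokenizer to report variables whose first assignment in a file is an element write. The function name and the sample source are constructed for illustration; the scan ignores scopes, function parameters and other initializers such as foreach or list().

```php
<?php
// Added example (hypothetical helper): flag "$x[...] = ..." or "$x[] = ..."
// when no whole-variable assignment "$x = ..." appears earlier in the file.
function find_uninitialized_array_writes(string $source): array
{
    // Drop whitespace and comments so syntactic neighbours are adjacent.
    $tokens = array_values(array_filter(token_get_all($source), function ($t) {
        return !is_array($t)
            || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
    }));
    $initialized = [];  // variables assigned as a whole (or already reported)
    $findings = [];
    for ($i = 0, $n = count($tokens); $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_VARIABLE) continue;
        $name = $t[1];
        if (strncmp($name, '$_', 2) === 0) continue;   // skip $_REQUEST etc.
        $next = $tokens[$i + 1] ?? null;
        if ($next === '=') { $initialized[$name] = true; continue; }
        if ($next !== '[' || isset($initialized[$name])) continue;
        // Skip every balanced [...] group that follows the variable.
        $j = $i + 1;
        while (($tokens[$j] ?? null) === '[') {
            $depth = 0;
            do {
                $tok = $tokens[$j] ?? null;
                if ($tok === null) break 2;            // unbalanced input
                if ($tok === '[') $depth++;
                elseif ($tok === ']') $depth--;
                $j++;
            } while ($depth > 0);
        }
        if (($tokens[$j] ?? null) === '=') {           // element write found
            $findings[] = ['var' => $name, 'line' => $t[2]];
            $initialized[$name] = true;                // report each name once
        }
    }
    return $findings;
}

// Constructed sample: the pattern from the post, then an initialized array.
$sample = "<?php\n"
    . "\$auth['user'] = 'foo';\n"
    . "\$auth['pass'] = 'bar';\n"
    . "if (\$_REQUEST['user'] == \$auth['user']) { /* authenticated */ }\n"
    . "\$safe = array();\n"
    . "\$safe['user'] = 'foo';\n";
foreach (find_uninitialized_array_writes($sample) as $f) {
    echo "{$f['var']} written as array before initialization, line {$f['line']}\n";
}
```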
