$_GET["foo"] = 'include( "evil_file.php" )';
// Single quotes: no interpolation, so assert() evals the comparison exactly as written.
assert( '$_GET["foo"] == "fluffy bunny rabbit"' ); // This is fine
// Double quotes: $_GET['foo'] is interpolated first (braces needed for a quoted key), so assert() evals and runs the include.
assert( "{$_GET['foo']} == 'fluffy bunny rabbit'" ); // But this is not
Deliberately using a function which reduces the security of your application to relying on everyone choosing the correct type of quotes is definitely asking for trouble.
--HM
On 31 July 2013 13:19, Tyler Romeo tylerromeo@gmail.com wrote:
On Wed, Jul 31, 2013 at 7:42 AM, Tim Starling <tstarling@wikimedia.org> wrote:
Indeed. In C, assert() will abort the program if it is enabled, which is hard to miss. It is not comparable to the PHP assert() function.
...except PHP's assert() *also* aborts the program if enabled. What am I missing here?
The reasons I don't like assert() are:
- It doesn't throw an exception
- It acts like eval()
We could have a library of PHPUnit-style assertion functions which throw exceptions and don't act like eval(), I would be fine with that. Maybe MWAssert::greaterThan( $foo, $bar ) or something.
1. It's fairly trivial to use assert_options() to make assertions throw exceptions if you really wanted to while developing.
2. Except it's not. Again, you're welcome to give an example where code provided as a string in an assertion is not exactly the same as having the code hardcoded.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
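As an added example (not code from the thread or from MediaWiki), here is the exception-throwing, non-eval alternative Tim sketches, beside the assert_options() route Tyler mentions, run against the same request value HM uses above. The MWAssert class and AssertionFailure exception are hypothetical names, and the assert_options() calls use the PHP 5 API the thread was written against (PHP 7 adds ASSERT_EXCEPTION; PHP 8 no longer evaluates string arguments at all).

```php
<?php
// Added example, not MediaWiki code. Both routes below hand assert logic an
// already-evaluated value, so there is never a string for assert() to eval().
class AssertionFailure extends Exception {}

// Hypothetical helper in the spirit of Tim's MWAssert::greaterThan() suggestion.
class MWAssert {
    public static function greaterThan( $actual, $bound, $what = 'value' ) {
        if ( !( $actual > $bound ) ) {
            throw new AssertionFailure( "$what must be > " . var_export( $bound, true )
                . ', got ' . var_export( $actual, true ) );
        }
    }

    public static function equals( $actual, $expected, $what = 'value' ) {
        if ( $actual !== $expected ) {
            throw new AssertionFailure( "$what must equal " . var_export( $expected, true )
                . ', got ' . var_export( $actual, true ) );
        }
    }
}

// Tyler's route: keep assert(), but make failures throw instead of warning.
// This only helps if the argument is a boolean expression, never a string.
assert_options( ASSERT_ACTIVE, 1 );
assert_options( ASSERT_WARNING, 0 );
assert_options( ASSERT_CALLBACK, function ( $file, $line, $code ) {
    throw new AssertionFailure( "Assertion failed at $file:$line" );
} );

// Same attacker-controlled input as in HM's message (constructed sample).
$_GET['foo'] = 'include( "evil_file.php" )';

// Boolean argument: PHP evaluates the comparison before assert() sees it,
// so the contents of $_GET['foo'] are compared as data and never executed.
try {
    assert( $_GET['foo'] == 'fluffy bunny rabbit' );
} catch ( AssertionFailure $e ) {
    echo "caught: ", $e->getMessage(), "\n";
}

// Tim's route: a typed helper that takes values, not code, and throws.
try {
    MWAssert::equals( $_GET['foo'], 'fluffy bunny rabbit', '$_GET[foo]' );
} catch ( AssertionFailure $e ) {
    echo "caught: ", $e->getMessage(), "\n";
}
```

Both try blocks report a caught AssertionFailure; the file named in $_GET['foo'] is never included, because nothing in either path passes the request value to eval() or to a string-form assert().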