$_GET["foo"] = 'include( "evil_file.php" )';
assert( '$_GET["foo"] == "fluffy bunny rabbit"' ); // This is
assert( "{$_GET['foo']} == 'fluffy bunny rabbit'" ); // But this
Deliberately using a function which reduces the security of your
application to relying on everyone choosing the correct type of quotes is
definitely asking for trouble.
On 31 July 2013 13:19, Tyler Romeo <tylerromeo(a)gmail.com> wrote:
On Wed, Jul 31, 2013 at 7:42 AM, Tim Starling
Indeed. In C, assert() will abort the program if it is enabled, which
is hard to miss. It is not comparable to the PHP assert() function.
...except PHP's assert() *also* aborts the program if enabled. What am I
The reasons I don't like assert() are:
1. It doesn't throw an exception
2. It acts like eval()
We could have a library of PHPUnit-style assertion functions which
throw exceptions and don't act like eval(), I would be fine with that.
Maybe MWAssert::greaterThan( $foo, $bar ) or something.
1. It's fairly trivial to use assert_options() to make assertions throw
exceptions if you really wanted to while developing.
2. Except it's not. Again, you're welcome to give an example where code
provided as a string in an assertion is not exactly the same as having the
Stevens Institute of Technology, Class of 2016
Major in Computer Science
Wikitech-l mailing list
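
Added example, not part of the original thread or of MediaWiki's code: a sketch of the value-based, exception-throwing assertion helper suggested in the thread, next to the strings that the two quoting styles would hand to a string-evaluating assert(). The names ExampleAssert and AssertionFailure and the $input value are hypothetical, and no string is ever evaluated as code here.

```php
<?php
// Added example: ExampleAssert and AssertionFailure are hypothetical names,
// not MediaWiki classes. Assertions take values, never code strings.

class AssertionFailure extends LogicException {}

final class ExampleAssert {
    /** Strict comparison of two already-evaluated values; nothing is parsed as code. */
    public static function same( $expected, $actual, $what = 'value' ) {
        if ( $expected !== $actual ) {
            throw new AssertionFailure(
                "$what: expected " . var_export( $expected, true ) .
                ', got ' . var_export( $actual, true )
            );
        }
    }

    /** Passes only when $actual is greater than $limit. */
    public static function greaterThan( $limit, $actual, $what = 'value' ) {
        if ( !( $actual > $limit ) ) {
            throw new AssertionFailure(
                "$what: " . var_export( $actual, true ) .
                ' is not greater than ' . var_export( $limit, true )
            );
        }
    }
}

// Constructed input standing in for a request parameter.
$input = 'include( "evil_file.php" )';

// What each quoting style would pass to a string-evaluating assert():
// single quotes keep the variable name as literal text, so it is read at
// evaluation time; double quotes paste the input into the code first.
$single = '$input == "fluffy bunny rabbit"';
$double = "{$input} == 'fluffy bunny rabbit'";
echo $single, "\n", $double, "\n";

// The value-based check treats the same input purely as data and throws on mismatch.
try {
    ExampleAssert::same( 'fluffy bunny rabbit', $input, 'foo' );
} catch ( AssertionFailure $e ) {
    echo 'assertion failed: ', $e->getMessage(), "\n";
}
```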