$_GET["foo"] = 'include( "evil_file.php" )';
assert( '$_GET["foo"] == "fluffy bunny rabbit"' ); // This is fine
assert( "$_GET['foo'] == 'fluffy bunny rabbit'" ); // But this is not

Deliberately using a function which reduces the security of your application to relying on everyone choosing the correct type of quotes is definitely asking for trouble. 


On 31 July 2013 13:19, Tyler Romeo <tylerromeo@gmail.com> wrote:
On Wed, Jul 31, 2013 at 7:42 AM, Tim Starling <tstarling@wikimedia.org>wrote:

> Indeed. In C, assert() will abort the program if it is enabled, which
> is hard to miss. It is not comparable to the PHP assert() function.

...except PHP's assert() *also* aborts the program if enabled. What am I
missing here?

> The reasons I don't like assert() are:
> 1. It doesn't throw an exception
> 2. It acts like eval()
> We could have a library of PHPUnit-style assertion functions which
> throw exceptions and don't act like eval(), I would be fine with that.
> Maybe MWAssert::greaterThan( $foo, $bar ) or something.

1. It's fairly trivial to use assert_options() to make assertions throw
exceptions if you really wanted to while developing.
2. Except it's not. Again, you're welcome to give an example where code
provided as a string in an assertion is not exactly the same as having the
code hardcoded.

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com
Wikitech-l mailing list