$_GET["foo"] = 'include( "evil_file.php" )';
// Single quotes: no interpolation, so assert() eval()s the literal text
// $_GET["foo"] == "fluffy bunny rabbit" and the request value stays data.
assert( '$_GET["foo"] == "fluffy bunny rabbit"' ); // This is fine
// Double quotes: PHP interpolates the request value first, so assert() eval()s
// include( "evil_file.php" ) == 'fluffy bunny rabbit' and the file is loaded.
// (Braces added: a quoted array key inside a double-quoted string needs {$...},
// otherwise PHP refuses to parse it.)
assert( "{$_GET['foo']} == 'fluffy bunny rabbit'" ); // But this is not
Deliberately using a function which reduces the security of your
application to relying on everyone choosing the correct type of quotes is
definitely asking for trouble.
--HM
On 31 July 2013 13:19, Tyler Romeo <tylerromeo(a)gmail.com> wrote:
On Wed, Jul 31, 2013 at 7:42 AM, Tim Starling <tstarling(a)wikimedia.org> wrote:
Indeed. In C, assert() will abort the program if
it is enabled, which
is hard to miss. It is not comparable to the PHP assert() function.
...except PHP's assert() *also* aborts the program if enabled. What am I
missing here?
The reasons I don't like assert() are:
1. It doesn't throw an exception
2. It acts like eval()
We could have a library of PHPUnit-style assertion functions which
throw exceptions and don't act like eval(), I would be fine with that.
Maybe MWAssert::greaterThan( $foo, $bar ) or something.
1. It's fairly trivial to use assert_options() to make assertions throw
exceptions if you really wanted to while developing.
2. Except it's not. Again, you're welcome to give an example where code
provided as a string in an assertion is not exactly the same as having the
code hardcoded.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo(a)gmail.com
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
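The quote-dependent behaviour HM demonstrates above, together with the exception-throwing, non-eval assertion helpers Tim Starling proposes in the quoted part of the thread, as an added, runnable example. It is not code from the thread or from MediaWiki: the attacker value, the pwned() stand-in for include("evil_file.php"), and the SafeAssert class and its method names are all assumptions made for illustration. It needs PHP 5.4 to 7.4 run with assertions compiled in (php -d zend.assertions=1 on PHP 7): evaluating a string passed to assert() was deprecated in PHP 7.2 and removed in 8.0, so on PHP 8 the "unsafe" call below no longer executes the injected expression.

```php
<?php
// Added example (not code from the wikitech-l thread or from MediaWiki).
// Shows that a string given to assert() is eval()ed, so double quotes let
// request data become code, and what a value-based, throwing helper looks like.

// Constructed attacker input. In the thread this is include("evil_file.php");
// here it calls a stand-in function so the script is safe to run.
$_GET['foo'] = 'pwned()';
$attackerCodeRan = false;

function pwned() {
    global $attackerCodeRan;
    $attackerCodeRan = true;        // stands in for include("evil_file.php")
    return 'fluffy bunny rabbit';   // makes the injected comparison "pass"
}

// Make assertions active and quiet; failures go to a callback that throws,
// which is how PHP 5 code gets exceptions out of assert().
assert_options(ASSERT_ACTIVE, 1);
assert_options(ASSERT_WARNING, 0);
assert_options(ASSERT_CALLBACK, function ($file, $line, $code) {
    throw new Exception("Assertion failed at $file:$line: $code");
});

// 1. Single quotes: assert() eval()s the literal text
//       $_GET["foo"] == "fluffy bunny rabbit"
//    The request value is compared as data, the comparison is false,
//    and the callback throws. No attacker code runs.
try {
    assert('$_GET["foo"] == "fluffy bunny rabbit"');
} catch (Exception $e) {
    echo "single-quoted: assertion failed, attackerCodeRan=",
         var_export($attackerCodeRan, true), "\n";
}

// 2. Double quotes: PHP interpolates first, so assert() eval()s
//       pwned() == 'fluffy bunny rabbit'
//    The attacker's expression executes, returns the expected string,
//    and the assertion "passes". (Braces are required to put a quoted
//    array key inside a double-quoted string.)
assert("{$_GET['foo']} == 'fluffy bunny rabbit'");
echo "double-quoted: assertion passed, attackerCodeRan=",
     var_export($attackerCodeRan, true), "\n";

// 3. The alternative the thread asks for: helpers that take already
//    evaluated values, never a string of code, and throw on failure.
//    Class and method names are assumptions, not MediaWiki's MWAssert.
class SafeAssert {
    public static function equals($expected, $actual, $msg = '') {
        if ($expected !== $actual) {
            throw new UnexpectedValueException(
                ($msg ?: 'Assertion failed') . ': expected '
                . var_export($expected, true) . ', got ' . var_export($actual, true)
            );
        }
    }

    public static function greaterThan($value, $bound, $msg = '') {
        if (!($value > $bound)) {
            throw new UnexpectedValueException(
                ($msg ?: 'Assertion failed') . ": $value is not greater than $bound"
            );
        }
    }
}

$attackerCodeRan = false;
try {
    // $_GET['foo'] is passed as a value; whatever it contains is only a string.
    SafeAssert::equals('fluffy bunny rabbit', $_GET['foo']);
} catch (UnexpectedValueException $e) {
    echo "SafeAssert: ", $e->getMessage(),
         ", attackerCodeRan=", var_export($attackerCodeRan, true), "\n";
}
SafeAssert::greaterThan(3, 2);   // passes, and nothing is eval()ed
```

The first two calls differ only in quoting, yet the second one runs pwned() before the comparison is made; any place that builds the assertion string from a variable, not only from a superglobal, has the same property. The SafeAssert helpers never see source text, so the same request value is just a string to compare, which is the distinction the thread draws between assert() and a PHPUnit-style assertion library.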