On Tue, Jul 30, 2013 at 7:37 PM, Kevin Israel pleasestand@live.com wrote:
As in: that function is just as evil as eval(), and the innocent looking
assert( "$_GET[id] > 0" ); assert( $this->functionFromSuperclass() );
This is what I mean by misusing the assert function. Assert should always be called by passing a single-quoted string as an argument. If used correctly, it is no more a security vulnerability than if you were to put the same code into an if statement.
Also, like I said, assertions are for statements that are always true, so checking user input with assertions is incorrect.
Interesting concept. I think in C, they are most often used for
validating function input, so obviously they can be hit. The Wikipedia articles [[Assertion (software development)]] and [[Precondition]] both mention this usage.
Using assertions to validate function input is indeed a valid usage, but it should be done in ways where they won't be hit. In other words, they should not be used for data validation; they should be used in cases where *the program expects the data to already be valid*.
*-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerromeo@gmail.com