On Tue, Jul 30, 2013 at 7:37 PM, Kevin Israel <pleasestand(a)live.com> wrote:
As in: that function is just as evil as eval(), and the innocent looking
assert( "$_GET[id] > 0" );
assert( $this->functionFromSuperclass() );
This is what I mean by misusing the assert function. Assert should always
be called by passing a single-quoted string as an argument. If used
correctly, it is no more a security vulnerability than if you were to put
the same code into an if statement.
Also, like I said, assertions are for statements that are always true, so
checking user input with assertions is incorrect.
Interesting concept. I think in C, they are most often used for
validating function input, so obviously they can be
hit. The Wikipedia
articles [[Assertion (software development)]] and [[Precondition]]
both mention this usage.
Using assertions to validate function input is indeed a valid usage, but it
should be done in ways where they won't be hit. In other words, they should
not be used for data validation; they should be used in cases where *the
program expects the data to already be valid*.
*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo(a)gmail.com