On 07/30/2013 06:28 PM, Tim Starling wrote:
> On 31/07/13 07:28, Max Semenik wrote:
>> I remember we discussed using asserts and decided they're a bad
>> idea for WMF-deployed code - yet I see
>>
>> Warning: assert() [<a href='function.assert'>function.assert</a>]:
>> Assertion failed in
>> /usr/local/apache/common-local/php-1.22wmf12/extensions/WikibaseDataModel/DataModel/Claim/Claims.php
>> on line 291
>
> The original discussion is here:
>
> <http://thread.gmane.org/gmane.science.linguistics.wikipedia.technical/59620>
>
> Judge for yourself.

I'll further elaborate on the "[...] you have to put the source code
inside a string [...]" part. From the [documentation][1]:

> If the assertion is given as a string it will be evaluated as PHP
> code by assert().

As in: that function is just as evil as eval(), and the innocent looking

    assert( "$_GET[id] > 0" );

can actually be a security vulnerability, depending on server
configuration (yes, servers can be and are misconfigured). And when
assert() is used like this (yes, there actually is one of these in
WikibaseDataModel):

    assert( $this->functionFromSuperclass() );

it might be necessary to check multiple files to verify that a string
is not passed to assert().

Perhaps it might make sense to do

    assert( (bool)( ... ) );

though, as pointed out previously, this really is no better than, say:

    if ( !( ... ) ) {
        throw new MWException( '...' );
    }

[1]: http://php.net/manual/en/function.assert.php

--
Kevin Israel - MediaWiki developer, Wikipedia editor
http://en.wikipedia.org/wiki/User:PleaseStand
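
An added example, not part of the original message or of MediaWiki's code: a heuristic scan built on PHP's token_get_all() that sorts each assert() call by how its first argument is written, separating the string form, the (bool)( ... ) form, and the calls that have to be checked in other files. The names auditAsserts and tokName and the sample source are made up for illustration, and string evaluation by assert() is assumed to apply only to PHP versions before 8.0.

```php
<?php
// Added example, not code from the thread: heuristic token scan, not a type checker.
function tokName( $t ): string {
    return is_array( $t ) ? token_name( $t[0] ) : $t;
}
function auditAsserts( string $source ): array {
    $toks = array_values( array_filter( token_get_all( $source ), function ( $t ) {
        return !in_array( tokName( $t ), [ 'T_WHITESPACE', 'T_COMMENT', 'T_DOC_COMMENT' ], true );
    } ) );
    $notCall = [ 'T_OBJECT_OPERATOR', 'T_NULLSAFE_OBJECT_OPERATOR', 'T_DOUBLE_COLON', 'T_FUNCTION' ];
    $findings = [];
    foreach ( $toks as $i => $t ) {
        $isName = in_array( tokName( $t ), [ 'T_STRING', 'T_NAME_FULLY_QUALIFIED' ], true );
        if ( !$isName || strcasecmp( ltrim( $t[1], '\\' ), 'assert' ) !== 0 || ( $toks[$i + 1] ?? '' ) !== '('
            || in_array( $i > 0 ? tokName( $toks[$i - 1] ) : '', $notCall, true ) ) {
            continue; // a method, a declaration, or some other name: not the global assert()
        }
        // Collect the first argument: everything up to the matching ')' or a top-level ','.
        $arg = [];
        $depth = 0;
        $wrapped = true; // stays true only while nothing follows the first closed group
        for ( $j = $i + 2; isset( $toks[$j] ); $j++ ) {
            $n = tokName( $toks[$j] );
            if ( $depth === 0 && ( $n === ')' || $n === ',' ) ) {
                break;
            }
            $wrapped = $wrapped && !( $depth === 0 && count( $arg ) >= 2 );
            $depth += in_array( $n, [ '(', '[' ], true ) ? 1 : ( in_array( $n, [ ')', ']' ], true ) ? -1 : 0 );
            $arg[] = $n;
        }
        $quotes = count( array_keys( $arg, '"', true ) );
        $kind = 'review: type depends on the expression';
        if ( $arg === [ 'T_CONSTANT_ENCAPSED_STRING' ] || ( $quotes === 2 && $arg[0] === '"' && end( $arg ) === '"' ) ) {
            $kind = 'string: evaluated as PHP code';
        } elseif ( count( $arg ) > 2 && $arg[0] === 'T_BOOL_CAST' && $arg[1] === '(' && $wrapped ) {
            $kind = 'bool cast: cannot be a string';
        }
        $findings[] = "line {$t[2]}: $kind";
    }
    return $findings;
}
// Constructed sample holding the three call forms quoted in the message above.
$sample = <<<'PHP'
<?php
assert( "$_GET[id] > 0" );
assert( $this->functionFromSuperclass() );
assert( (bool)( $n > 0 ) );
PHP;
echo implode( "\n", auditAsserts( $sample ) ), "\n";
```

Calls reported as "review" are the ones where the return type of the called function has to be checked by hand, which is the multi-file verification the message describes.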