From: addw@phcomp.co.uk (Alain Williams)
To: Rasmus Lerdorf, internals@lists.php.net
Date: Thu, 11 Jan 2007 16:13:20 +0000
Subject: Re: [PHP-DEV] Comments on PHP security

On Thu, Jan 11, 2007 at 08:06:16AM -0800, Rasmus Lerdorf wrote:
> Alain Williams wrote:
> > On Thu, Jan 11, 2007 at 07:43:21AM -0800, Rasmus Lerdorf wrote:
> >> Alain Williams wrote:
> >>> This has just appeared:
> >>>
> >>> http://www.theregister.co.uk/2007/01/11/php_apps_security/
> >> There are some concrete suggestions in the article that we addressed a
> >> while ago. Things like:
> >> ...
> >
> > One of the biggest things that I would like is to be able to insist that
> > variables are declared, as in perl 'use strict'. I did raise a bug for
> > it, but this seems to have been lost:
> >
> > http://bugs.php.net/bug.php?id=39091
>
> Catching typos on variable assignment doesn't really do much for
> security as far as I am concerned.

It causes program correctness problems, which can impact on security.

One problem that I persistently have is forgetting to declare a variable 'global' in a function ... you only find out that something is wrong when the program misbehaves. Forcing variable declaration would help here.

I write PHP scripts; I also occasionally teach PHP classes, so I get to see the problems that PHP newbies have. I also write & teach perl and appreciate what 'use strict' does.

Would it really be that hard to add? Ideally on a file by file basis so as to not break included stuff that isn't your own.

-- 
Alain Williams
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include
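The forgotten-'global' failure described in the message above, as an added PHP example that is not part of the thread. The function and variable names are invented; the error-handler approach shown is the closest thing PHP itself offers to Perl's 'use strict' for undeclared variables, not a feature proposed in the thread.

```php
<?php
// Added example (not from the thread): a function that forgets 'global'
// silently works on a fresh local variable instead of the script-level one.
declare(strict_types=1);

$requests_seen = 0;   // script-level state a function is meant to update

function count_request_buggy(): void
{
    // Missing "global $requests_seen;". Reading $requests_seen here reads an
    // undefined local, so the script-level counter is never changed and, with
    // default settings, the run continues as if nothing were wrong.
    $requests_seen = $requests_seen + 1;
}

function count_request_fixed(): void
{
    global $requests_seen;   // the declaration the buggy version lacks
    $requests_seen++;
}

// Make PHP's "Undefined variable" diagnostic (E_NOTICE before PHP 8,
// E_WARNING from PHP 8) fatal by converting every reported error into an
// exception. This is the nearest built-in substitute for 'use strict'.
error_reporting(E_ALL);
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

try {
    count_request_buggy();
    echo "buggy version ran without complaint, counter = $requests_seen\n";
} catch (ErrorException $e) {
    // With the handler installed, the missing 'global' is caught at the
    // first read of the undefined variable instead of surfacing later as
    // a counter that never increments.
    echo "caught in buggy version: " . $e->getMessage() . "\n";
}

count_request_fixed();
echo "fixed version, counter = $requests_seen\n";
```

Run it once with the `error_reporting` and `set_error_handler` lines commented out to see the silent misbehaviour the message describes, then again with them in place to see the same defect reported at the point where it occurs.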