Newsgroups: php.internals
Xref: news.php.net php.internals:27373
Date: Thu, 11 Jan 2007 17:29:42 +0000
From: addw@phcomp.co.uk (Alain Williams)
To: Ilia Alshanetsky
Cc: Alain Williams, internals@lists.php.net
Subject: Re: [PHP-DEV] Comments on PHP security
Message-ID: <20070111172942.GI15998@mint.phcomp.co.uk>
References: <20070111144144.GV15998@mint.phcomp.co.uk> <80C94C6E-4646-459E-B695-B072F14378F0@prohost.org> <20070111171152.GH15998@mint.phcomp.co.uk>
Organization: Parliament Hill Computers Ltd
User-Agent: Mutt/1.4.1i

On Thu, Jan 11, 2007 at 12:26:17PM -0500, Ilia Alshanetsky wrote:
>
> On 11-Jan-07, at 12:11 PM, Alain Williams wrote:
> > The discussion is how PHP can help them to discover problems in their
> > scripts. This is what led to Wietse Venema's suggestion about tainting
> > a few weeks ago. These may be things that members of this forum do not
> > feel that they need, but the ''quality'' of the majority of PHP
> > programmers is such that they would be of benefit.
> >
> > To an extent it is an accolade to PHP that novice/... programmers can
> > use it to create applications, it just puts a greater burden on us to do
> > what we can to protect them from their own problems.
>
> The tools already exist, look at E_NOTICE for example. A good number
> of PHP exploits are caused by register_globals + un-initialized vars.
> If the developers of those apps tried to run their code with that
> error reporting method enabled there would be far fewer security bugs
> all around.

E_NOTICE flags up attempts to use an uninitialised variable; it is not
helpful if you assign to a typo. This people do, and it can be hard to
find, especially if it is not in an often-used code path.

-- 
Alain Williams
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include
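An added example, not code from the thread or from PHP itself, to make the two points above concrete. It shows the register_globals plus uninitialised-variable pattern Ilia refers to (which E_NOTICE does flag when the variable is read), the assign-to-a-typo case Alain describes (which it cannot flag, since the misspelt variable is only ever written), and a small token_get_all() lint that finds variables named exactly once in a file, which is the usual signature of such a typo. Function and variable names (check_access_register_globals, $authorised, the password string) are hypothetical; register_globals itself was removed in PHP 5.4, so extract() over a constructed request stands in for it.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical names, constructed inputs), not from the original thread.
error_reporting(E_ALL);

// Record diagnostics instead of printing them so they can be inspected afterwards.
// Reading an undefined variable is E_NOTICE up to PHP 7.x and E_WARNING from PHP 8.0.
$diagnostics = [];
set_error_handler(function (int $errno, string $errstr, string $file, int $line) use (&$diagnostics): bool {
    $diagnostics[] = sprintf('errno=%d %s (%s:%d)', $errno, $errstr, basename($file), $line);
    return true;
});

// (1) register_globals (gone since PHP 5.4) turned every request parameter into a
// global variable; extract() over a constructed request reproduces that here.
function check_access_register_globals(array $request): bool
{
    extract($request);                          // e.g. ?authorized=1 defines the flag for us
    if (isset($password) && $password === 'correct horse') {
        $authorized = true;
    }
    // Read of a variable that is undefined unless set above or injected by extract():
    // a forged request passes the check; an honest one raises the notice/warning.
    return (bool) $authorized;
}

// (2) The case Alain describes: the typo is on the left of an assignment, so PHP
// silently creates a new variable and the flag that is actually returned stays false.
// No notice is raised, because every variable that is read was initialised.
function check_access_typo(string $password): bool
{
    $authorized = false;
    if ($password === 'correct horse') {
        $authorised = true;                     // typo (British spelling): written, never read
    }
    return $authorized;
}

// (3) A crude lint for case (2): tokenise a file and report variable names that occur
// exactly once. Superglobals and $this are skipped. Unused parameters show up too,
// so treat the output as a list to review, not as proof of a bug.
function singleton_variables(string $source): array
{
    $counts = [];
    foreach (token_get_all($source) as $token) {
        if (is_array($token) && $token[0] === T_VARIABLE) {
            $counts[$token[1]] = ($counts[$token[1]] ?? 0) + 1;
        }
    }
    unset($counts['$this'], $counts['$_GET'], $counts['$_POST'], $counts['$GLOBALS']);
    return array_keys(array_filter($counts, fn(int $n): bool => $n === 1));
}

// Constructed inputs: a forged request that pre-sets the flag, a wrong password,
// and the correct password fed to the typo'd function.
var_dump(check_access_register_globals(['authorized' => '1']));   // bool(true): forged, no diagnostic
var_dump(check_access_register_globals(['password' => 'wrong']));  // bool(false), one diagnostic recorded
var_dump(check_access_typo('correct horse'));                       // bool(false): silently wrong, no diagnostic
print_r($diagnostics);                                              // the single undefined-variable read from above
print_r(singleton_variables(file_get_contents(__FILE__)));          // Array ( [0] => $authorised )
```

Run it with `php` 7.4 or later (arrow functions are used). The first two calls show why Ilia's advice works: with error reporting on, the honest request makes the undefined read visible, even though the forged request still sails through. The third call shows Alain's objection: the typo path produces no diagnostic at all at run time, and only the token count over the source points at `$authorised`; a check like that, or a proper static analyser, has to run over every file, not just the code paths a test happens to exercise.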