Newsgroups: php.internals
Date: Thu, 11 Jan 2007 18:44:35 +0100 (CET)
From: derick@php.net (Derick Rethans)
To: Alain Williams
Cc: Ilia Alshanetsky, PHP Developers Mailing List
Subject: Re: [PHP-DEV] Comments on PHP security
In-Reply-To: <20070111172942.GI15998@mint.phcomp.co.uk>
References: <20070111144144.GV15998@mint.phcomp.co.uk> <80C94C6E-4646-459E-B695-B072F14378F0@prohost.org> <20070111171152.GH15998@mint.phcomp.co.uk> <20070111172942.GI15998@mint.phcomp.co.uk>

On Thu, 11 Jan 2007, Alain Williams wrote:

> On Thu, Jan 11, 2007 at 12:26:17PM -0500, Ilia Alshanetsky wrote:
> >
> > On 11-Jan-07, at 12:11 PM, Alain Williams wrote:
> > > The discussion is how PHP can help them to discover problems in their
> > > scripts. This is what led to Wietse Venema's suggestion about tainting
> > > a few weeks ago. These may be things that members of this forum do not
> > > feel that they need, but the ''quality'' of the majority of PHP
> > > programmers is such that they would be of benefit.
> > >
> > > To an extent it is an accolade to PHP that novice/... programmers can
> > > use it to create applications; it just puts a greater burden on us
> > > to do what we can to protect them from their own problems.
> >
> > The tools already exist, look at E_NOTICE for example. A good number
> > of PHP exploits are caused by register_globals + un-initialized vars.
> > If the developers of those apps tried to run their code with that
> > error reporting method enabled there would be far fewer security bugs
> > all around.
>
> E_NOTICE flags up attempts to use an uninitialised variable; it is not
> helpful if you assign to a typo. People do this, and it can be hard to find,
> especially if it is not in an often used code path.

That is why there is a concept called "testing" [1] and code coverage [2].

[1] http://phpunit.de/
[2] http://sebastian-bergmann.de/archives/578-Code-Coverage-Reports-with-PHPUnit-3.html

regards,
Derick
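The two failure modes argued over in this exchange, as an added illustration that is not part of the thread and not PHP's own code: an uninitialised flag that register_globals let a request pre-set (a read of it on the honest path does trigger the notice Ilia refers to), next to an assignment to a misspelled variable (which, as Alain says, E_NOTICE never sees and only a test exercising that branch catches). register_globals was removed in PHP 5.4, so extract() stands in for it here; the function names, the credentials and the request arrays are all constructed for the example.

```php
<?php
// Added example; not code from the original thread or from PHP itself.
// Case 1: an uninitialised variable that register_globals let an attacker
//         pre-set. E_NOTICE/E_WARNING flags the read on a failed login.
// Case 2: an assignment to a misspelled variable. No notice is raised;
//         a unit test (and a coverage report) is what finds it.
// register_globals is gone since PHP 5.4, so extract() simulates it here.

declare(strict_types=1);

error_reporting(E_ALL);          // what the thread recommends: notices included

// Collect notices/warnings instead of printing them, so we can inspect them.
$reported = [];
set_error_handler(function (int $errno, string $errstr) use (&$reported): bool {
    $reported[] = $errstr;
    return true;
});

// --- Case 1: uninitialised variable + register_globals -----------------------
// $authorized is only assigned on success and never initialised to false.
// With register_globals on, "?authorized=1" in the request creates it first.
function check_login_vulnerable(array $request): bool
{
    extract($request);           // simulates register_globals (assumption)
    if (($user ?? null) === 'admin' && ($pass ?? null) === 's3cret') {
        $authorized = true;
    }
    // On a legitimate failed login this read of an undefined variable raises
    // E_NOTICE (PHP 7) / E_WARNING (PHP 8): the hint that something is wrong.
    return (bool) $authorized;
}

// Hardened: initialise every flag, and never let request input become locals.
function check_login_fixed(array $request): bool
{
    $authorized = false;
    $user = $request['user'] ?? '';
    $pass = $request['pass'] ?? '';
    if ($user === 'admin' && $pass === 's3cret') {
        $authorized = true;
    }
    return $authorized;
}

// --- Case 2: typo in an assignment ------------------------------------------
// The misspelled $rtae silently creates a new variable; nothing is undefined,
// so E_NOTICE stays quiet and the bulk discount is never applied.
function discount_rate_buggy(int $quantity): float
{
    $rate = 0.0;
    if ($quantity >= 100) {
        $rtae = 0.15;            // typo: new variable, no notice
    }
    return $rate;
}

// A test that exercises the >= 100 branch is what finds the typo. In PHPUnit
// that is $this->assertSame(0.15, discount_rate_buggy(100)); a plain check is
// used here so the file runs without PHPUnit installed. A coverage report
// would show the branch as never executed if no test supplied quantity >= 100.
function run_checks(): array
{
    global $reported;
    $results = [];

    // Attacker pre-sets the flag: vulnerable code grants access, fixed code doesn't.
    $forged = ['authorized' => '1'];        // constructed request
    $results['vulnerable_bypassed'] = check_login_vulnerable($forged) === true;
    $results['fixed_rejects']       = check_login_fixed($forged) === false;

    // Honest failed login: the undefined-variable read is reported.
    $reported = [];
    check_login_vulnerable(['user' => 'guest', 'pass' => 'x']);
    $results['notice_raised'] = count($reported) === 1
        && strpos($reported[0], 'authorized') !== false;

    // Typo case: no notice, wrong value; only the assertion catches it.
    $reported = [];
    $rate = discount_rate_buggy(100);
    $results['typo_silent']  = count($reported) === 0;
    $results['test_catches'] = $rate !== 0.15;   // the test would fail here

    return $results;
}

foreach (run_checks() as $name => $ok) {
    printf("%-20s %s\n", $name, $ok ? 'yes' : 'no');
}
```

Run it with `php example.php`: all five lines print "yes". The point of the pairing is that error_reporting(E_ALL) is a cheap first line of defence for the register_globals class of bug, but it says nothing about a typo on the left-hand side of an assignment; only a test that reaches that branch (which a coverage report will show you have or have not written) turns that silent wrong value into a failure.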