Hello!
E_NOTICE warns of uninitialized variables but doesn't warn of adding
elements to an uninitialized array ($a[] = 5). It is a very similar
problem so E_NOTICE should warn of it too.
It's the same bad practice as working with uninitialized variables
with the same security risks and IMHO the programmer should be warned
of it.
There is a bug regarding this topic marked as bogus by Iliia:
http://bugs.php.net/bug.php?id=28151
Is current behavior really expected and wanted?
Jakub Vrana
--
This was brought up about 2 months ago with the additional point that
a notice here can alert one to possible script injections that can
occur when register_globals is on.
A simplistic example:
<?php
// $auth is never initialized before use; with register_globals on, the
// request can have created $auth before these two lines run.
$auth['user'] = 'foo';
$auth['pass'] = 'bar';
if ($_REQUEST['user'] == $auth['user'] && $_REQUEST['pass'] == $auth['pass'])
{
    // Do something that requires authentication
}
Which is exploitable when register_globals is on by
script.php?auth=123&user=b&pass=b
(http://www.colder.ch/news/09-09-2005/4/another-example-showing-t.html)
Of course register_globals should be off, but many hosts still
stupidly turn it on by default. Most* other code that is susceptible
to register_globals vulnerabilities will generate an E_NOTICE which
helps guard against silly mistakes of forgetting to initialize global
variables, at least.
This particular issue was brought up a year or two back when Sara
submitted a patch to add the notice which was discussed and rejected,
though the interaction with register_globals wasn't mentioned.
While I'd personally like an E_NOTICE here, I'm an outsider without
any karma so am just presenting some of the background on the issue.
* Of course it's possible to get rid of the notice while retaining the
register_globals vulnerability by using isset($globalvar) ? $globalvar
: '' but there's an E_NOTICE in the normal cases.
- Sharif
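Since PHP itself emits no notice for a write into an uninitialized array, the check the thread asks for can be approximated outside the engine. The following Python script is an added example, not code from the thread or from PHP: a small line-based lint that reports `$a[] = ...` or `$a['k'] = ...` when `$a` was not assigned, declared or bound (plain assignment, function parameter, `foreach`, `global`/`static`, `list()`) earlier in the same scope, and treats superglobals as always initialized. The three PHP snippets it is run over are constructed for the demo; the first is Sharif's example above, the second is the same code with the one-line fix of initializing `$auth` first.

```python
"""Emulate the notice the thread proposes: report a write into an array slot
($a[] = ..., $a['k'] = ...) when $a is not initialised in the current scope.
Constructed example lint; real PHP does not emit this notice."""
import re

SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_COOKIE", "_FILES",
                "_ENV", "_REQUEST", "_SESSION", "this"}

# $name, optional [subscript] (one nesting level), optional compound
# operator, then a single '=' that is not the start of '==' or '=>'.
WRITE_RE = re.compile(
    r"\$([A-Za-z_]\w*)\s*(\[(?:[^\[\]]|\[[^\[\]]*\])*\])?\s*[.+\-*/%]?=(?![=>])")
FUNC_RE = re.compile(r"\bfunction\s+\w*\s*\(([^)]*)\)")
FOREACH_RE = re.compile(r"\bforeach\s*\(.*\bas\s+(?:\$(\w+)\s*=>\s*)?&?\$(\w+)")
DECL_RE = re.compile(r"\b(?:global|static|list)\b([^;=]*)")
VAR_RE = re.compile(r"\$(\w+)")


def lint(php_source):
    """Return [(line_number, variable_name)] for each uninitialised array write."""
    findings = []
    initialised = set(SUPERGLOBALS)
    for lineno, raw in enumerate(php_source.splitlines(), 1):
        # Drop line comments (naive: would also cut a '//' inside a string).
        line = re.sub(r"(//|#).*", "", raw)
        m = FUNC_RE.search(line)
        if m:  # a new function starts a fresh scope seeded with its parameters
            initialised = set(SUPERGLOBALS) | set(VAR_RE.findall(m.group(1)))
        m = FOREACH_RE.search(line)
        if m:  # foreach ($x as $k => $v) binds $k and $v
            initialised.update(g for g in m.groups() if g)
        for m in DECL_RE.finditer(line):  # global $x; static $y; list($a, $b) = ...
            initialised.update(VAR_RE.findall(m.group(1)))
        for m in WRITE_RE.finditer(line):
            name, subscript = m.group(1), m.group(2)
            if subscript is None:
                initialised.add(name)  # plain "$x = ..." initialises $x
            elif name not in initialised:
                findings.append((lineno, name))  # the notice the thread wants
                initialised.add(name)  # report each variable once per scope
    return findings


# Constructed inputs. VULNERABLE is the snippet from the thread; with
# register_globals on, $auth can already exist when line 1 runs.
VULNERABLE = """$auth['user'] = 'foo';
$auth['pass'] = 'bar';
if ($_REQUEST['user'] == $auth['user'] && $_REQUEST['pass'] == $auth['pass'])
{
    // Do something that requires authentication
}
"""

# The fix: initialise the array before populating it. Whatever the
# request injected into $auth is discarded, and the lint stays quiet.
HARDENED = "$auth = array();\n" + VULNERABLE

# Assorted cases: parameters, foreach bindings and superglobals are fine;
# $seen and $a are written without ever being initialised.
OTHER = """function handler($rows, $opts) {
    $opts['debug'] = true;        // parameter: fine
    foreach ($rows as $k => $v) {
        $seen[$k] = $v;           // $seen never initialised
        $v[] = 1;                 // foreach variable: fine
    }
    $a[] = 5;                     // the thread's own example
    $_SESSION['x'] = 1;           // superglobal: fine
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED),
                       ("other", OTHER)):
        for lineno, name in lint(src):
            print(f"{label}:{lineno}: Notice: array write to uninitialised ${name}")
```

Running the script reports `$auth` on line 1 of the vulnerable snippet, nothing for the hardened copy, and `$seen` and `$a` in the third sample. The lint is deliberately per-line and regex based; a real implementation would work on PHP tokens, but the rule it encodes is the one argued for above: the first array write to a variable that was never assigned is exactly the spot where register_globals can have supplied the value.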