[RndTbl] PHP undefined vars / array indices

Trevor Cordes trevor at tecnopolis.ca
Wed Jan 19 04:29:05 CST 2022


On 2022-01-13 John Lange wrote:
> As a former professional PHP programmer and current hobbyist
> programmer (not in PHP though), I agree with Trevor. (disclaimer: I
> did not go back and re-read all the PHP threads on this topic).

Thanks John!  I also agree with everything you said.  (Sorry for the
delayed response!)

> function Foo() {
>  while ( $i < 5 )          // $i is never initialised: PHP treats it as null
>   if (!$i++) {}
>   // ... (a whole bunch more lines of code go here) ..
> 
>  while ( $i < 5 ) // inadvertently using the same variable because $i
>                   // is your favorite 'counter' and you forgot you already used it
>   if (!$i++) {  } // This line never runs: $i is already 5 from the first loop
> }

Good example, but the funny part is, even this bug would not be
addressed by the new PHP initialization rules!  The PHP change requires
only this:

function Foo() {
 $i=0; # <<<<<<<<<<<<<<<<<---------------------  the only line the new rules require
 while ( $i < 5 )
  if (!$i++) {}
  // ... (a whole bunch more lines of code go here) ..

 while ( $i < 5 ) // inadvertently using the same variable because $i
                  // is your favorite 'counter'; still 5 here, so the loop is dead
  if (!$i++) {  } // This line never runs
}

Which doesn't help this bug at all.  Of course, no language can ever
tell you that you probably meant to add a second $i=0, thus proving my
point that you can only hand-hold so much.  The programmer has to be
expected to be at a certain level of competency.

My other main point, which I made earlier, as it applies to your example,
is that I can't envision a way that such a bug could be a security hole:
not without coming up with a ridiculously contrived example.  That's why
when the VOTE YES side says "robustness" & "safety", I'm dubious.

> But nevertheless the point is I agree that PHP should not have
> broken backward compatibility. By doing so it will force many sites
> to remain on PHP 7.x thereby opening up the very real possibility
> that a 7.x security vulnerability will get exploited and cause
> mass grief (log4j anyone?).

That's a great point.  I've already talked with some people who said
their solution would probably be to stick with 7 as long as possible,
even past the EOL date.
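The two versions of Foo above, made runnable side by side, as an added example that is not part of the thread and not code from either poster. It captures PHP's diagnostics with a custom error handler and counts how often each loop body executes, so the point under discussion can be checked directly: adding `$i=0` removes the "Undefined variable" warning PHP raises for the first version, but both functions return the same counts, because the second loop is dead in both. The function names, the counters and the error-handler wrapper are assumptions of this example.

```php
<?php
// Added example (not from the mailing-list thread). Shows that initialising
// $i silences PHP's undefined-variable diagnostic but leaves the
// counter-reuse bug untouched: the second loop never runs in either version.
declare(strict_types=1);

// Collect every warning/notice PHP raises instead of printing it. The closure
// captures $diagnostics by reference, so resetting the array below works.
$diagnostics = [];
set_error_handler(function (int $errno, string $errstr) use (&$diagnostics): bool {
    $diagnostics[] = $errstr;
    return true; // handled; suppress PHP's default output for this diagnostic
});

// John's original shape: $i is never initialised. Returns [first, second],
// the number of times each loop body executed.
function fooUninitialised(): array
{
    $first = 0;
    $second = 0;
    while ($i < 5)             // $i is undefined here; PHP reads it as null and warns
        if (!$i++) { $first++; }   // null++ becomes 1, so this body runs exactly once
    // ... a whole bunch more lines of code go here ...
    while ($i < 5)             // $i is already 5, so this body never runs
        if (!$i++) { $second++; }
    return [$first, $second];
}

// The same code after the one-line change the new initialisation rule asks for.
function fooInitialised(): array
{
    $first = 0;
    $second = 0;
    $i = 0;                    // the only line the initialisation rule demands
    while ($i < 5)
        if (!$i++) { $first++; }
    // ... a whole bunch more lines of code go here ...
    while ($i < 5)             // still dead: the real fix is a second $i = 0 here
        if (!$i++) { $second++; }
    return [$first, $second];
}

foreach (['fooUninitialised', 'fooInitialised'] as $fn) {
    $diagnostics = [];
    [$first, $second] = $fn();
    printf("%-16s first loop body ran %d time(s), second loop body ran %d time(s); diagnostics: %s\n",
        $fn, $first, $second, $diagnostics ? implode('; ', $diagnostics) : 'none');
}
```

Run it with `php example.php` under PHP 7 or 8. Both functions return [1, 0]; only fooUninitialised produces diagnostics (a Notice on 7.x, a Warning on 8.x), which is exactly the gap between what the initialisation rule detects and what the logic bug actually is.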


More information about the Roundtable mailing list