[RndTbl] PHP undefined vars / array indices
Trevor Cordes
trevor at tecnopolis.ca
Wed Jan 19 04:29:05 CST 2022
On 2022-01-13 John Lange wrote:
> As a former professional PHP programmer and current hobbyist
> programmer (not in PHP though), I agree with Trevor. (disclaimer: I
> did not go back and re-read all the PHP threads on this topic).
Thanks John! I also agree with everything you said. (Sorry for the
delayed response!)
> function Foo() {
>     while ( $i < 5 )
>         if (!$i++) {}
>     // ... (a whole bunch more lines of code go here) ..
>
>     while ( $i < 5 ) // inadvertently using the same variable because $i
>                      // is your favorite 'counter' and you forgot you already used it
>         if (!$i++) { } // This line never runs
> }
Good example, but the funny part is, even this bug would not be
addressed by the new PHP initialization rules! The PHP change requires
only this:
function Foo() {
    $i=0; # <<<<<<<<<<<<<<<<<---------------------
    while ( $i < 5 )
        if (!$i++) {}
    // ... (a whole bunch more lines of code go here) ..
    while ( $i < 5 ) // inadvertently using the same variable because $i
        if (!$i++) { } // This line never runs
}
Which doesn't help this bug at all. Of course, no language can ever
tell you you probably meant to add a second $i=0, thus proving my point
that you can only hand-hold so much. The programmer has to be expected
to be at a certain level of competency.
My other main point I made earlier, as it applies to your example, is I
can't envision a way that such a bug could be a security hole: not
without coming up with a ridiculously contrived example. That's why
when the VOTE YES side says "robustness" & "safety", I'm dubious.
> But never the less the point is I agree that PHP should not have
> broken backward compatibility. By doing so it will force many sites
> to remain on PHP 7.x thereby opening up the very real possibility
> that a 7.x security vulnerability will get exploited and cause
> mass-grief (log4j anyone?).
That's a great point. I've already talked with some people who said
their solution would probably be to stick with 7 as long as possible, even
past the EOL date.
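As an added illustration (not code from the thread above, and not from the PHP RFC), the following script runs John's counter bug in three forms: with $i never initialized, with a single $i=0 at the top of the function, and with $i reset before the second loop. It assumes a PHP 8 runtime, where reading an undefined variable emits an E_WARNING; the function names and the error-handler plumbing are this example's own. The point it makes concrete is that the one-line initialization which satisfies an undefined-variable rule leaves the second loop just as dead as before, so the rule catches a different class of mistake than the reuse bug.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread. Assumes PHP 8, where a read of
// an undefined variable raises an E_WARNING ("Undefined variable $i").

// Form 1: $i is never initialized. The loops still run, because null < 5 is
// true and null++ yields 1, but PHP warns on the first read of $i.
// Returns [first-loop iterations, second-loop iterations, warning seen?].
function countUninitialized(): array
{
    $warned = false;
    set_error_handler(function (int $errno, string $errstr) use (&$warned): bool {
        if (($errno & (E_WARNING | E_NOTICE)) && str_contains($errstr, 'Undefined variable')) {
            $warned = true;
        }
        return true; // swallow so the example's output stays clean
    });

    $first = 0;
    while ($i < 5) {      // undefined $i read here: warning
        $i++;
        $first++;
    }
    $second = 0;
    while ($i < 5) {      // $i is already 5, body never runs
        $i++;
        $second++;
    }

    restore_error_handler();
    return [$first, $second, $warned];
}

// Form 2: the single "$i = 0" the initialization rule asks for. No warning,
// but the second loop is still dead: the counter was never reset.
function countOnceInitialized(): array
{
    $i = 0;               // satisfies the undefined-variable rule
    $first = 0;
    while ($i < 5) {
        $i++;
        $first++;
    }
    // ... a whole bunch more lines of code go here ...
    $second = 0;
    while ($i < 5) {      // still never runs
        $i++;
        $second++;
    }
    return [$first, $second];
}

// Form 3: what actually fixes the bug is a second reset, which no
// undefined-variable rule can demand, since $i is defined at that point.
function countReinitialized(): array
{
    $i = 0;
    $first = 0;
    while ($i < 5) {
        $i++;
        $first++;
    }
    $i = 0;               // the fix the language cannot require for you
    $second = 0;
    while ($i < 5) {
        $i++;
        $second++;
    }
    return [$first, $second];
}

[$f, $s, $w] = countUninitialized();
printf("uninitialized:     first=%d second=%d warned=%s\n", $f, $s, $w ? 'yes' : 'no');
[$f, $s] = countOnceInitialized();
printf("initialized once:  first=%d second=%d\n", $f, $s);
[$f, $s] = countReinitialized();
printf("reinitialized:     first=%d second=%d\n", $f, $s);
```

Run it with `php example.php`. Forms 1 and 2 both report a second loop of zero iterations; only form 1 additionally trips the undefined-variable warning, which is exactly the distinction the message above is drawing: the rule flags the missing first assignment, not the forgotten second one.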