Typo in code - security issue

I made a typo in my code, instead of $_GET['username'] I typed
$$_GET['username'] which threw back an error because there was no variable
called $"thevalueof$_GET['username']", or for example, if
$_GET['username'] = "billh" I got an error no variable $billh . Is there a
setting that would stop php from even trying to make a variable out of
this and instead throw a syntax error? I could have sworn I read about
it being a security issue.

Bill H

Re: Typo in code - security issue

Bill H wrote:

Hi Bill,

This is just normal behaviour of PHP.
$test = "hai";
$name = "test";
echo $$name; // echoes hai

I am unaware of a setting that disables this behaviour.
I also don't see how this can be a security issue, unless the programmer
really screws up. Do you have some reference on this being a security issue?

Solution: Don't type $$ if you mean $.

Erwin Moller

"There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult."
-- C.A.R. Hoare

Re: Typo in code - security issue

Erwin Moller wrote:


Me neither.

It can be when used unintended.


I guess he understands that, him calling it a typo and all.

I once made a typo (typed one semicolon too many) which caused hundreds
of records in a production database to be invalid. Cost me 1 second to
fix the bug, 5 hours to fix the database.

Bart Blogt Beter: blog.friesoft.nl

Re: Typo in code - security issue

Bill H wrote:

If you are really concerned about this, you can write your own error
handler and code it to exit() the script when a notice is raised:


However, you can only trap stuff like reading non-existing variables.
You can't prevent things like

$_GET['username'] = "billh"

... when there is no $_GET['username'] defined because that's how
variables are created in PHP.

-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site on web programming: http://borrame.com
-- My satin-finish humor site: http://www.demogracia.com
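As an added example (not code from Álvaro's post or anyone else in the thread), here is the error-handler approach he describes, run against the original poster's typo. It assumes PHP 7 or 8; the `$_GET` values are constructed so the script runs from the command line, and the `$isAdmin` variable at the end is a made-up application variable used to show the assignment case he says cannot be trapped:

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes PHP 7.x or 8.x.
// Goal: make the "undefined variable" notice (E_NOTICE on PHP 7, E_WARNING on
// PHP 8) fatal, so the $$ typo from the original post stops the script instead
// of silently evaluating to null.

set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline) {
    // Promote every reported notice/warning to an exception. An uncaught
    // ErrorException aborts the script, which is the exit() behaviour the
    // post asks for, but it can also be caught and logged where needed.
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

$_GET['username'] = 'billh';   // constructed request input

// Intended code: read the query parameter.
$username = $_GET['username'];
echo "Intended: username = $username" . PHP_EOL;

// The typo from the original post, written as ${...} so it means the same
// thing on PHP 5 and PHP 7+ (the bare $$_GET['username'] form changed meaning
// in PHP 7): fetch the variable whose *name* is 'billh'.
try {
    $typo = ${$_GET['username']};
    echo 'Typo went unnoticed, value: ' . var_export($typo, true) . PHP_EOL;
} catch (ErrorException $e) {
    // PHP 8 reports "Undefined variable $billh", PHP 7 "Undefined variable: billh".
    echo 'Read trapped by handler: ' . $e->getMessage() . PHP_EOL;
}

// What the handler cannot catch: *assigning* through a variable variable
// creates, or overwrites, whatever variable the request names. No notice is
// raised, so no error handler fires. $isAdmin is a constructed stand-in for
// any application variable; this is why the name used with $$ must never
// come from request data.
$isAdmin = false;
$_GET['username'] = 'isAdmin';
${$_GET['username']} = true;    // silently overwrites $isAdmin
var_dump($isAdmin);             // bool(true)

restore_error_handler();
```

The first half shows that a strict error handler does turn the original poster's read typo into a hard failure; the second half shows the limit Álvaro points out, since a write through `$$` is ordinary variable creation and raises nothing to trap.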

Re: Typo in code - security issue

On 4 May, 08:17, "Álvaro G. Vicario" wrote:

I disagree. The OP's problem was that he typed in code which was not
what he intended. This would of course have been picked up by any
testing of the code. You should always write code so it doesn't
generate any warnings, and test in an environment where you can easily
see any warnings. But really the original problem is one of coding
style - as I see it, this should be picked up by the code review. There
are automated tools for doing code review - PHP Lint makes PHP behave
as if it were strongly typed (which IMHO is a bit inappropriate) but
CodeSniffer is an excellent and extensible tool for style checking.
