neridaj, posted April 14, 2008:

Hello, I'm new to PHP and was interested in finding out how important it is to fix undefined vars. I turned on error_reporting(E_NOTICE) and noticed a lot of these warnings; is it important to fix these with isset()? I'm trying to make sure my scripts are secure and would be interested in hearing any general procedures experienced users adhere to.

Thanks,
Jason

Source: https://forums.phpfreaks.com/topic/100989-php-security/
darkfreaks, posted April 14, 2008:

Please paste the warnings and your code; I will tell you what you are doing wrong and how to fix it.
PFMaBiSmAd, posted April 14, 2008:

If your host should change the error_reporting setting, either due to an upgrade or someone just changing the setting in php.ini (deliberately or accidentally), your variable names and server paths will get exposed. This will give a hacker more information about your code that he can attempt to use (this is less important now that register_globals is off by default and will soon be eliminated in PHP 6), along with outputting ugly error messages on your pages and getting your visitors to question how well they like or trust your site.

Also, the warning/notice message that is output is just the last step in the error response code. PHP must execute 20-30 times more code for every variable it encounters that is not defined at runtime, thereby slowing down the generation of your page.

Code should not normally generate any errors/warnings/notices (only for unexpected and uncaught conditions, which should be few and far between).
discomatt, posted April 14, 2008:

> please paste the warnings and your code i will tell you what you are doing wrong and how to fix

Read the problem. He's wondering if using undeclared variables directly in the script is a security issue.

Personally, I don't see this as being a problem. PHP allows declaration of variables on the fly, so I don't see how attempting to reference an undeclared variable on the fly could be an issue. It's designed to work this way. It is still good practice to declare all variables that will be used before using them.

If I'm wrong, I'd love to be corrected.
neridaj (author), posted April 14, 2008:

Notice: Undefined index: pa in output_fns.php on line 286

line 286:
$propadd = $_GET['pa'];
// I'm assuming cleanse the var 'pa' and do an if(isset($_GET['pa'])) before assigning to $propadd.

Notice: Undefined variable: _SESSION in output_fns.php on line 287

line 287:
$userfolder = $_SESSION['valid_user'];
// I'm assuming cleanse the var 'valid_user' and do an if(isset($_SESSION['valid_user'])) before assigning to $userfolder.

Is it standard to just cleanse vars with RegEx?

Thanks for the advice,
Jason
discomatt, posted April 14, 2008:

Regex is a great way to validate and sanitize a variable's contents.
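As an added example (not code from the thread or from output_fns.php), here is how the two lines from Jason's post could be written so that they never read an undefined index or an unstarted session and so that each value is checked against a whitelist regex before use; the patterns, the is_string() check and the login.php redirect are assumptions chosen for illustration.

```php
<?php
// Added example: lines 286/287 rewritten with isset() plus whitelist validation.
// Patterns, the is_string() check and the redirect target are assumptions.

// $_SESSION only exists once a session has been started. The
// "Undefined variable: _SESSION" notice means the script read it before
// session_start() was called, so start the session first (before any output).
session_start();

/**
 * Return $source[$key] if it is set and matches $pattern, otherwise $default.
 * isset() removes the E_NOTICE; the whitelist regex decides which values are
 * acceptable at all, so anything unexpected is discarded instead of used.
 */
function getValidated(array $source, $key, $pattern, $default = null)
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return $default;           // missing, or an array smuggled in as pa[]=x
    }
    return preg_match($pattern, $source[$key]) === 1 ? $source[$key] : $default;
}

// line 286, before:  $propadd = $_GET['pa'];
// Assumed format for 'pa': 1-64 letters, digits, spaces, dots or dashes.
$propadd = getValidated($_GET, 'pa', '/^[A-Za-z0-9 .\-]{1,64}$/', '');

// line 287, before:  $userfolder = $_SESSION['valid_user'];
// Assumed format for a user folder name: a plain username, no path characters.
$userfolder = getValidated($_SESSION, 'valid_user', '/^[A-Za-z0-9_]{1,32}$/');

if ($userfolder === null) {
    // No valid login in the session: stop instead of continuing with ''.
    header('Location: login.php');  // assumed login page
    exit;
}

// From here on both variables are defined and hold only whitelisted values.
echo 'Property: ' . htmlspecialchars($propadd, ENT_QUOTES, 'UTF-8') . "\n";
echo 'Folder:   ' . htmlspecialchars($userfolder, ENT_QUOTES, 'UTF-8') . "\n";
```

Run it with error_reporting(E_ALL) enabled: the two notices no longer appear, and a request such as ?pa=x%00y or ?pa[]=x yields the default rather than the raw input.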
This topic is now archived and is closed to further replies.