infolock wrote: niel, thanks. I do appreciate that. But let me explain, I'm not using global variables. I never said I would.
I simply check to see if $bob is defined. If $bob is not defined, I post that it isn't on the page. That's why there are 15 lines saying that. Sorry, I must not have been clear about that.
But no, I'm not even using $_POST data, or $_GET data. I'm simply using an undefined variable. Therefore, $bob is being called before it is defined.
Roja: if you want to believe what you've read, go ahead. That's your choice. I do not ask you to use methods I use. I do not expect you to change your methods. All I'm trying to do is prove that if you do use an undefined variable, it is not necessarily a security risk, so long as you validate the variable once it is defined.
That's it. Nothing more. But to say it's insecure is like saying passwords are insecure. Passwords CAN be insecure if you do not store them with encryption, or if you do not validate that they are correct. The same thing goes here. That's all I'm trying to say.
Deciding that undefined variables are "safe" because you can construct a script where they are does not prove that they are safe in general. Yes, given your script, they are not opening you up to any security holes. However, that doesn't mean it's safe to ignore those messages, especially as it means you might ignore the message when it does matter.
Furthermore, it trains you to write code that is not securely portable. If someone takes one of your scripts to a host where register_globals is on, their application is toast.
It is never good to get into a habit of ignoring warnings or notices. They exist for a reason.
If you ever had code like
<?php
// $someDefinedVariable is assumed to have been set earlier in the script
if ($someDefinedVariable == "something") {
    $someOtherVariable = TRUE;
}
// loads of other code
// if the branch above was not taken, $someOtherVariable was never assigned:
// PHP reports "Undefined variable" here and evaluates it as false
if (!$someOtherVariable) {
    // do something
}
Then you have at least a logic error, if not a security error. The NOTICES here will alert you to the error; hiding them or ignoring them will not.
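The pattern in the snippet above, worked through as an added example that is not code from anyone in this thread: the one-branch assignment beside an initialised version, with an error handler that turns the notice into an exception so it cannot be overlooked. The names grantBroken, grantFixed and $isAdmin are assumed for the example.

```php
<?php
// Added example, not code from the thread. Run with: php undefined_var.php
declare(strict_types=1);
error_reporting(E_ALL);

// Turn every notice/warning into an exception so "ignoring it" is not an option.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// Broken shape from the thread: $isAdmin is assigned on one branch only.
function grantBroken(string $role): bool
{
    if ($role === 'admin') {
        $isAdmin = true;
    }
    // ... loads of other code ...
    // For any other role $isAdmin was never assigned. PHP reports
    // "Undefined variable $isAdmin" and evaluates it as false; on a
    // register_globals host the request could have supplied the value.
    if (!$isAdmin) {
        return false;
    }
    return true;
}

// Hardened shape: initialise before the branch; no path reads an unset value.
function grantFixed(string $role): bool
{
    $isAdmin = false;   // explicit default closes the gap
    if ($role === 'admin') {
        $isAdmin = true;
    }
    // ... loads of other code ...
    return $isAdmin;
}

foreach (['admin', 'guest'] as $role) {
    try {
        printf("broken(%s) => %s\n", $role, var_export(grantBroken($role), true));
    } catch (ErrorException $e) {
        printf("broken(%s) => caught: %s\n", $role, $e->getMessage());
    }
    printf("fixed(%s)  => %s\n", $role, var_export(grantFixed($role), true));
}
```

With error_reporting(E_ALL) the broken function only "works" for the admin role; for guest the handler surfaces the undefined-variable message as an exception, while the initialised version returns false without any notice.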