Write your tests before you fix the bugs: A shining example from PHP


I went to upgrade our PHP install today, but found that:

PHP 5.2.7 has been removed from distribution

Due to a security bug found in the PHP 5.2.7 release, it has been removed from distribution. The bug affects configurations where magic_quotes_gpc is enabled, because it remains off even when set to on. In the meantime, use PHP 5.2.6 until PHP 5.2.8 is later released.

This is one of those cases of "you write a test for anything that has ever gone wrong." If the PHP guys have any clue at all, they will have written many tests of all the possible ways that magic_quotes_gpc can get set incorrectly, before fixing a single line of source code.

(For those unfamiliar with this peculiar misfeature of PHP: magic_quotes_gpc automatically backslash-escapes quote characters in incoming GET, POST and cookie data, which sloppy code then treats as sufficient protection before pasting the values into SQL. Its equally peculiar sibling register_globals instantiates global variables from those same request parameters, which lets bad guys muck with your code by passing in parameters that they know will mess with your code when turned into globals. An application that leans on magic_quotes_gpc for its escaping is only as safe as the directive actually being applied, which is exactly what 5.2.7 silently stopped doing.)
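To make that concrete, here is an added example (mine, not PHP's source and not anything from the post or its comments) in Python that models what magic_quotes_gpc does to request data, the kind of regression test the post says should be written before touching the fix, and what an application that leans on the directive for SQL escaping loses when the directive silently stays off. The addslashes model, the engine's `broken` flag standing in for the 5.2.7 behaviour, the literal scanner and the two-row SQLite users table are all constructed for illustration; the scanner handles MySQL-style backslash escapes only and is not a general SQL parser.

```python
import sqlite3


def addslashes(s):
    """Model of PHP's addslashes(): a backslash before ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def apply_magic_quotes(params, magic_quotes_gpc=True, broken=False):
    """Model of what the engine does to $_GET/$_POST/$_COOKIE at request start.

    With magic_quotes_gpc on, every string value (nested arrays included) goes
    through addslashes. broken=True is a stand-in for the 5.2.7 regression the
    post quotes: the directive is set to on, yet no escaping is applied.
    """
    if not magic_quotes_gpc or broken:
        return params

    def walk(v):
        if isinstance(v, dict):
            return {k: walk(x) for k, x in v.items()}
        if isinstance(v, list):
            return [walk(x) for x in v]
        return addslashes(v)

    return walk(params)


def lazy_query(name):
    """Query built the way an app that 'requires magic_quotes_gpc on' builds it."""
    return "SELECT * FROM users WHERE name = '%s'" % name


def literal_is_intact(query):
    """Scan the MySQL-style single-quoted literal opened by the first quote.

    A backslash escapes the next character; a bare quote closes the literal.
    Returns True only if the literal closes at the very end of the query, i.e.
    the user-supplied value never broke out of its quotes.
    """
    i = query.index("'") + 1
    while i < len(query):
        ch = query[i]
        if ch == "\\":
            i += 2
            continue
        if ch == "'":
            return i == len(query) - 1
        i += 1
    return False  # unterminated literal: also not intact


def magic_quotes_regression_test(engine):
    """The test the post argues for: turn the directive on, push hostile values
    through the engine, and assert the escaping actually happened. True on pass."""
    hostile = {"name": "' OR 1=1 --", "nested": ["x\"y", {"z": "a\\b"}]}
    expected = {"name": "\\' OR 1=1 --", "nested": ["x\\\"y", {"z": "a\\\\b"}]}
    return engine(hostile, magic_quotes_gpc=True) == expected


def count_matches(name, parameterized):
    """Run the lookup against an in-memory SQLite table of constructed sample rows.

    parameterized=False concatenates the raw value like lazy_query does;
    parameterized=True binds it, which needs no escaping at all. (Values are
    passed raw here: SQLite does not use backslash escapes, so addslashes output
    belongs only in the MySQL-style scanner above.)
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    if parameterized:
        row = conn.execute("SELECT COUNT(*) FROM users WHERE name = ?", (name,)).fetchone()
    else:
        row = conn.execute("SELECT COUNT(*) FROM users WHERE name = '%s'" % name).fetchone()
    conn.close()
    return row[0]


if __name__ == "__main__":
    payload = {"name": "' OR 1=1 --"}
    for label, broken in (("directive applied", False), ("5.2.7-style silent off", True)):
        q = lazy_query(apply_magic_quotes(payload, broken=broken)["name"])
        print(label, "->", "intact" if literal_is_intact(q) else "BROKE OUT", "|", q)
    print("regression test passes on working engine:", magic_quotes_regression_test(apply_magic_quotes))
    print("concatenated rows:", count_matches(payload["name"], parameterized=False),
          "bound-parameter rows:", count_matches(payload["name"], parameterized=True))
```

The regression test fails the moment the engine takes the `broken` path, which is the point of writing it first: a fix that makes it pass is a fix for the bug that actually shipped, not for the one somebody remembers. The last function is the caveat the comments reach for: an application that binds its parameters is indifferent to whether magic_quotes_gpc is on, off, or silently off.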

3 Comments

Actually, magic_quotes_gpc makes sure the data in COOKIE, GET and POST variables is escaped first. What you're referring to are the global vars (register_globals).

Nonetheless magic_quotes_gpc is a horrible invention.

Htbaa is right, you're confusing it with register_globals. They are both rather evil features though.

I agree with Andy that this is very sloppy work. A problematic feature such as this should be tested properly.

True, both register_globals and magic_quotes_gpc are evil. If you've built an application that requires magic_quotes_gpc on (which is being lazy and irresponsible) then you're in some trouble with the above stated bug. I'd say welcome the SQL Injections :-).


Job hunting for programmers
Land the Tech Job You Love, Andy Lester's guide to job hunting for programmers and other technical professionals, is available in PDF, ePub and .mobi formats, all DRM-free, as well as good old-fashioned paper.