Re: Re: Dynamic Variable Names?

... but security is only an argument if you use data from the untrusted environment as variable names.

Really?

Whenever code does not behave as expected, there is a real possibility of an unexpected consequence that compromises security. Therefore any programming practice that leads to bugs is also a source of potential security flaws, even if it is not obvious how to get there.

Comment on Re: Re: Dynamic Variable Names?

Replies are listed 'Best First'.
Re: Dynamic Variable Names? by Abigail-II (Bishop) on Jul 24, 2002 at 08:37 UTC
The only coding practice that doesn't lead to bugs is to not code at all. eval()s are as dangerous as code written with vi - you can make the same mistakes. Abigail	[reply]
Re: Re: Dynamic Variable Names? by Anonymous Monk on Jul 25, 2002 at 00:36 UTC
You can make the same mistakes with any coding practice - agreed. Which leads to the question of how often you make them, and how quickly you catch them. I submit that liberal usage of eval for most people leads to more mistakes, and more difficulty in tracking them down and debugging them. (Particularly if you don't religiously check $@.) Given its power it is sometimes worth going there. But not when there are built-in constructs for doing the same thing you are trying to do.	[reply]