2021-04-28 16:49:39 +02:00
While PHP variables obligingly spring into existence the first time you use them, relying on this behavior is a bad idea for two reasons. First, relying on the default value of an uninitialized variable can cause problems in some cases. Second, and more importantly, it can pose a security risk when ``++register_globals++`` is enabled. (Note that ``++register_globals++`` is deprecated in PHP 5.3 and removed in PHP 5.4.)
2021-04-28 18:08:03 +02:00
2021-04-28 16:49:39 +02:00
== Noncompliant Code Example
2022-02-04 17:28:24 +01:00
[source,php]
2021-04-28 16:49:39 +02:00
----
$a = $b + 4; // Noncompliant; this initializes $a, but $b is uninitialized
if (authenticated($user)) {
$authorized = true; // Noncompliant. What value does $authorized have if the user is not authenticated?
}
----
2021-04-28 18:08:03 +02:00
2021-04-28 16:49:39 +02:00
== Compliant Solution
2022-02-04 17:28:24 +01:00
[source,php]
2021-04-28 16:49:39 +02:00
----
$b = doSomething();
$a = $b + 4;
$authorized = false;
if (authenticated($user)) {
$authorized = true;
}
----
2021-04-28 18:08:03 +02:00
2021-04-28 16:49:39 +02:00
== See
2022-04-07 08:53:59 -05:00
* https://cwe.mitre.org/data/definitions/457[MITRE, CWE-457] - Use of Uninitialized Variable
2021-04-28 18:08:03 +02:00
2021-06-02 20:44:38 +02:00
2021-06-03 09:05:38 +02:00
ifdef::env-github,rspecator-view[]
2021-09-20 15:38:42 +02:00
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
2021-06-08 15:52:13 +02:00
'''
2021-06-02 20:44:38 +02:00
== Comments And Links
(visible only on this page)
include::comments-and-links.adoc[]
2021-06-03 09:05:38 +02:00
endif::env-github,rspecator-view[]
