While PHP variables obligingly spring into existence the first time you use them, relying on this behavior is a bad idea for two reasons. First, relying on the default value of an uninitialized variable can cause problems in some cases. Second, and more importantly, it can pose a security risk when ``++register_globals++`` is enabled. (Note that ``++register_globals++`` is deprecated in PHP 5.3 and removed in PHP 5.4.)

== Noncompliant Code Example

----
$a = $b + 4;  // Noncompliant; this initializes $a, but $b is uninitialized

if (authenticated($user)) {
  $authorized = true;  // Noncompliant. What value does $authorized have if the user is not authenticated?
}
----

== Compliant Solution

----
$b = doSomething();
$a = $b + 4;

$authorized = false;
if (authenticated($user)) {
  $authorized = true;
}
----

== See

* http://cwe.mitre.org/data/definitions/457.html[MITRE, CWE-457] - Use of Uninitialized Variable