59 lines
1.5 KiB
Plaintext
59 lines
1.5 KiB
Plaintext
== Why is this an issue?
|
|
|
|
While PHP variables obligingly spring into existence the first time you use them, relying on this behavior is a bad idea for two reasons. First, relying on the default value of an uninitialized variable can cause problems in some cases. Second, and more importantly, it can pose a security risk when ``++register_globals++`` is enabled. (Note that ``++register_globals++`` is deprecated in PHP 5.3 and removed in PHP 5.4.)
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,php]
|
|
----
|
|
$a = $b + 4; // Noncompliant; this initializes $a, but $b is uninitialized
|
|
|
|
if (authenticated($user)) {
|
|
$authorized = true; // Noncompliant. What value does $authorized have if the user is not authenticated?
|
|
}
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,php]
|
|
----
|
|
$b = doSomething();
|
|
$a = $b + 4;
|
|
|
|
$authorized = false;
|
|
if (authenticated($user)) {
|
|
$authorized = true;
|
|
}
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
* CWE - https://cwe.mitre.org/data/definitions/457[CWE-457 - Use of Uninitialized Variable]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
* Initialize "xx" before this usage.
|
|
* Use "isset()" to make sure "xx" is initialized before this usage.
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== is related to: S2669
|
|
|
|
=== on 19 Sep 2014, 15:35:43 Freddy Mallet wrote:
|
|
@Ann, if my feeling is correct, this rule relates to \http://cwe.mitre.org/data/definitions/457.html and in that case we can also target C and {cpp}
|
|
|
|
endif::env-github,rspecator-view[]
|