
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
59 lines
1.5 KiB
Plaintext
== Why is this an issue?
While PHP variables obligingly spring into existence the first time you use them, relying on this behavior is a bad idea for two reasons. First, relying on the default value of an uninitialized variable can cause problems in some cases. Second, and more importantly, it can pose a security risk when ``++register_globals++`` is enabled. (Note that ``++register_globals++`` is deprecated in PHP 5.3 and removed in PHP 5.4.)
=== Noncompliant code example
[source,php]
----
$a = $b + 4; // Noncompliant; this initializes $a, but $b is uninitialized

if (authenticated($user)) {
  $authorized = true; // Noncompliant. What value does $authorized have if the user is not authenticated?
}
----
=== Compliant solution
[source,php]
----
$b = doSomething();
$a = $b + 4;

$authorized = false;
if (authenticated($user)) {
  $authorized = true;
}
----
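The two remedies named by this rule's messages, initializing up front and guarding the read with ``++isset()++``, shown side by side on a "deny by default" authorization check. This is an added example, not code from the rule page; ``++authenticated()++`` and the token check inside it are stand-ins.

```php
<?php
// Added example, not part of the rule page. The authenticated() helper and
// its 'token' check are stand-ins for a real authentication call.

function authenticated(array $user): bool
{
    return ($user['token'] ?? '') === 'valid'; // hypothetical check
}

// Noncompliant: $role is assigned on only one path. When the branch is
// skipped, the read at the end hits an undefined variable: PHP warns and
// yields null, and under register_globals the value could even have been
// supplied from outside the script.
function roleNoncompliant(array $user): ?string
{
    if (authenticated($user)) {
        $role = 'member';
    }
    return $role; // Noncompliant: what is $role when the user is not authenticated?
}

// Compliant, remedy 1 ("Initialize $role before this usage"): every path
// sees an explicit initial value, so the deny-by-default outcome is written
// in the code rather than left to PHP's implicit null.
function roleInitialized(array $user): string
{
    $role = 'guest';
    if (authenticated($user)) {
        $role = 'member';
    }
    return $role;
}

// Compliant, remedy 2 ("Use isset() to make sure $role is initialized"):
// keep the single assignment but make the read conditional on the variable
// actually existing.
function roleWithIsset(array $user): string
{
    if (authenticated($user)) {
        $role = 'member';
    }
    return isset($role) ? $role : 'guest';
}

// Constructed inputs: one unauthenticated user, one authenticated.
var_dump(roleNoncompliant(['token' => 'nope']));
var_dump(roleInitialized(['token' => 'nope']));
var_dump(roleWithIsset(['token' => 'valid']));
```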
== Resources
* https://cwe.mitre.org/data/definitions/457[MITRE, CWE-457] - Use of Uninitialized Variable
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* Initialize "xx" before this usage.
* Use "isset()" to make sure "xx" is initialized before this usage.
'''
== Comments And Links
(visible only on this page)
=== is related to: S2669
=== on 19 Sep 2014, 15:35:43 Freddy Mallet wrote:
@Ann, if my feeling is correct, this rule relates to \http://cwe.mitre.org/data/definitions/457.html and in that case we can also target C and {cpp}
endif::env-github,rspecator-view[]