32 lines
921 B
Plaintext
32 lines
921 B
Plaintext
While PHP variables obligingly spring into existence the first time you use them, relying on this behavior is a bad idea for two reasons. First, relying on the default value of an uninitialized variable can cause problems in some cases. Second, and more importantly, it can pose a security risk when ``register_globals`` is enabled. (Note that ``register_globals`` is deprecated in PHP 5.3 and removed in PHP 5.4.)
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
$a = $b + 4; // Noncompliant; this initializes $a, but $b is uninitialized
|
|
|
|
if (authenticated($user)) {
|
|
$authorized = true; // Noncompliant. What value does $authorized have if the user is not authenticated?
|
|
}
|
|
----
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
$b = doSomething();
|
|
$a = $b + 4;
|
|
|
|
$authorized = false;
|
|
if (authenticated($user)) {
|
|
$authorized = true;
|
|
}
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* http://cwe.mitre.org/data/definitions/457.html[MITRE, CWE-457] - Use of Uninitialized Variable
|
|
|