1.2.1639. parse_str() Warning

The parse_str() function parses a query string and assigns the resulting variables to the local scope. This may create an unexpected number of variables, and even overwrite existing ones.

Always pass an empty variable as the second parameter to parse_str(), so that the incoming values are collected in that array, and then filter them there.

<?php
  function foo( ) {
    global $a;

    echo $a;
  }

  parse_str('a=1'); // No second parameter
  foo( );
  // displays 1
?>
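The hardened form of the same call, as an added example that is not part of the Exakat documentation: the incoming values land in a local array, and only the keys on a constructed allow-list (the names `page` and `sort`, the helper `parseQuery()` and the sample query string are assumptions for this example) are accepted, each through its own filter. The global `$a` is never touched, whatever the query string contains.

```php
<?php
// Added example (not from the Exakat documentation): collect parse_str()
// output into a local array and filter it, instead of letting the call
// create variables in the current scope.

function parseQuery(string $query): array
{
    // Second parameter: every key/value pair lands in $params and nowhere else.
    parse_str($query, $params);

    // Constructed allow-list: only these keys are accepted, each with a filter.
    $allowed = [
        'page' => FILTER_VALIDATE_INT,
        'sort' => FILTER_DEFAULT,
    ];

    $clean = [];
    foreach ($allowed as $key => $filter) {
        // Missing keys and nested values (page[]=x produces an array) are dropped.
        if (!array_key_exists($key, $params) || !is_scalar($params[$key])) {
            continue;
        }
        $value = filter_var($params[$key], $filter);
        if ($value === false) {
            continue; // fails validation, e.g. page=abc
        }
        $clean[$key] = $value;
    }
    return $clean;
}

$a = 'untouched';

// Constructed query string that tries to inject $a and an unexpected key.
$clean = parseQuery('a=1&page=3&sort=name&debug=on');

var_dump($clean); // array(2) { ["page"]=> int(3) ["sort"]=> string(4) "name" }
var_dump($a);     // string(9) "untouched": parse_str() never reached the scope
```

With the allow-list the unknown keys `a` and `debug` disappear before any code sees them, and `page` arrives as a validated integer rather than a raw string.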

See also parse_url() and PHP SSRF Techniques.

1.2.1639.1. Suggestions

  • Use the second parameter when calling parse_str();

  • Upgrade to PHP 8.0, which made the second argument compulsory

1.2.1639.2. Specs

Short name

Security/parseUrlWithoutParameters

Rulesets

All, Security

Exakat since

0.8.4

PHP Version

With PHP 8.0 and older

Severity

Major

Time To Fix

Slow (1 hour)

Precision

Very high

Features

query-string

ClearPHP

know-your-variables

Available in

Enterprise Edition, Exakat Cloud