1.2.1639. parse_str() Warning
The parse_str() function parses a query string and, when called with a single argument, assigns the resulting variables to the local scope. This may create an unexpected number of variables, and even overwrite existing ones.
Always pass an empty variable as the second parameter to parse_str(), so as to collect the incoming values in an array, and then filter them in that array.
<?php
function foo() {
    global $a; // $a only exists because parse_str() wrote it into the global scope
    echo $a;
}
parse_str('a=1'); // No second parameter: the variable $a is created in the current scope
foo();
// displays 1
?>
See also parse_url() and PHP SSRF Techniques.
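The following is an added example, not code from the Exakat documentation: it collects the query string into an array with the second parameter of parse_str() and then keeps only the expected keys, so that an incoming parameter cannot create or overwrite a local such as $admin. The function name, the allow-list and the query string are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Parse $query into a private array and return only the parameters listed in
// $allowed, each passed through the given filter_var() filter (hypothetical helper).
function parseAllowedParams(string $query, array $allowed): array
{
    $params = [];
    parse_str($query, $params);     // second argument: nothing is written into scope

    $clean = [];
    foreach ($allowed as $name => $filter) {
        // Skip missing keys and non-scalar values such as "name[]=x".
        if (!array_key_exists($name, $params) || !is_string($params[$name])) {
            continue;
        }
        $value = filter_var($params[$name], $filter);
        if ($value !== false && $value !== null) {
            $clean[$name] = $value;
        }
    }
    return $clean;
}

$admin = false;   // a local the rest of the script relies on

// Constructed input: a legitimate "page" and "q", plus an attempt to set "admin".
$query = 'page=3&q=search%20term&admin=1';

// parse_str($query) with no second argument would create $page, $q and $admin here.
$input = parseAllowedParams($query, [
    'page' => FILTER_VALIDATE_INT,
    'q'    => FILTER_DEFAULT,
]);

var_dump($admin);   // still the value set above; "admin=1" never reached scope
var_dump($input);   // only the allow-listed keys, "page" validated as an integer
```

The same pattern applies to $_GET and $_POST, which PHP already populates as arrays: read the expected keys from the array and validate each one rather than extracting them into variables.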
1.2.1639.1. Suggestions¶
Use the second parameter when calling parse_str();
Upgrade to PHP 8.0, which made the second argument compulsory.
1.2.1639.2. Specs¶
Short name | Security/parseUrlWithoutParameters
Rulesets |
Exakat since | 0.8.4
PHP Version | With PHP 8.0 and older
Severity | Major
Time To Fix | Slow (1 hour)
Precision | Very high
Features | query-string
ClearPHP |
Available in |