1.2.364. Don’t Change Incomings

PHP hands over a lot of information using special variables like $_GET, $_POST, etc. Modifying those variables, or the values inside them, means that the original content is lost: the modified data still looks like raw incoming input and, as such, will still be treated as untrustworthy, while the genuine raw value is no longer available anywhere.

It is recommended to put the modified values in another variable, and keep the original one intact.

<?php

// Filtering into a separate variable: the incoming value is kept intact.
$_DATA['id'] = (int) $_GET['id'];

// Filtering by overwriting the incoming value: the original is lost.
$_GET['id'] = strtolower($_GET['id']);

?>
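As an added illustration (not code from the Exakat documentation), the following script reads every accepted parameter out of $_GET into a separate $input array and never writes back into the superglobal; the readIncoming() and auditLine() functions and the sample request are constructed for this example.

```php
<?php
// Constructed sample request so the script runs from the command line.
$_GET = ['id' => '42abc', 'sort' => 'NAME', 'page' => '-3'];

/**
 * Copy and filter the request parameters we accept, leaving $raw untouched.
 * Returns a new array; unknown or invalid parameters fall back to defaults.
 */
function readIncoming(array $raw): array
{
    $input = [];

    // Only accept digit strings: '42abc' is rejected (null) instead of being
    // silently turned into 42 by a bare (int) cast.
    $input['id'] = ctype_digit($raw['id'] ?? '') ? (int) $raw['id'] : null;

    // Normalise the case in the copy; the raw spelling stays in $raw.
    $sort = strtolower($raw['sort'] ?? 'name');
    $input['sort'] = in_array($sort, ['name', 'date'], true) ? $sort : 'name';

    // Page numbers below 1 are clamped rather than passed through.
    $input['page'] = max(1, (int) ($raw['page'] ?? 1));

    return $input;
}

/**
 * Audit logging reads the original request. Had readIncoming() written its
 * results back into $_GET, this record would contain the cleaned values and
 * the rejected input '42abc' would be missing from the log.
 */
function auditLine(array $raw): string
{
    return 'raw query: ' . http_build_query($raw);
}

$input = readIncoming($_GET);

echo auditLine($_GET), PHP_EOL;   // the unmodified incoming values
var_export($input);               // the filtered copy used by the application
echo PHP_EOL;
```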

1.2.364.1. Suggestions

  • Set the value to another variable and apply modifications to that variable

1.2.364.2. Specs

Short name: Structures/NoChangeIncomingVariables

Rulesets: All, Analyze

Exakat since: 0.8.4

PHP Version: All

Severity: Minor

Time To Fix: Slow (1 hour)

Precision: High

Features: incoming-data, outgoing-data

Available in: Enterprise Edition, Exakat Cloud