1.2.367. Don’t Change Incomings

PHP hands over request data in superglobals such as $_GET, $_POST, $_COOKIE and $_SERVER. Modifying those arrays, or the values stored in them, in place means that the original content is lost: the variable still looks like raw incoming data, so later code will treat it as untrusted and may filter it a second time, log a value the client never sent, or accept a value that the conversion silently truncated. It is recommended to put the filtered or normalized values in another variable, and keep the original one intact.

<?php

// filtering and keeping the incoming value: the cast result goes into a
// separate array, and $_GET['id'] still holds the raw string the client sent.
$_DATA['id'] = (int) $_GET['id'];

// filtering and changing the incoming value: the raw value is overwritten,
// and nothing downstream can tell what was originally received.
$_GET['id'] = strtolower($_GET['id']);

?>
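The following is an added example, not code from the Exakat documentation, showing what is lost when a superglobal is overwritten. It assumes a request carrying id=42abc, constructed inline in $_GET so the script runs from the command line; the readInput() function and the $clean array are illustrative names, not an Exakat or PHP API.

```php
<?php
// Constructed request data (assumption): what PHP would populate from ?id=42abc&sort=DESC
$_GET = ['id' => '42abc', 'sort' => 'DESC'];

// Validate the raw request into a separate, typed array. $_GET is only read, never written.
function readInput(array $raw): array
{
    $clean = [];

    // FILTER_VALIDATE_INT returns false for "42abc"; a plain (int) cast would give 42.
    $id = filter_var($raw['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException(
            'id must be a positive integer, got ' . var_export($raw['id'] ?? null, true)
        );
    }
    $clean['id'] = $id;

    // Normalize into the copy; the original case of $raw['sort'] is preserved in $_GET.
    $sort = strtolower((string) ($raw['sort'] ?? 'asc'));
    if (!in_array($sort, ['asc', 'desc'], true)) {
        throw new InvalidArgumentException('sort must be asc or desc');
    }
    $clean['sort'] = $sort;

    return $clean;
}

// 1. Originals kept intact: the bad id is rejected, and the log records what was really sent.
try {
    $input = readInput($_GET);
    echo "accepted: " . json_encode($input) . "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . " raw=" . json_encode($_GET) . "\n";
}

// 2. The pattern the rule warns about, done on a copy so the contrast is visible:
//    the cast overwrites the value, so the validation below can no longer see "42abc".
$overwritten = $_GET;
$overwritten['id'] = (int) $overwritten['id'];   // "42abc" becomes 42
$input = readInput($overwritten);
echo "accepted after overwrite: " . json_encode($input)
   . " (tampered value is gone, raw was " . json_encode($_GET) . ")\n";
```

Run with `php example.php`: the first call rejects the request and logs id "42abc", while the second accepts id 42 because the truncated value now passes validation and the evidence of the malformed input exists only because the script kept $_GET untouched for the log.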

1.2.367.2. Connex PHP features

1.2.367.2.1. Suggestions

  • Set the value to another variable and apply modifications to that variable

1.2.367.2.2. Specs

Short name

Structures/NoChangeIncomingVariables

Rulesets

All, Analyze, Changed Behavior

Exakat since

0.8.4

PHP Version

All

Severity

Minor

Time To Fix

Slow (1 hour)

Precision

High

Available in

Entreprise Edition, Exakat Cloud