1.2.802. No Hardcoded Path

Do not use hardcoded literals to designate files. A full path is tied to one file system layout: as soon as that layout changes, or has to be adapted to an external constraint, the path is no longer valid.

Instead, use __FILE__ or __DIR__ to make the path relative to the current file; use a configuration constant such as DOC_ROOT as a prefix, so that the script can be moved to another folder without editing the code; and use functions such as sys_get_temp_dir(), which return a usable temporary folder for the current platform.

Relative paths are resolved against the current working directory of the process (the directory returned by getcwd()), not against the directory of the current file. That directory depends on how and from where the application was started, and it changes with every chdir() or chroot() call, so the same relative literal may designate a different file from one execution to the next.

<?php

    // Relative literal: resolved against the current working directory,
    // which depends on the executed script and on any earlier chdir()
    file_get_contents('token.txt');

    // Non-standard stream wrappers are ignored
    file_get_contents('jackalope://file.txt');

    // These protocols are ignored : http, https, ftp, ssh2, php (with memory)
    file_get_contents('http://www.php.net/');
    file_get_contents('php://memory/');

    // glob() patterns that use the special chars * and ? are not reported
    glob('./*/foo/bar?.txt');
    // glob() without the special chars * and ? is reported
    glob('/foo/bar/');

?>

1.2.802.1. Suggestions

  • Add __DIR__ before the path to make it relative to the current file

  • Add a configured prefix before the path to point to any file in the system

  • Use sys_get_temp_dir() for temporary data

  • Use the include_path flag of functions such as file_get_contents() or fopen(), so that the file is looked up in configurable directories.
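The following script is an added worked example; it is not code from the Exakat manual nor from any project the rule was run on. It builds a small constructed fixture (two different token.txt files under the system temp directory), then contrasts the relative literal flagged by the rule with the four suggested forms: a __DIR__-anchored path, a configured prefix (the environment variable APP_DATA_DIR and the helper names are assumptions of this example), sys_get_temp_dir(), and the use_include_path flag of file_get_contents(). It assumes PHP 8 (for str_starts_with()). The configured-prefix helper also shows the check a reviewer would ask for: a prefix alone does not stop '..' segments, so the resolved path is verified to stay under the prefix.

```php
<?php
declare(strict_types=1);

// Added example: not the Exakat manual's or any scanned project's code.
// APP_DATA_DIR and the helper names below are assumptions of this example.

// Constructed fixture: two token.txt files with different contents.
$root = sys_get_temp_dir() . '/nhp-' . bin2hex(random_bytes(4));
mkdir($root, 0700);
mkdir($root . '/other', 0700);
file_put_contents($root . '/token.txt', 'A');
file_put_contents($root . '/other/token.txt', 'B');

// The form flagged by the rule: the literal is resolved against getcwd(),
// so the same line reads a different file depending on where the process is.
function fragileRead(): string
{
    return file_get_contents('token.txt');
}

// Suggestion 1: anchor on the current file. __DIR__ is fixed when the file
// is compiled and is unaffected by chdir() or by how the script was started.
function anchoredPath(string $name): string
{
    return __DIR__ . '/' . $name;
}

// Suggestion 2: a configured prefix. The deployment says where data lives;
// the code appends the file name and refuses anything that escapes the
// prefix, because a prefix by itself does not neutralise '..' segments.
function configuredPath(string $name): string
{
    $base = getenv('APP_DATA_DIR');
    if ($base === false || ($base = realpath($base)) === false) {
        throw new RuntimeException('APP_DATA_DIR is not set or does not exist');
    }
    $path = realpath($base . '/' . $name);
    if ($path === false || !str_starts_with($path, $base . '/')) {
        throw new RuntimeException("Refusing path outside APP_DATA_DIR: $name");
    }
    return $path;
}

// Suggestion 3: temporary data goes where the platform says, never in a
// hardcoded '/tmp'.
function scratchFile(): string
{
    $f = tempnam(sys_get_temp_dir(), 'app');
    if ($f === false) {
        throw new RuntimeException('cannot create a temporary file');
    }
    return $f;
}

// Suggestion 4: with use_include_path = true, file_get_contents() searches
// the configured include_path, so the lookup directories are set in one
// place instead of being baked into every call.
function includePathRead(string $name): string
{
    return file_get_contents($name, true);
}

// Demonstration.
putenv("APP_DATA_DIR=$root");
set_include_path($root . PATH_SEPARATOR . get_include_path());

chdir($root);
echo fragileRead(), "\n";                                   // A
chdir($root . '/other');
echo fragileRead(), "\n";                                   // B: same code, different secret
echo anchoredPath('config.php'), "\n";                      // next to this file, whatever getcwd() is
echo file_get_contents(configuredPath('token.txt')), "\n";  // A: unaffected by chdir()
echo includePathRead('token.txt'), "\n";                    // A: $root is first on include_path
try {
    configuredPath('../other/token.txt');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";                            // escapes the prefix, refused
}
$tmp = scratchFile();
echo "scratch file: $tmp\n";
unlink($tmp);

// Clean up the constructed fixture.
unlink($root . '/other/token.txt');
unlink($root . '/token.txt');
rmdir($root . '/other');
rmdir($root);
```

The two calls to fragileRead() are the whole point of the rule: nothing in the code changed, only the working directory did, and the "token" that came back is a different one. The configured prefix and the include_path lookup keep returning the intended file, and the realpath() check in configuredPath() is what turns a configurable prefix into a boundary rather than just a convenience.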

1.2.802.2. Specs

Short name: Structures/NoHardcodedPath

Rulesets: All, Analyze

Exakat since: 0.8.4

PHP Version: All

Severity: Major

Time To Fix: Slow (1 hour)

Precision: Very high

Features: path, hardcoded

ClearPHP: no-hardcoded-path

Examples: Tine20, Thelia

Available in: Entreprise Edition, Exakat Cloud