1.2.1649. var_dump()… Usage

var_dump(), print_r() or var_export() should not be left in any production code. They are debugging functions.

They may be tolerated during development, but they must be removed before release so that they have no chance of running in production.

<?php

if ($error) {
    // Debugging usage of var_dump,
    // and a major security problem: the query is printed to the browser
    var_dump($query);

    // This is OK: with the second argument set to true, print_r() returns
    // a string, so the $query is logged and not displayed
    $this->log(print_r($query, true));
}

?>

1.2.1649.1. Suggestions

  • Remove usage of var_dump(), print_r() and var_export() called without a second argument, and of other debug functions.

  • Push all logging to an external file, instead of the browser.
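The check the rule performs, as an added example that is not Exakat's own implementation: a small token-based scan that reports the three debug functions when they print, and tolerates print_r() and var_export() when a second argument is passed. It assumes unqualified calls to the builtins (PHP 8 tokenizes a leading backslash differently) and uses a constructed sample as input.

```php
<?php
// Added example, not Exakat's own implementation: a token-based scan that
// reports the debug calls this rule describes, tolerating print_r() and
// var_export() when a second argument is passed (return mode, safe to log).
// Assumes unqualified builtin calls (PHP 8 tokenizes \var_dump as T_NAME_FULLY_QUALIFIED).
function findDebugCalls(string $code): array
{
    $targets  = ['var_dump', 'print_r', 'var_export'];
    $tokens   = token_get_all($code);
    $count    = count($tokens);
    $findings = [];
    for ($i = 0; $i < $count; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING) continue;
        $name = strtolower($t[1]);
        if (!in_array($name, $targets, true)) continue;
        // $obj->print_r() or Foo::var_dump() are user methods, not the builtins
        $prev = $tokens[$i - 1] ?? null;
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON], true)) continue;
        // Locate the opening parenthesis (skipping whitespace); skip if not a call
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) $j++;
        if (($tokens[$j] ?? null) !== '(') continue;
        // Count top-level arguments: commas at nesting depth 1 separate them
        $depth = 0; $args = 1;
        for ($k = $j; $k < $count; $k++) {
            $tok = $tokens[$k];
            if ($tok === '(' || $tok === '[') $depth++;
            elseif (($tok === ')' || $tok === ']') && --$depth === 0) break;
            elseif ($tok === ',' && $depth === 1) $args++;
        }
        // print_r($x, true) / var_export($x, true) return a string instead of printing
        if ($name !== 'var_dump' && $args >= 2) continue;
        $findings[] = ['function' => $name, 'line' => $t[2]];
    }
    return $findings;
}
// Constructed sample input covering the cases the rule distinguishes
$sample = <<<'PHP'
<?php
if ($error) {
    var_dump($query);                  // flagged
    $this->log(print_r($query, true)); // tolerated: second argument
    print_r($query);                   // flagged: output goes to the browser
    $this->var_dump($query);           // a method, not the builtin
}
PHP;
foreach (findDebugCalls($sample) as $f) {
    printf("%s() at line %d\n", $f['function'], $f['line']);
}
```

Run it with the PHP CLI; it reports the two calls that write to the output stream and ignores the logged one and the user-defined method.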

1.2.1649.2. Specs

Short name: Structures/VardumpUsage

Rulesets: All, Analyze, CE, CI-checks, Security

Exakat since: 0.8.4

PHP Version: All

Severity: Critical

Time To Fix: Instant (5 mins)

Precision: Very high

Features: debug

ClearPHP: no-debug-code

Examples: Tine20, Piwigo

Available in: Entreprise Edition, Community Edition, Exakat Cloud