
#1 false positive: parsing/display issue

closed-fixed
nobody
None
5
2012-03-20
2010-05-25
Anonymous
No

I tried out your parser on some of my code, and it displayed this:

* 822: eval eval($run_mode . '_mode();');
o 813: $run_mode = (isset($_REQUEST['openid_mode'])

Which looked pretty concerning until I looked at the actual code in question:

$run_mode = (isset($_REQUEST['openid_mode'])
&& in_array($_REQUEST['openid_mode'], $known['openid_modes']))
? $_REQUEST['openid_mode']
: 'no';

If your parser could display the whole block, that would help. (I'm not really asking you not to flag it as insecure; I'm not sure you could really avoid that with a static parser.)
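As an added illustration (not code from this ticket or from the RIPS project), the following PHP shows the whitelist-then-eval pattern from the report next to a dispatch map that reaches the same handlers without eval. The mode names, the handler functions and the sample requests are assumed for the example; only the shape of the `$run_mode` check comes from the report.

```php
<?php
// Added example, not from the ticket or the RIPS project.
// Mode names, handler functions and sample requests are assumed.
declare(strict_types=1);

function setup_mode(): string  { return 'setup'; }
function verify_mode(): string { return 'verify'; }
function no_mode(): string     { return 'no'; }

$known = ['openid_modes' => ['setup', 'verify']];

// Pattern from the report: whitelist the request value, then eval a function
// name built from it. Correct at runtime, but a static analyzer only sees
// request data flowing into eval and cannot know what $known will hold.
// in_array() is called with strict=true so that only an exact string match
// passes; loose comparison would also accept loosely-equal values.
function run_mode_with_eval(array $request, array $known): string
{
    $run_mode = (isset($request['openid_mode'])
        && in_array($request['openid_mode'], $known['openid_modes'], true))
        ? $request['openid_mode']
        : 'no';
    return eval('return ' . $run_mode . '_mode();');
}

// Same behaviour without eval: the request value selects a key in a fixed map
// of callables. Nothing from the request reaches the interpreter, so there is
// no eval sink left for an analyzer to report.
function run_mode_with_map(array $request): string
{
    $handlers = [
        'setup'  => 'setup_mode',
        'verify' => 'verify_mode',
    ];
    $mode = $request['openid_mode'] ?? '';
    // Request parameters may arrive as arrays; only exact string keys match.
    if (!is_string($mode) || !isset($handlers[$mode])) {
        return no_mode();
    }
    return $handlers[$mode]();
}

// Constructed sample requests: a known mode, an unknown mode, and no mode.
$samples = [['openid_mode' => 'verify'], ['openid_mode' => 'not_a_mode'], []];
foreach ($samples as $req) {
    echo run_mode_with_eval($req, $known), ' ', run_mode_with_map($req), PHP_EOL;
}
```

Both functions print the same result for each sample request; the difference is that only the first contains an eval sink fed (indirectly) by request data, which is what a taint-tracking static analyzer has to report without knowing the array contents.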

Discussion

  • Johannes Dahse

    Johannes Dahse - 2010-05-25

    Thank you for your feedback. As you assumed, for a static parser it's not possible to determine if a value is in an array or not, because the array can change at runtime.
    But I'll try to fix the problem with displaying statements that include multiple lines. Thanks for pointing it out!

  • Johannes Dahse

    Johannes Dahse - 2012-01-07

    Fixed in RIPS 0.50.

  • Johannes Dahse

    Johannes Dahse - 2012-01-07
    • status: open --> closed
  • Johannes Dahse

    Johannes Dahse - 2012-03-20
    • status: closed --> closed-fixed
