Will It Vibe logoWill It Vibe?
PHP-009Medium severity-8 points

assert() called with a string argument

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

Before PHP 8, assert() evaluates a string argument as PHP code (the same class of risk as eval), so assert("$input == 1") can execute attacker-controlled code if $input ever reaches it. PHP 8 removed the eval-string behavior, but plenty of code still runs on 7.x, and the call site itself is a red flag regardless of version.

Why it matters

Before PHP 8.0, assert() evaluates a string argument as PHP code, exactly like eval(). assert("$input == 1") runs $input as code if it ever contains anything else, the same code-execution risk as eval() dressed up as a validation check. PHP 8 removed that behavior, but the call site still suggests the codebase may depend on it or may run on an older PHP version somewhere.

How to fix it

Replace the string assertion with a real boolean expression, and ideally replace assert() entirely with explicit validation and a thrown exception, since assert() is commonly stripped from production via the zend.assertions setting and should never be relied on for real validation.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks