parse_str() called without the result-array argument
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
parse_str() with only one argument populates variables in the current scope by name, the same scope-pollution risk as extract(). It is especially dangerous when the string comes from $_SERVER['QUERY_STRING'] or other request data, but the single-argument form is unsafe regardless of source. Pass a second by-reference array argument to capture the result instead.
Why it matters
parse_str() with only one argument parses the string and creates a variable in the current scope for every key it finds, the same scope-pollution risk as extract(). If the string comes from the request, a common source is $_SERVER['QUERY_STRING'], the request can define or overwrite variables the rest of the function did not expect to be attacker-controlled.
How to fix it
Always pass the second, by-reference array argument: parse_str($queryString, $result);, then read values from $result explicitly. This keeps the parsed data in its own array instead of splattering it into the current scope.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo