Will It Vibe logoWill It Vibe?
PHP-010Medium severity-8 points

parse_str() called without the result-array argument

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

parse_str() with only one argument populates variables in the current scope by name, the same scope-pollution risk as extract(). It is especially dangerous when the string comes from $_SERVER['QUERY_STRING'] or other request data, but the single-argument form is unsafe regardless of source. Pass a second by-reference array argument to capture the result instead.

Why it matters

parse_str() with only one argument parses the string and creates a variable in the current scope for every key it finds, the same scope-pollution risk as extract(). If the string comes from the request, a common source is $_SERVER['QUERY_STRING'], the request can define or overwrite variables the rest of the function did not expect to be attacker-controlled.

How to fix it

Always pass the second, by-reference array argument: parse_str($queryString, $result);, then read values from $result explicitly. This keeps the parsed data in its own array instead of splattering it into the current scope.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks