False positive php:S1854 when using prepared SQL statements

Goues · November 27, 2022, 10:53am

Hey, I’m using SonarLint in VSCode and I have a false positive for php:S1854 when using a PDO prepared statement with variable reassigning. Here is an example code:

$results = [];
$variable = null;
$statement->bind_param('s', $variable);
foreach ($list as $item) {
    $variable = $item;
    $statement->execute();
    $results[$item] = $statement->get_result()->fetch_all(MYSQLI_ASSOC);
}

When binding a parameter to a statement, it uses references, meaning that when I reassign the variable and execute the statement again, it fetches new data for that item. This is not a useless assignment, so it’s a false positive.

Detecting this is in fact correct may be hard and also using raw statements in a PHP application is not the most common approach I guess, but it still is a false positive, so I wanted to report it.

Thanks

Nils_Werner · November 29, 2022, 8:00am

Hi @Goues,

Welcome to the community.
I’m not able to reproduce an S1854 DeadStore issue with your code snippet. Can you provide a reproducer and explain in which line you do not expect an issue?

Best,
Nils

Topic		Replies	Views
False-positive s1854 Report False-positive / False-negative... csharp , visualstudio , sonarqube-ide , sonarqube-cloud	5	490	April 24, 2023
False positive for php:S125 - commented out code Report False-positive / False-negative... php , vscode , sonarqube-ide	5	1060	December 1, 2020
False positive (S2695) on prepareStatement Report False-positive / False-negative... java , sonarqube	6	2604	January 21, 2022
False positive for "Local variables should not be declared and then immediately returned or thrown (php:S1488)"? Report False-positive / False-negative... php , sonarqube-ide	6	962	April 19, 2021
False positive on rule csharpsquid:S1854 Report False-positive / False-negative...	1	531	October 27, 2022

False positive php:S1854 when using prepared SQL statements

Related topics