False positive php:S1854 when using prepared SQL statements

Hey, I’m using SonarLint in VSCode and I have a false positive for php:S1854 when using a PDO prepared statement with variable reassigning. Here is an example code:

$results = [];
$variable = null;
$statement->bind_param('s', $variable);
foreach ($list as $item) {
    $variable = $item;
    $results[$item] = $statement->get_result()->fetch_all(MYSQLI_ASSOC);

When binding a parameter to a statement, it uses references, meaning that when I reassign the variable and execute the statement again, it fetches new data for that item. This is not a useless assignment, so it’s a false positive.

Detecting this is in fact correct may be hard and also using raw statements in a PHP application is not the most common approach I guess, but it still is a false positive, so I wanted to report it.


Hi @Goues,

Welcome to the community.
I’m not able to reproduce an S1854 DeadStore issue with your code snippet. Can you provide a reproducer and explain in which line you do not expect an issue?