
assert() — Code Execution Risk

Tags: php · CWE-95 · OWASP A3:2021 · CVSS 9.8 · PHP 5.0+ · Intermediate
debt(d7/e3/b3/t7)
d7 Detectability (operational debt: how invisible misuse is to your safety net)

Closest to 'only careful code review or runtime testing' (d7). PHPStan (per the detection hints) can flag some misuse, but an assert() that is disabled in production, or that is used for security validation, is largely invisible to default tooling: its runtime behaviour depends on the zend.assertions ini setting rather than on anything visible in the source.

e3 Effort (remediation debt: work required to fix once spotted)

Closest to 'simple parameterised fix' (e3). Per the quick fix and common mistakes: replace assert() used for validation with explicit if/throw guards, or swap string-expression assert() for the callable form. This is pattern replacement across the affected call sites, not an architectural change.

b3 Burden (structural debt: long-term weight of choosing wrong)

Closest to 'localised tax' (b3). assert() usage is typically scattered defensive checks; it applies to web and cli code but does not shape system architecture. It is a local idiom choice rather than load-bearing infrastructure.

t7 Trap (cognitive debt: how counter-intuitive correct behaviour is)

Closest to 'serious trap' (t7). Per the misconception below: PHP's assert() contradicts assertion semantics in other languages. It historically evaluated string arguments as code (an RCE sink), it can be globally disabled via an ini setting, and it behaves unlike Python/Java/C assert. A developer's reasonable cross-language intuition is wrong here.


Also Known As

  • assert()
  • PHP assert
  • runtime assertion

TL;DR

In PHP versions before 8.0, passing a string to assert() causes PHP to evaluate it as code, which is equivalent to eval() when the argument is user-controlled.

Explanation

In PHP < 8, assert() accepts a string argument and evaluates it as PHP code, making it functionally equivalent to eval() when called with user input. Even in PHP 8, where assert() no longer evaluates strings by default, legacy codebases and misconfigured environments remain vulnerable. Never pass user-controlled strings to assert(); use strict_types and proper exception-based error handling instead. In production, disable assertions via the INI settings (assert.active=0; on PHP 7+ zend.assertions=-1 compiles them out entirely).

Common Misconception

That assert() in PHP is equivalent to assertions in other languages. In fact, PHP's assert() evaluates a string argument as PHP code in older versions, which is a security risk if user input reaches it. In PHP 8, string assertions are deprecated; use if/throw guards or a proper testing framework instead.

Why It Matters

PHP's assert() has context-dependent behaviour that makes it dangerous for security validation — in older PHP it evaluated string arguments as code, and it can be disabled entirely in production php.ini.

Common Mistakes

  • Using assert() for input validation or security checks — it can be disabled with zend.assertions = -1.
  • Passing string expressions to assert() in PHP 7 — deprecated and removed in PHP 8, but was RCE in older versions.
  • Relying on assert() for unit test assertions instead of a proper testing framework.
  • Not using assert() at all for legitimate defensive programming — it is appropriate for verifying invariants during development.
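The following is an added example, not code from the CodeClarityLab entry. It puts the first and last of the mistakes above side by side: assert() misused as input validation (which silently disappears when assertions are compiled out) against an explicit guard, plus a legitimate development-time invariant check. UserIdValidator and transfer() are hypothetical names chosen for the illustration; the script requires PHP 8.0+ (match expression, assert.exception=1 by default).

```php
<?php
declare(strict_types=1);

// Added example (not code from the CodeClarityLab entry). Contrasts assert()
// misused as input validation with an explicit guard, and shows a legitimate
// development-time invariant check. UserIdValidator and transfer() are
// hypothetical names chosen for this illustration.

final class UserIdValidator
{
    // WRONG: with zend.assertions=-1 (the usual production setting) this
    // check is compiled away and every input is accepted. On PHP < 8 a
    // string argument would additionally have been evaluated as code.
    public static function withAssert(string $raw): int
    {
        assert(ctype_digit($raw), 'user id must be numeric');
        return (int) $raw;
    }

    // RIGHT: an explicit guard that runs regardless of ini settings.
    public static function withGuard(string $raw): int
    {
        if ($raw === '' || !ctype_digit($raw) || strlen($raw) > 18) {
            throw new InvalidArgumentException('user id must be a positive integer');
        }
        return (int) $raw;
    }
}

// Legitimate use: an internal invariant checked while developing. The
// argument is a boolean expression, never a string, so nothing is ever
// evaluated as code; with zend.assertions=-1 the call costs nothing.
function transfer(int $balance, int $amount): int
{
    assert($amount >= 0, 'callers pass non-negative amounts');
    return $balance - $amount;
}

// Demonstration with constructed inputs. Run twice to compare:
//   php -d zend.assertions=1  example.php   (assertions active)
//   php -d zend.assertions=-1 example.php   (assertions compiled out)
$mode = match ((int) ini_get('zend.assertions')) {
    1       => 'active',
    0       => 'compiled in but not executed',
    default => 'compiled out',
};
printf("zend.assertions=%s (assertions %s)\n", ini_get('zend.assertions'), $mode);

foreach (['42', '42abc', ''] as $input) {
    $shown = var_export($input, true);
    try {
        // assert.exception=1 (PHP 8 default) turns a failed assert into an AssertionError
        printf("withAssert(%-8s) -> %d\n", $shown, UserIdValidator::withAssert($input));
    } catch (AssertionError $e) {
        printf("withAssert(%-8s) -> AssertionError: %s\n", $shown, $e->getMessage());
    }
    try {
        printf("withGuard(%-8s)  -> %d\n", $shown, UserIdValidator::withGuard($input));
    } catch (InvalidArgumentException $e) {
        printf("withGuard(%-8s)  -> rejected: %s\n", $shown, $e->getMessage());
    }
}

printf("transfer(100, 30) -> %d\n", transfer(100, 30));
```

With zend.assertions=1 the '42abc' and '' inputs make withAssert() throw an AssertionError; with zend.assertions=-1 the same inputs are accepted and cast to 42 and 0, while withGuard() rejects them in both runs. That difference is the whole point: a check whose presence depends on php.ini is not a security control.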

Code Examples

✗ Vulnerable
assert($_GET['test']); // PHP < 8 evaluates the user-supplied string as PHP code
✓ Fixed
// Use proper conditionals or throw exceptions; never pass user data to assert()
if (!isset($_GET['test']) || !ctype_alnum($_GET['test'])) { throw new InvalidArgumentException('invalid test parameter'); }
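Finding call sites like the vulnerable line above in an existing codebase is mostly a grep problem, but a token-based pass is more precise than a regex. The following is an added triage script, not part of the CodeClarityLab entry and not a PHPStan rule: it walks token_get_all() output and reports every assert() whose first argument is a string literal, an interpolated string, or a user-controlled superglobal. findRiskyAsserts() is a hypothetical name; the sample source is constructed for the demonstration and the script requires PHP 8.0+.

```php
<?php
declare(strict_types=1);

// Added example (not from the CodeClarityLab entry and not a PHPStan rule):
// a small token-based triage scanner that lists assert() calls whose first
// argument is a string literal, an interpolated string, or a user-controlled
// superglobal. findRiskyAsserts() is a hypothetical name. Requires PHP 8.0+.

function findRiskyAsserts(string $source): array
{
    $userInput = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE'];
    $tokens = token_get_all($source);
    $count = count($tokens);
    $findings = [];

    // Advance past whitespace and comments starting at $i; return the index.
    $skip = static function (int $i) use ($tokens, $count): int {
        while ($i < $count && is_array($tokens[$i])
            && in_array($tokens[$i][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            $i++;
        }
        return $i;
    };

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        // Match both assert( and \assert(
        if (!is_array($tok)
            || !in_array($tok[0], [T_STRING, T_NAME_FULLY_QUALIFIED], true)
            || strtolower(ltrim($tok[1], '\\')) !== 'assert') {
            continue;
        }
        $line = $tok[2];
        $open = $skip($i + 1);
        if ($open >= $count || $tokens[$open] !== '(') {
            continue; // identifier, not a call
        }
        $arg = $skip($open + 1);
        if ($arg >= $count) {
            continue;
        }
        $first = $tokens[$arg];
        $reason = match (true) {
            $first === '"' => 'interpolated string',
            is_array($first) && $first[0] === T_CONSTANT_ENCAPSED_STRING
                => 'string literal (evaluated as code on PHP < 8)',
            is_array($first) && $first[0] === T_VARIABLE && in_array($first[1], $userInput, true)
                => 'user-controlled superglobal',
            default => null,
        };
        if ($reason !== null) {
            $text = is_array($first) ? $first[1] : $first;
            $findings[] = sprintf('line %d: assert(%s ...): %s', $line, $text, $reason);
        }
    }
    return $findings;
}

// Constructed sample source; line 2 mirrors the vulnerable example above,
// line 5 is a boolean expression and must not be reported.
$sample = <<<'PHP'
<?php
assert($_GET['test']);
assert('is_int($x)');
assert("count(\$items) > $min");
assert(count($items) > 0, 'items must not be empty');
PHP;

foreach (findRiskyAsserts($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

The scanner only looks at the first token of the first argument, so a string built in a variable and passed later (`$expr = '...'; assert($expr);`) is not reported; treat its output as a starting list for review, and keep PHPStan (or a similar analyser) as the systematic check.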

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL: Tools & Severity

Severity: Low · Fix effort: Low

Quick Fix
Use assert() with a callback message in development to document and enforce invariants; disable it in production with zend.assertions=-1 for zero overhead.

Applies To
PHP 5.0+ · web · cli

Prerequisites

Detection Hints
Invariants documented in comments but not enforced in code; assert() not used for developer-facing invariant checking.
Auto-detectable: No. Tool: phpstan

Related Problems
CWE-617

AI Agent
Confidence: Medium · False positives: Medium · Manual fix · Fix: Medium · Context: Function · Tests: Update
