{
    "slug": "assert_function",
    "term": "assert() — Code Execution Risk",
    "category": "php",
    "difficulty": "intermediate",
    "short": "Passing a string to assert() causes PHP to evaluate it as code, equivalent to eval() if the argument is user-controlled.",
    "long": "In PHP < 8, assert() accepts a string argument and evaluates it as PHP code — making it functionally equivalent to eval() when called with user input. Even though PHP 8 no longer evaluates string arguments, legacy codebases and environments still running on older PHP versions remain exposed. Never pass user-controlled strings to assert(); use strict_types and proper exception-based error handling for validation instead. In production, disable assertions via the assert.active=0 INI setting or zend.assertions=-1.",
    "aliases": [
        "assert()",
        "PHP assert",
        "runtime assertion"
    ],
    "tags": [
        "php",
        "debugging",
        "testing"
    ],
    "misconception": "assert() in PHP is equivalent to assertions in other languages. In reality, older PHP versions evaluate a string passed to assert() as PHP code, which is a security risk if user input reaches it. String assertions were deprecated in PHP 7 and removed in PHP 8 — use if/throw guards or a proper testing framework instead.",
    "why_it_matters": "PHP's assert() has version- and configuration-dependent behaviour that makes it unsuitable for security validation — older PHP versions evaluated string arguments as code, and assertions can be disabled entirely in a production php.ini, so a check written with assert() may never run.",
    "common_mistakes": [
        "Using assert() for input validation or security checks — assertions can be disabled with zend.assertions = -1, so the check silently disappears in production.",
        "Passing string expressions to assert() in PHP 7 — deprecated in PHP 7 and removed in PHP 8, but in older versions it was RCE whenever the string came from user input.",
        "Relying on assert() for unit test assertions instead of a proper testing framework.",
        "Not using assert() at all for legitimate defensive programming — it is appropriate for verifying invariants during development."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "eval_injection",
        "extract_function"
    ],
    "prerequisites": [
        "defensive_programming",
        "design_by_contract",
        "php_error_levels"
    ],
    "refs": [
        "https://www.php.net/manual/en/function.assert.php",
        "https://www.php.net/manual/en/ini.core.php#ini.assert.active"
    ],
    "bad_code": "assert($_GET['test']); // evaluates user input as PHP code in PHP < 8",
    "good_code": "// Use proper conditionals or throw exceptions; never pass user data to assert()",
    "quick_fix": "Use assert() with a descriptive message in development to document and enforce invariants — disable assertions in production with zend.assertions=-1 for zero overhead",
    "severity": "low",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/assert_function",
        "html_url": "https://codeclaritylab.com/glossary/assert_function",
        "json_url": "https://codeclaritylab.com/glossary/assert_function.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[assert() — Code Execution Risk](https://codeclaritylab.com/glossary/assert_function) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/assert_function"
            }
        }
    }
}