Comment: minor edits

...

This noncompliant code example uses an if statement without braces to authenticate the user.

Code Block (noncompliant)
int login;

if (invalid_login())
  login = 0;
else
  login = 1;

A developer might add a debugging statement to authenticate the user but forget to add opening and closing braces.

Code Block (noncompliant)
int login;

if (invalid_login())
  login = 0;
else
  System.out.println("Login is valid\n");  // debugging line added here
  login = 1;                               // this line always gets executed, regardless of a valid login!

The code indentation disguises the functionality of the program, potentially leading to a security breach.

...

This noncompliant code example nests an if statement within another if statement without braces around the if and else bodies.

Code Block (noncompliant)
int privileges;

if (invalid_login())
  if (allow_guests())
    privileges = GUEST;
else
  privileges = ADMINISTRATOR;

The indentation might lead the programmer to believe that a user is given administrator privileges only when the user's login is valid. However, the else statement actually attaches to the inner if statement:

Code Block (noncompliant, as the compiler reads it)
int privileges;

if (invalid_login())
  if (allow_guests())
    privileges = GUEST;
  else
    privileges = ADMINISTRATOR;

This is a security vulnerability, because unauthorized users with invalid logins can still obtain administrator privileges.
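The following is an added example, not code from the CERT page: it puts both pitfalls above (the stray "debugging line" that leaves the else body, and the dangling else that binds to the inner if) next to their braced forms, and drives them with constructed inputs so the wrong results are visible. The method names, the boolean parameters that stand in for invalid_login() and allow_guests(), and the NONE/GUEST/ADMINISTRATOR values are assumptions made for the demonstration. javac accepts all four methods without complaint; indentation carries no meaning to the compiler.

```java
// Added example (not from the CERT page). Helper names, parameters and the
// privilege constants are assumptions chosen for this demonstration.
public class BraceDemo {
    static final int NONE = 0;
    static final int GUEST = 1;
    static final int ADMINISTRATOR = 2;

    // First pitfall, as written on the page: without braces the else body is
    // only the println, so "login = 1" runs on every path.
    static int loginFlagNoBraces(boolean invalidLogin) {
        int login;
        if (invalidLogin)
            login = 0;
        else
            System.out.println("Login is valid");  // debugging line added here
            login = 1;                             // not part of the else; always executes
        return login;
    }

    // Same logic with braces: the debugging line and the assignment share one branch.
    static int loginFlagBraced(boolean invalidLogin) {
        int login;
        if (invalidLogin) {
            login = 0;
        } else {
            System.out.println("Login is valid");
            login = 1;
        }
        return login;
    }

    // Second pitfall: the else binds to the nearest unbraced if (the inner one),
    // so an invalid login with guests disallowed falls into the ADMINISTRATOR branch.
    static int privilegesNoBraces(boolean invalidLogin, boolean allowGuests) {
        int privileges = NONE;
        if (invalidLogin)
            if (allowGuests)
                privileges = GUEST;
        else
            privileges = ADMINISTRATOR;
        return privileges;
    }

    // Same logic with braces: the else now belongs to the outer if as intended.
    static int privilegesBraced(boolean invalidLogin, boolean allowGuests) {
        int privileges = NONE;
        if (invalidLogin) {
            if (allowGuests) {
                privileges = GUEST;
            }
        } else {
            privileges = ADMINISTRATOR;
        }
        return privileges;
    }

    public static void main(String[] args) {
        // Constructed inputs: an invalid login, with guest access disabled.
        boolean invalidLogin = true;
        boolean allowGuests = false;

        System.out.println("login flag, no braces : " + loginFlagNoBraces(invalidLogin));
        System.out.println("login flag, braced    : " + loginFlagBraced(invalidLogin));
        System.out.println("privileges, no braces : " + privilegesNoBraces(invalidLogin, allowGuests));
        System.out.println("privileges, braced    : " + privilegesBraced(invalidLogin, allowGuests));
    }
}
```

With these inputs the unbraced methods report the login as valid (flag 1) and grant ADMINISTRATOR (2), while the braced methods return 0 and NONE. Because the compiler cannot catch either shape, the practical control is a style rule enforced in the build, for example Checkstyle's NeedBraces check, which rejects brace-less if, else, for and while bodies before code review has to rely on reading indentation.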

...