Use opening and closing braces for if, for, and while statements even when the body contains only a single statement. Braces improve the uniformity and readability of code.
More important, when inserting an additional statement into a body containing only a single statement, it is easy to forget to add braces because the conventional indentation gives strong (but misleading) guidance to the structure.
...
This noncompliant code example authenticates a user with an if statement that lacks braces:
```java
int login;
if (invalid_login())
  login = 0;
else
  login = 1;
```
This program behaves as expected. However, a maintainer might subsequently add a debug statement or other logic but forget to add opening and closing braces:
```java
int login;
if (invalid_login())
  login = 0;
else
  // Debug line added below
  System.out.println("Login is valid\n");
  // The next line is always executed
  login = 1;
```
The code's indentation disguises the functionality of the program, potentially leading to a security breach.
Compliant Solution
This compliant solution uses opening and closing braces even though the if and else bodies of the if statement are single statements:
```java
int login;
if (invalid_login()) {
  login = 0;
} else {
  login = 1;
}
```
...
This noncompliant code example nests an if statement within another if statement, without braces around the if and else bodies:
```java
int privileges;
if (invalid_login())
  if (allow_guests())
    privileges = GUEST;
else
  privileges = ADMINISTRATOR;
```
The indentation might lead the programmer to believe that users are granted administrator privileges only when their login is valid. However, the else statement actually binds to the inner if statement:
```java
int privileges;
if (invalid_login())
  if (allow_guests())
    privileges = GUEST;
  else
    privileges = ADMINISTRATOR;
```
Consequently, this defect allows unauthorized users to obtain administrator privileges.
Compliant Solution
This compliant solution uses braces to remove the ambiguity, consequently ensuring that privileges are correctly assigned:
```java
int privileges;
if (invalid_login()) {
  if (allow_guests()) {
    privileges = GUEST;
  }
} else {
  privileges = ADMINISTRATOR;
}
```
Risk Assessment
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP05-J | medium | probable | medium | P8 | L2 |
Related Guidelines
CERT C Secure Coding Standard: EXP19-C. Use braces for the body of an if, for, or while statement
Applicability
Failure to enclose the bodies of if, for, or while statements in braces makes code error prone and increases maintenance costs.
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
Parasoft Jtest | | CERT.EXP52.BLK | Provide a '{}' block for conditional statements |
PVS-Studio | | V6089 | |
SonarQube | | | |
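To show what a check of this kind looks for, here is an added example (not code from this page or from any of the tools listed) that scans Java source text for if, for, while, and else bodies that are not blocks. The names `find_unbraced` and `NONCOMPLIANT` are introduced here for illustration, and the scan is lexical rather than a real Java parse, so treat it as a heuristic.

```python
import re

KEYWORD = re.compile(r"\b(if|for|while|else)\b")
WS = re.compile(r"\s*")
# Comments and string/char literals, blanked out so keywords inside them are ignored.
NOISE = re.compile(
    r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)

# The page's nested-if example, indented the misleading way (sample input).
NONCOMPLIANT = """\
int privileges;
if (invalid_login())
  if (allow_guests())
    privileges = GUEST;
else
  privileges = ADMINISTRATOR;
"""


def _past_parens(src, i):
    """Return the index just past the ')' that closes the '(' at src[i]."""
    depth = 0
    while i < len(src):
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        i += 1
        if depth == 0:
            break
    return i


def find_unbraced(java_source):
    """Return (line, keyword) for every if/for/while/else body without braces."""
    # Blank the noise but keep newlines so reported line numbers stay correct.
    src = NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), java_source)
    findings = []
    for m in KEYWORD.finditer(src):
        kw, i = m.group(1), m.end()
        if kw != "else":
            i = WS.match(src, i).end()
            if i >= len(src) or src[i] != "(":
                continue  # keyword is not followed by a condition header
            i = _past_parens(src, i)
        rest = src[i:].lstrip()
        if rest.startswith("{") or (kw == "else" and re.match(r"if\b", rest)):
            continue  # braced body, or 'else if' (the inner if is checked itself)
        if kw == "while" and rest.startswith(";") \
                and src[:m.start()].rstrip().endswith("}"):
            continue  # heuristic: tail of a do { ... } while (...); loop
        findings.append((src.count("\n", 0, m.start()) + 1, kw))
    return findings
```

Calling `find_unbraced(NONCOMPLIANT)` reports the outer if, the inner if, and the else, which is the dangling-else pattern regardless of how the source is indented.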
...