
Perl provides the my() and our() functions specifically for declaring variables:

However, Perl allows any variable to be referenced, even if it is not declared or initialized. If an uninitialized value is requested, Perl supplies a default undef value. Depending on the context, the undef value may be interpreted as 0, false, or an empty string.

Because Perl programs are typically not explicitly compiled before they are run, they can suffer from typographical errors in variable names. A variable whose name is typed wrongly will appear as an undeclared variable to the Perl interpreter, and will therefore contain the undef value, as opposed to the value of the intended variable.

Due to the hazard of mistyped variables, all variables should be declared before use.

Perl's -w command-line option causes a warning to be issued for any variable name that appears exactly once in the code, because a name used only once may indicate a mistyped variable name.

Noncompliant Code Example

This noncompliant code example contains a typo in its print statement.

my $result = compute_number();
print "The result is $reuslt\n";   # oops!

This causes the program to print the useless output:

The result is

and continue execution.

Compliant Solution

This compliant solution corrects the typo, causing the program to correctly print the result of compute_number().

my $result = compute_number();
print "The result is $result\n";
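As an added illustration that is not part of the CERT page, the following Perl program compiles the noncompliant snippet twice, once without and once with use strict, to show the two outcomes described above: without strict the mistyped $reuslt silently becomes undef and the useless line is printed, while under strict the typo is rejected at compile time before anything runs. compute_number() is a hypothetical stand-in that returns a constant, and try_snippet() is a helper written for this example.

```perl
#!/usr/bin/perl
# Added example (not from the CERT page): demonstrates how the mistyped
# $reuslt behaves with and without 'use strict'.
use strict;
use warnings;

# Hypothetical stand-in for the page's compute_number().
sub compute_number { return 42 }

# The noncompliant snippet from the page, kept as a string so that it can
# be compiled twice under different pragmas. q{} does not interpolate, so
# $reuslt and \n reach the compiled code untouched.
my $snippet = q{
    my $result = compute_number();
    print "The result is $reuslt\n";   # mistyped $result
};

# Compile and run the snippet with the given pragma prefix. Returns an empty
# string on success or the compile-time error text on failure. Pragmas in
# the prefix are lexical, so they apply only to the evaluated string.
sub try_snippet {
    my ($prefix) = @_;
    local $@;
    my $ok = eval "$prefix $snippet; 1";
    return $ok ? '' : $@;
}

# Without strict the snippet compiles, $reuslt is an undeclared package
# variable holding undef, and "The result is " is printed. Because
# 'use warnings' is in effect, Perl also emits
# "Use of uninitialized value $reuslt in concatenation (.) or string".
my $err = try_snippet('no strict;');
print "without strict: ", ($err ? "error: $err" : "compiled and ran\n");

# With strict, compilation fails with
# 'Global symbol "$reuslt" requires explicit package name', so the
# mistyped name never silently turns into undef.
$err = try_snippet('use strict;');
print "with strict: ", ($err ? "error: $err" : "compiled and ran\n");
```

Run it with perl on any recent Perl; the first run prints the useless output and a warning on STDERR, the second reports the compile-time error. Enabling use strict (and use warnings) at the top of every file is the mechanical way to make the rule "declare all variables before use" enforced by the interpreter rather than by the author's attention.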

Related Guidelines

CERT C Secure Coding Standard: DCL31-C. Declare identifiers before using them

Risk Assessment

Using undeclared variables can lead to incorrect results and surprising program behavior.

Recommendation   Severity   Likelihood   Remediation Cost   Priority   Level
DCL33-PL         low        probable     high               P3         L3

Automated Detection

Tool   Diagnostic
-w     Name .* used only once. possible typo

Bibliography

[Wall 2011] perldiag, perlfunc
