scanner/modules/scanner_variables.php

<?php
class VariableModule extends ScannerModule {
	private $assigned_variables = array();
	private $captured = array();
	
	function VariableModule() {
		$this->ScannerModule();
	}
	function parserCallback( $object ) {
		$pattern = '/\$[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/';
		$matches = array();
		$variable = preg_match($pattern, $object['name'], $matches) > 0 ? $matches[0] : false;
		$scope = "{$object['in_class']}::{$object['in_function']}";
		if (!isset($this->assigned_variables[$scope] ) )
			$this->assigned_variables[$scope] = array();
		if ($object['type'] == PHPPARSER_ASSIGNMENT) {
			list($var, $value) = explode('=', $object['name']);
			if ($variable == $var) {
				// Regular variable assignment
				//$this->fault($object, 0, "Assignment: {$object['name']}");
				$this->assigned_variables[$scope][] = $var;
			} else {
				// Array index assignment
				//$this->fault($object, 0, "Array index assignment: [{$variable}] {$object['name']}");
				if (
					!in_array($variable, $this->assigned_variables[$scope])
					&& (empty($object['in_class']) && $variable == '$this')
				) {
					$this->fault($object, FAULT_MINOR, "Array key assignment on previously undefined variable: $var");
				}
				$this->assigned_variables[$scope][] = $variable;
			}
		}
		if (
			$object['type'] == PHPPARSER_VARIABLE
			// Cannot yet accurately scan the global scope, so functions only
			&& !empty($object['in_function'])
			&& !in_array($variable, $this->assigned_variables[$scope])
			&& !in_array($variable, array(
				// Superglobals are exempt, obviously
				'$GLOBALS', '$_SERVER', '$_GET', '$_POST', '$_FILES', '$_COOKIE', '$_SESSION', '$_REQUEST', '$_ENV'
			))
			&& (empty($object['in_class']) && $variable == '$this')
		) {
			$this->fault($object, FAULT_MEDIUM, "Undefined Variable: $variable");
		}
	}
}

addModule( new VariableModule() );
?>