[nycphp-talk] Any PHP Analysis Tools?

Jon Baer jonbaer at jonbaer.com
Fri Apr 28 14:01:27 EDT 2006


You could try RATS ...

http://www.securesoftware.com/resources/download_rats.html

Below is a quick sample output ... basically there is a
/usr/local/share/rats-php.xml file which lists a bunch of vulnerabilities.  I
believe the app was mainly conceived for C which you can tell by the
# of entries it has.  This app needs a Chris Shiflett to pump a few
hundred entries into that XML file :-)

iMac-G5:~/Work/rats-2.1 jonbaer$ ./rats ./test.php
Entries in perl database: 33
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
Analyzing ./test.php
./test.php:3: High: mail
Arguments 1, 2, 4 and 5 of this function may be passed to an external  
program. (Usually sendmail). Under Windows, they will be passed to a  
remote email server. If these values are derived from user input,  
make sure they are properly formatted and contain no unexpected  
characters or extra data.

Total lines analyzed: 10
Total time 0.004717 seconds
2119 lines per second
iMac-G5:~/Work/rats-2.1 jonbaer$

- Jon

On Apr 28, 2006, at 10:27 AM, Keith Casey wrote:

> I just got a steaming pile of PHP dropped in my lap which - as far as
> I can tell - has no classes, 100+ functions, lots of globals, nothing
> resembling security and/or input filtering, a rather large user base,
> and a hitlist of new requirements/requests.  Help!
>
> Alright, got that out of the way...
>
> Now I'm trying to do some analysis to figure out which functions and
> variables are/aren't being used, the general flow of the code, and
> some basic metrics.  Something like PMD or Perl::Critic (I think)
> would be the ideal, but now I'd just be happy with something beyond my
> mediocre grepping skills.
>
> I've dug around and found this -
> http://dev.eclipse.org/newslists/news.eclipse.tools.php/msg00038.html
> - which doesn't bode well, but I thought maybe someone around here
> would know some more...  ideas?
>
> --
> Keith Casey
> CEO, http://CaseySoftware.com
>
> 2006 DC PHP Conference Details: http://dcphpconference.com/
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
> New York PHP Conference and Expo 2006
> http://www.nyphpcon.com
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
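To show the kind of check RATS is performing in the output above, here is a small lexical scanner in Python. This is an added example written for this page, not RATS's source and not code from either poster: it masks comments and string literals, then flags bare calls to a table of PHP sink functions and any include/require whose path contains a variable, printing findings in the same "file:line: Severity: function" shape RATS prints. The sink table, severities, advice strings and the test.php sample are all constructed for this example.

```python
"""Minimal RATS-style lexical scanner for PHP (constructed example, not RATS)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sink table in the spirit of one rats-php.xml entry per function:
# name -> (severity, advice).  Names, severities and text are this example's own.
SHELL_NOTE = "shell command execution; pass every argument through escapeshellarg()"
SINKS = {
    "mail": ("High", "arguments may be handed to sendmail or an SMTP server; "
                     "reject CR/LF in any user-supplied header value"),
    "exec": ("High", SHELL_NOTE),
    "system": ("High", SHELL_NOTE),
    "passthru": ("High", SHELL_NOTE),
    "shell_exec": ("High", SHELL_NOTE),
    "popen": ("High", SHELL_NOTE),
    "eval": ("High", "executes a string as PHP code"),
    "unserialize": ("Medium", "object injection if the serialized data is attacker-controlled"),
}
INCLUDES = ("include_once", "include", "require_once", "require")
INCLUDE_NOTE = ("file inclusion with a variable path; an attacker-controlled "
                "value can pull in arbitrary local or remote files")


@dataclass
class Finding:
    path: str
    line: int
    severity: str
    func: str
    note: str


# Comments and string literals, so that 'mail(' inside a string or a comment
# does not produce a finding.
_MASK_RE = re.compile(
    r"""/\*.*?\*/              # block comment
      | (?://|\#)[^\n]*        # line comment
      | '(?:\\.|[^'\\])*'      # single-quoted string
      | "(?:\\.|[^"\\])*"      # double-quoted string
    """,
    re.S | re.X,
)
# A bare function call: not preceded by $ (variable), -> (method) or :: (static).
_CALL_RE = re.compile(
    r"(?<![\w$>:])(" + "|".join(map(re.escape, SINKS)) + r")\s*\(", re.I)
# include/require whose statement contains a variable before the semicolon.
_INC_RE = re.compile(
    r"(?<![\w$>:])(" + "|".join(INCLUDES) + r")\b[^;\n]*\$", re.I)


def mask(src: str) -> str:
    """Blank comments and string contents but keep every newline, so offsets
    in the masked text map to the same line numbers as the original."""
    return _MASK_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def scan(path: str, src: str) -> list[Finding]:
    masked = mask(src)
    found = []
    for rx in (_CALL_RE, _INC_RE):
        for m in rx.finditer(masked):
            name = m.group(1).lower()
            line = masked.count("\n", 0, m.start()) + 1
            sev, note = SINKS.get(name, ("Medium", INCLUDE_NOTE))
            found.append(Finding(path, line, sev, name, note))
    return sorted(found, key=lambda f: (f.line, f.func))


def report(findings: list[Finding]) -> str:
    """Render findings in the file:line: Severity: function shape RATS prints."""
    out = []
    for f in findings:
        out.append(f"{f.path}:{f.line}: {f.severity}: {f.func}")
        out.append(f"  {f.note}")
    return "\n".join(out)


# Constructed test.php: a few real sinks plus the look-alikes a naive grep would hit.
SAMPLE_PHP = r"""<?php
// constructed sample for the scanner above
$to = $_POST['email'];
mail($to, "Welcome", "Hi", "From: noreply@example.com");
$page = $_GET['page'];
include $page . '.php';
$out = system('ls ' . $_GET['dir']);
$obj->mail();
$mail = "exec('rm -rf /') inside a string literal";
/* system("inside a comment"); */
echo htmlspecialchars($mail);
"""

if __name__ == "__main__":
    print(report(scan("./test.php", SAMPLE_PHP)))
```

Run stand-alone it reports mail() on line 4, include on line 6 and system() on line 7, and nothing for the method call, the variable named $mail, or the sinks that appear only inside a string or a comment. The caveat is the same one RATS's own message carries: this is pattern matching, not data-flow analysis. Every mail() is flagged whether or not its arguments come from $_POST, so each finding still has to be confirmed by reading where the values originate, and a sink reached through a variable function name or call_user_func() is missed entirely.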



