[nycphp-talk] PHP Security: The Proper Choice Is to Do It Now

Vugranam Sreedhar vugranam at
Sat Feb 11 13:16:14 EST 2006

Interesting... I am also just starting to look at the possibility of
annotating PHP code to improve analyzability of PHP code... Do you have
pointers to Sara's extensions?

With regards,



Research Staff Member
TJ Watson Research Center
T/L 863-7325
Ext: 914-784-7325

From: Chris Shiflett <shiflett at >
Sent by: talk-bounces at list
Date: 02/11/2006 01:07
To: NYPHP Talk <talk at >
Please respond to: NYPHP Talk <talk at lists.nyphp >
Subject: Re: [nycphp-talk] PHP Security: The Proper Choice Is to Do It Now

Vugranam Sreedhar wrote:
> BTW, are there any code analysis or static analysis tools for
> automatically detecting security problems that you describe in
> your book?

There are penetration testing tools, and these are pretty easy to write.

Analyzing code is more challenging than it sounds, because your task
winds up being a substantial subset of what a code parser does - you
have to be able to reliably interpret code and what it does, tracking
data the entire time, and making educated guesses about potential
safeguards. There are some recent PHP extensions written by Sara Golemon
that can help, but it's still a very non-trivial task.

I do a fair number of PHP security audits, and most of my process still
revolves around a manual inspection of the code.


Chris Shiflett
Brain Bulb, The PHP Consultancy
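What "tracking data the entire time, and making educated guesses about potential safeguards" looks like in its smallest form, as an added example that is not part of the original thread and is not one of Sara Golemon's extensions or any of Chris's own tooling: a toy taint tracker, written in Python, that reads straight-line PHP source, marks anything taken from $_GET/$_POST/$_COOKIE/$_REQUEST as carrying every threat kind (SQL, HTML, shell), follows it through assignments and string concatenation, and removes only the one threat kind that a given sanitizer actually addresses. The source, sink and sanitizer tables, the "(int)" cast rule and the PHP snippet it analyzes are all constructed for this example; it deliberately ignores branches, functions, includes, objects and every dynamic feature, which is exactly where a real analyzer's work begins.

```python
# Toy taint tracker for PHP source (added example, not a real tool).
import re

ALL = frozenset({"sql", "html", "exec"})                   # threat kinds tracked
SOURCE_RE = re.compile(r"\$_(GET|POST|COOKIE|REQUEST)\b")    # attacker-controlled input
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")
SANITIZERS = {"htmlspecialchars": {"html"}, "mysql_real_escape_string": {"sql"},
              "escapeshellarg": {"exec"}, "intval": ALL}   # threat kind(s) each call removes
SINKS = {"mysql_query": "sql", "echo": "html", "system": "exec", "eval": "exec"}  # exposure

def scan(s):
    """Yield (index, char, paren depth, open quote) for each character of s.
    Toy: backslash escapes inside strings are not handled."""
    depth, quote = 0, None
    for i, c in enumerate(s):
        yield i, c, depth, quote
        if quote:
            quote = None if c == quote else quote
        elif c in "\"'":
            quote = c
        elif c in "()":
            depth += 1 if c == "(" else -1

def split_top_level(s, sep):
    """Split on sep only where it is outside parentheses and strings."""
    parts = [[]]
    for _, c, depth, quote in scan(s):
        if c == sep and depth == 0 and quote is None:
            parts.append([])
        else:
            parts[-1].append(c)
    return ["".join(p) for p in parts]

def call_parts(s):
    """Return (name, args) if s is exactly one call `name(args)`, else None."""
    m = re.match(r"^(\w+)\s*\((.*)\)$", s, re.S)
    closes_early = any(c == ")" and depth == 1 and quote is None and i < len(s) - 1
                       for i, c, depth, quote in scan(s))
    return (m.group(1).lower(), m.group(2)) if m and not closes_early else None

def expr_taint(expr, env):
    """Threat kinds that still reach the value of expr, given env's taints."""
    expr = expr.strip()
    parts = split_top_level(expr, ".")
    if len(parts) > 1:                      # concatenation: union of the pieces
        return set().union(*(expr_taint(p, env) for p in parts))
    if not expr or expr[0] == "'" or expr.startswith("(int)"):
        return set()                        # no interpolation / integer cast
    call = call_parts(expr)
    if call:                                # argument taint minus what the call sanitizes
        args = set().union(*(expr_taint(a, env) for a in split_top_level(call[1], ",")))
        return args - SANITIZERS.get(call[0], set())
    if SOURCE_RE.search(expr):
        return set(ALL)                     # request data carries every threat kind
    return set().union(*(env.get(v, set()) for v in VAR_RE.findall(expr)))

def analyze(src):
    """Return [(line, sink, threat)] for every sink call fed tainted data."""
    env, findings, cur, first = {}, [], [], None
    src = re.sub(r"//[^\n]*", "", src.replace("<?php", "     "))  # drop tag/comments, keep line count
    for i, c, depth, quote in scan(src):
        if not (c == ";" and depth == 0 and quote is None):
            first = i if first is None and not c.isspace() else first
            cur.append(c)
            continue
        line, stmt, cur, first = src.count("\n", 0, first or 0) + 1, "".join(cur).strip(), [], None
        m = re.match(r"^\$(\w+)\s*(\.=|=)(?!=)\s*(.*)$", stmt, re.S)
        if m:                               # assignment: update the variable's taint
            var, op, rhs = m.groups()
            taint = expr_taint(rhs, env)
            env[var] = env.get(var, set()) | taint if op == ".=" else taint
            stmt = rhs                      # the right-hand side may itself be a sink
        m = re.match(r"^(echo|print)\s+(.*)$", stmt, re.S)
        call = m.groups() if m else call_parts(stmt)
        if call and call[0] in SINKS:
            args = set().union(*(expr_taint(a, env) for a in split_top_level(call[1], ",")))
            if SINKS[call[0]] in args:
                findings.append((line, call[0], SINKS[call[0]]))
    return findings

# Constructed PHP snippet (not from the thread); line 1 is the <?php tag.
SAMPLE = """<?php
$id   = $_GET['id'];
$name = $_POST['name'];
$safe = htmlspecialchars($name);
$sql  = "SELECT * FROM users WHERE name = '" . mysql_real_escape_string($name) . "'";
$sql2 = "SELECT * FROM users WHERE name = '$safe'";
$r1 = mysql_query($sql);              // escaped for SQL: fine
$r2 = mysql_query($sql2);             // HTML escaping does not protect SQL
mysql_query("SELECT * FROM t WHERE id = " . $id);  // raw $_GET in SQL
echo $safe;                           // escaped for HTML: fine
echo "Hello $name";                   // raw $_POST in HTML: XSS
echo intval($_GET['n']);              // integer cast: fine
system("ls " . escapeshellarg($id));  // shell-quoted: fine
system("ls " . $id);                  // raw $_GET in a shell command
"""

if __name__ == "__main__":
    print(*analyze(SAMPLE), sep="\n")
```

Run as a script it reports lines 8, 9, 11 and 14 of the snippet. Line 8 is the interesting one: $safe has been through htmlspecialchars(), so a tool that only asks "was this sanitized?" would pass it, but the sanitizer addresses HTML output and the value ends up in mysql_query(). Keeping a set of remaining threat kinds per value, rather than a single tainted/clean bit, is what lets the tracker make that distinction; everything a real analyzer adds on top (control flow, calls, includes, variable variables, eval) is bookkeeping to keep those sets honest.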
New York PHP Community Talk Mailing List