php code analyzer

Are there analyzers under win to detect vulnerabilities in php code?

addition: let’s not limit the scope of the search: we need any program that can help find holes in the code.


Answer 1, authority 100%

You made such a farce here, but you yourself were too lazy to get into Google.


Of the commercial versions of code analyzers that check for vulnerabilities such as XSS, SQL-Injection and less common ones, only CodeSecure.

Nevertheless, it is quite possible to create some pipeline of code analyzers based on non-commercial solutions. In an ideal vacuum, it makes sense to perform 3 levels of validation: static code verification without checking for vulnerabilities with a utility like lint, a specialized static vulnerability check, and an external check of the final site for security holes.

  • You can use phplint.

  • For the second one, I would choose something from Yasca, Pixy or phpsat.

  • In terms of the third frontier, there are very good commercial solutions like XSpider, and if you really care about security, perhaps buying a license will be justified.


Of course, code analyzers, as is the case, for example, with C++ (PVS Studio / lint), are by no means a panacea, except that they help to find stupid mistakes.

Everything, as always, is in the hands of the developer.


For an excellent discussion on the topic, see stackoverflow.com


Answer 2

ZendStudio 5.5 had a static code analyzer.

But what you are asking is somewhat unrealistic, it seems to me.

Tracking a huge bunch of objects and chains of calls (including reflection) and understanding whether the variable we want to insert into the sql query has been escaped is unrealistic.

In my opinion, this does not exist.
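To make concrete what a static PHP vulnerability checker of the Pixy kind actually does, and why the second answer's objection holds, here is an added toy taint analysis (written for this page, not code from Pixy, CodeSecure or any of the tools named above). It assumes a hypothetical, deliberately small rule set of sources (superglobals), sanitizers and sinks, follows only straight-line assignments in a single file, and runs over a constructed PHP fragment in which `$conn` is assumed to be an open mysqli connection. It flags the unescaped query and the value that was escaped for SQL but then echoed into HTML, and it silently misses the same query issued through a variable function call, which is exactly the call-chain problem described above.

```python
"""Toy source/sanitizer/sink taint analysis over PHP source, in the style that
static PHP checkers such as Pixy use.  Constructed example: it only follows
straight-line assignments in one file, which is enough to show what such a tool
catches and the blind spot (dynamic calls) that the second answer points at."""
import re

# Hypothetical, deliberately small rule set (assumption, not a real tool's list).
SOURCES = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE"}   # user-controlled input
SINKS = {"mysqli_query": "sql", "echo": "html", "print": "html"}
# Sanitizers, keyed by the sink class they neutralise; intval covers both.
SANITIZERS = {
    "sql": {"mysqli_real_escape_string", "intval"},
    "html": {"htmlspecialchars", "intval"},
}
ALL_CLASSES = set(SINKS.values())

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*(//.*)?$")
CALL_RE = re.compile(r"^\s*(\w+)\s*\((.*)\);\s*(//.*)?$")
ECHO_RE = re.compile(r"^\s*(echo|print)\s+(.+?);\s*(//.*)?$")
VAR_RE = re.compile(r"\$\w+")


def var_taint(var, env):
    """Sink classes a variable is tainted for; superglobals are always fully tainted."""
    return ALL_CLASSES if var in SOURCES else env.get(var, set())


def taint_of(expr, env):
    """Sink classes an assigned expression is still dangerous for, given the env."""
    m = re.match(r"(\w+)\s*\((.*)\)$", expr)
    fn, inner = m.groups() if m else (None, expr)
    classes = set()
    for var in VAR_RE.findall(inner):          # covers "...'$id'" interpolation too
        classes |= var_taint(var, env)
    # A sanitizer call clears only the class it is designed for; any other
    # function (strtoupper, trim, ...) conservatively keeps the taint.
    return {c for c in classes if fn not in SANITIZERS.get(c, set())}


def analyze(php_source):
    """Return (line_no, sink, variable) for every tainted value reaching a sink."""
    env = {}          # variable name -> set of sink classes it is tainted for
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = taint_of(m.group(2), env)
            continue
        m = ECHO_RE.match(line) or CALL_RE.match(line)
        if not m:
            continue      # anything else, including "$fn(...)", is invisible to us
        name, args = m.group(1), m.group(2)
        cls = SINKS.get(name)
        if cls is None:
            continue
        for var in VAR_RE.findall(args):
            if cls in var_taint(var, env):
                findings.append((no, name, var))
    return findings


# Constructed PHP fragment; $conn is assumed to be an open mysqli connection.
PHP_SAMPLE = """\
$id = $_GET['id'];
$sql = "SELECT * FROM users WHERE id = '$id'";
mysqli_query($conn, $sql);
$safe = mysqli_real_escape_string($conn, $_GET['id']);
mysqli_query($conn, "SELECT * FROM users WHERE id = '$safe'");
echo $safe;
$page = intval($_GET['page']);
mysqli_query($conn, "SELECT * FROM users LIMIT $page");
$fn = 'mysqli_query';
$fn($conn, $sql);
"""

if __name__ == "__main__":
    # Reports line 3 (SQL injection) and line 6 (SQL-escaped value echoed into
    # HTML); the dynamic call on line 10 repeats the line-3 bug and is missed.
    for no, sink, var in analyze(PHP_SAMPLE):
        print(f"line {no}: tainted {var} reaches {sink}()")
```

The miss on the last line is the point of the demonstration: once the sink is reached through a variable function, `call_user_func`, reflection or a method on an object the analyzer cannot resolve, a rule-based checker has nothing to match, so its output is a list of candidates to review, not proof of absence. This is why the first answer pairs the static check with an external scan of the running site.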