Dobrica Pavlinušić's random unstructured stuff
PHP Security: Revision 5
Oxymoron, right? Well, for somebody who loves Perl so much, it is. Anyway, here it is...

{toc: }

^ One-liners

^^ show phpinfo from shell

.pre
echo '<?php phpinfo(); ?>' | php5
.pre

The full <?php open tag is used on purpose: the short <? form only works when short_open_tag is enabled in php.ini, so the one-liner would otherwise print the source back unchanged.

^ Security scanning

^^ Spike PHP Security Audit Tool

http://developer.spikesource.com/projects/phpsecaudit/

.pre
sudo apt-get install php5-xslt
.pre

Small list of checked expressions, quite difficult to browse.

^^ Pixy

http://pixybox.seclab.tuwien.ac.at/pixy/

Does taint analysis of PHP code (tracks untrusted input from sources like $_GET to sinks like echo or SQL queries). Doesn't handle ISO-8859-2 characters well and dies with a terrifying error, but it's a very promising tool (in Java, sigh).
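To make the taint idea concrete, here is a small example of the two source-to-sink flows a tool like Pixy is meant to report, each beside its hardened form. It's added here as an illustration, not code from the page or from Pixy; $_GET is filled in by hand so it runs from the CLI without a web server.

```php
<?php
// Added example, not from Pixy or the original page. $_GET is populated
// by hand with constructed hostile input so the script runs offline via
// `php example.php`.
$_GET['name'] = '<script>alert(1)</script>';   // constructed hostile input
$_GET['id']   = '1 OR 1=1';                    // constructed hostile input

// Tainted flow 1: XSS.
// Source: $_GET['name'] (untrusted). Sink: string echoed as HTML.
// Nothing sanitizes in between, so a taint analyser flags the sink.
function greet_vulnerable() {
    return '<p>Hello, ' . $_GET['name'] . '</p>';
}

// Hardened: htmlspecialchars() is the sanitizer for the HTML-body context,
// so the taint is removed before the value reaches the sink.
function greet_fixed() {
    return '<p>Hello, ' . htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8') . '</p>';
}

// Tainted flow 2: SQL injection.
// Source: $_GET['id']. Sink: the query string. Plain concatenation keeps the
// taint, so "1 OR 1=1" rewrites the WHERE clause.
function query_vulnerable() {
    return 'SELECT * FROM users WHERE id = ' . $_GET['id'];
}

// Hardened: the value is cast to the integer the column expects, so the
// attacker cannot change the statement's structure. For string values use
// a prepared statement with bound parameters instead of building SQL by hand.
function query_fixed() {
    $id = (int) $_GET['id'];
    return 'SELECT * FROM users WHERE id = ' . $id;
}

echo greet_vulnerable(), "\n";  // script tag passes through unchanged
echo greet_fixed(), "\n";       // angle brackets are entity-encoded
echo query_vulnerable(), "\n";  // injected OR clause survives
echo query_fixed(), "\n";       // only the leading integer survives
```

Running a taint analyser over this file should flag the two *_vulnerable() functions and stay quiet on the *_fixed() ones; if it also flags query_fixed(), the tool does not know that an integer cast removes taint, which is exactly the sort of sanitizer modelling gap worth checking before trusting a report.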

^^ phc

http://www.phpcompiler.org/

Great tool to get PHP's AST (abstract syntax tree). Used by "Plumhead"<http://www.perlfoundation.org/parrot/index.cgi?plumhead>

^ Links

{fetchrss: http://del.icio.us/rss/dpavlin/php+security full}