On Sat, Mar 19, 2005 at 11:03:39PM +0100, Gerardo Di Giacomo wrote:
> Ok the script parses *include* so include_once is checked. But don't
> forget require and require_once! :)
D'oh.
Updated:
# match include/include_once/require/require_once with a parenthesised argument
if ( $line =~
/\s+(include|include_once|require|require_once)\s*\(([^)]+)\)\s*;/ )
> > mysql_query( $ .. );
>
> Not so simple, because most PHP applications use their own mysql
> classes and you can see mysql_query few times... I think that the best
> thing is to check for "SELECT .. $ .. " and "WHERE .. $ .." even if one
> SQL query can be split into multiple lines.
I've just spotted this, I guess there's a hard thing to do then. If
you match 'SELECT' then you miss the lower case version - but if you
match both there are often multiple false positives.
The other thing is that my current approach is single-line only, so
multiline SQL statements are liable to be missed - I guess if anything
this suggests real parsing is the correct approach.
> There's another common PHP bug: command execution. The best thing is to
> check common functions like:
>
> passthru $
> exec $
> shell_exec $
> popen $
> system $
> ` $
Added those too now.
> (did I forget something? :)
Less than me at least ;)
Steve
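As an added example that is not part of the original message (the script discussed in the thread is Perl; this is a separate Python rewrite written for this page), the following scanner applies the three checks the thread converges on: include/require of a variable, the command-execution functions given a variable, and SQL string literals built from an interpolated or concatenated variable. It works over the whole source rather than line by line, so multi-line statements and lower-case SQL keywords are caught. The PHP input is constructed for the example and is not from any real application; the category names and the `scan_php` function are this example's own.

```python
"""Multi-line, case-insensitive pattern audit of PHP source."""
import re

# Constructed sample input (not from a real application). It deliberately
# contains a two-line SQL statement, a lower-case "select", a concatenated
# variable and a backtick command, which a single-line case-sensitive grep
# would miss or misreport.
SAMPLE_PHP = r'''<?php
include("header.php");
include $_GET['page'] . ".php";
require_once($base . "/lib.php");
$sql = "SELECT * FROM users
        WHERE name = '$name'";
$r = mysql_query("select id from t where x = " . $_POST['x']);
$out = shell_exec("ls " . $dir);
system('ls');
$v = `cat $file`;
echo "Hello $user";
'''

# include/require with or without parentheses, up to the terminating ';'
INCLUDE_RE = re.compile(
    r'\b(include_once|include|require_once|require)\b\s*([^;]*?);',
    re.I | re.S)
# the command-execution functions listed in the thread
EXEC_RE = re.compile(
    r'\b(passthru|exec|shell_exec|popen|system)\s*\((.*?)\)\s*;',
    re.I | re.S)
# the backtick operator is also shell execution
BACKTICK_RE = re.compile(r'`([^`]*)`', re.S)
# single- or double-quoted string literals, spanning newlines
STRING_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'', re.S)
SQL_KEYWORD_RE = re.compile(r'\b(select|insert|update|delete|where)\b', re.I)
# literal immediately followed by ". $var" (concatenation of a variable)
CONCAT_VAR_RE = re.compile(r'\s*\.\s*\$')


def _line_of(source, pos):
    """1-based line number of character offset pos."""
    return source.count('\n', 0, pos) + 1


def _snippet(text):
    """First line of the match, shortened for reporting."""
    stripped = text.strip()
    return (stripped.splitlines()[0] if stripped else '')[:60]


def scan_php(source):
    """Return (line, category, snippet) tuples sorted by line number."""
    findings = []
    for m in INCLUDE_RE.finditer(source):
        if '$' in m.group(2):          # argument contains a variable
            findings.append((_line_of(source, m.start()),
                             'file-include', _snippet(m.group(0))))
    for m in EXEC_RE.finditer(source):
        if '$' in m.group(2):
            findings.append((_line_of(source, m.start()),
                             'command-exec', _snippet(m.group(0))))
    for m in BACKTICK_RE.finditer(source):
        if '$' in m.group(1):
            findings.append((_line_of(source, m.start()),
                             'command-exec', _snippet(m.group(0))))
    for m in STRING_RE.finditer(source):
        literal = m.group(0)
        if not SQL_KEYWORD_RE.search(literal):
            continue
        # "$var" only interpolates inside double quotes; either quote
        # style is suspicious when a variable is concatenated after it
        interpolated = literal[0] == '"' and '$' in literal
        concatenated = CONCAT_VAR_RE.match(source, m.end()) is not None
        if interpolated or concatenated:
            findings.append((_line_of(source, m.start()),
                             'sql-interpolation', _snippet(literal)))
    findings.sort(key=lambda f: (f[0], f[1]))
    return findings


if __name__ == '__main__':
    for line, category, snippet in scan_php(SAMPLE_PHP):
        print(f'{line:4d} {category:17s} {snippet}')
```

On the sample it reports lines 3, 4 (includes), 5 and 7 (SQL), 8 and 10 (commands), and stays quiet on the constant `include("header.php")` and `system('ls')`. It is still pattern matching: comments and heredocs are not understood, a variable that was validated earlier is flagged all the same, and an obfuscated include or a query assembled across several assignments is missed, which is the point made in the thread that real parsing is the correct approach.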