I'm trying to perform an audit on a PHP script and am curious what kind
of software there already exists to do such things.
I think the ideal solution would be something that, for each variable,
provided a list of the functions that variable was passed through. E.g.:
$a = someFunction($_GET['var']);
echo $a;
function someFunction($b) {
return htmlspecialchars($b);
}
Here, $_GET['var'] passes through someFunction and htmlspecialchars
before getting passed to echo (which I suppose isn't technically a
function, but rather, a language construct).
if statements could kinda confound this, but it seems like presenting
the data in an appropriate fashion could mitigate that.
Anyway, any ideas?