PHP tool to scan ADOdb code for SQL Injections

Overview


PHP-Reaper


Why

The main idea is to detect problems as early as possible, while the code is still fresh in your mind. Shift as many checks as possible to the left. Automate as much as possible.

Running PHP-Reaper is far less time consuming than running a full-fledged automated security scanner against your application. A web security scanner might not locate all possible SQL Injection vulnerabilities, because some code is hard to reach from the UI (or is only reached under rare conditions). PHP-Reaper is fast and pinpoints the exact line where the problem lies, scanning all of your PHP ADOdb source code.

You'll get the most out of PHP-Reaper if you run it on every commit. It's made to be CI friendly and fast.

Examples

Because of laziness, pressure or just ignorance, PHP developers using ADOdb make mistakes like these.

Vulnerable SQL query #1:

$dbConn->GetRow("SELECT * FROM users WHERE id = $user_id");

Correct SQL query #1:

$dbConn->GetRow("SELECT * FROM users WHERE id = ?", array($user_id));

Vulnerable SQL Query #2:

$ids = join(',', $ids);
$dbConn->GetAll("SELECT * FROM campaigns WHERE id IN ({$ids})");

Correct SQL query #2:

$dbConn->GetAll('SELECT * FROM campaigns WHERE FIND_IN_SET (id, ' . $dbConn->Param('') . ')', array(join(',', $ids)));

Usage

Recursively scan directory with php files:

php php-reaper -d directory_with_php_files

or scan a single file:

php php-reaper -f single_file.php

Tests

The tests are located in the tests directory. To run them, change into the tests directory and type:

phpunit .

If you extend this tool, make sure that the tests pass before submitting a pull request. Better yet, add new test files and unit tests. Look at the example files directory to see which types of SQL Injections are detected.

Continuous Integration

PHP-Reaper is CI friendly. On error it exits with a -1 status, so it's easy to hook into your CI jobs.

Exclude from warnings

You can suppress a PHP-Reaper warning if you're absolutely sure that the code does not contain a SQL Injection. Add this comment on the line above the ADOdb call:

// safesql
$result_set = $dbConn->getAll('SELECT * FROM ' . $this->usersTable);

You need to be absolutely sure that the $this->usersTable variable cannot be controlled by an attacker.

Dangerous ADOdb Methods

The following ADOdb methods are considered dangerous and are scanned for potential SQL injections: getone(), getrow(), getall(), getcol(), getassoc(), execute(), replace(). Note that autoexecute() is immune, because it automatically escapes all the parameters. If your code base has methods with the same names, e.g. a non-ADOdb execute(), you may see false positives. The solution is to rename your methods to names that differ from the default ADOdb methods, e.g. executeTask(). PHP-Reaper works this way because PHP is very dynamic and static analysis cannot reliably tell us the class of the instantiated object.
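The rule described above (dangerous method names, matched by name only; a non-literal SQL argument is reported; a `// safesql` comment on the line above suppresses the warning) can be written as a small PHP-Parser visitor. The following is an added illustration, not PHP-Reaper's own code; it assumes nikic/php-parser 1.x is installed via Composer and that scanCode(), DangerousCallVisitor and the sample source are constructed for this example.

```php
<?php
// Added illustration, not PHP-Reaper's code: a minimal PHP-Parser (1.x API)
// visitor applying the rule from the "Dangerous ADOdb Methods" section.
require 'vendor/autoload.php';

use PhpParser\Lexer;
use PhpParser\Node;
use PhpParser\NodeTraverser;
use PhpParser\NodeVisitorAbstract;
use PhpParser\Parser;

class DangerousCallVisitor extends NodeVisitorAbstract
{
    // Matched case-insensitively and by name only: the receiver's class
    // cannot be determined reliably in dynamic PHP, hence false positives.
    private static $dangerous = ['getone', 'getrow', 'getall', 'getcol', 'getassoc', 'execute', 'replace'];
    private $safeLines = [];
    public $findings = [];

    public function enterNode(Node $node)
    {
        // "// safesql" attaches to the statement (e.g. the assignment), which is
        // visited before the call nested inside it, so remember its line first.
        foreach ($node->getAttribute('comments', []) as $comment) {
            if (trim($comment->getText()) === '// safesql') {
                $this->safeLines[$node->getLine()] = true;
            }
        }
        if (!$node instanceof Node\Expr\MethodCall || !is_string($node->name)
            || !in_array(strtolower($node->name), self::$dangerous, true)
            || empty($node->args) || isset($this->safeLines[$node->getLine()])) {
            return;
        }
        // Only a plain string literal is accepted as SQL; interpolation,
        // concatenation or a variable may carry attacker-controlled data.
        if (!$node->args[0]->value instanceof Node\Scalar\String_) {
            $this->findings[] = sprintf('line %d: %s() called with non-literal SQL', $node->getLine(), $node->name);
        }
    }
}

function scanCode($code)
{
    $parser = new Parser(new Lexer);
    $traverser = new NodeTraverser;
    $visitor = new DangerousCallVisitor;
    $traverser->addVisitor($visitor);
    $traverser->traverse($parser->parse($code));
    return $visitor->findings;
}

// Constructed sample mirroring the README's examples: an interpolated query,
// a parameterised one, a suppressed one and a non-ADOdb execute() false positive.
$sample = "<?php\n\$dbConn->GetRow(\"SELECT * FROM users WHERE id = \$user_id\");\n"
    . "\$dbConn->GetRow(\"SELECT * FROM users WHERE id = ?\", array(\$user_id));\n"
    . "// safesql\n\$rs = \$dbConn->getAll('SELECT * FROM ' . \$this->usersTable);\n"
    . "\$task->execute(\$job);\n";
print_r(scanCode($sample));
```

The parameterised call on the second sample line is a plain literal and is not reported, while the last line shows the same-name false positive the section warns about.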

PHP Parser

PHP-Reaper uses the excellent PHP parser of the same name, PHP-Parser. It currently uses version 1.4.1.

Comments
  • PHP Fatal error

    PHP Notice:  Undefined property: PhpParser\Node\Expr\MethodCall::$expr in /home/dengolius/php-reaper/SecurityChecks.php on line 235
    PHP Fatal error:  Uncaught Error: Call to a member function getType() on null in /home/dengolius/php-reaper/SecurityChecks.php:235
    Stack trace:
    #0 /home/dengolius/php-reaper/SecurityChecks.php(268): SecurityChecks->investigateVariable(Object(PhpParser\Node\Expr\MethodCall), 'httpRequest')
    #1 /home/dengolius/php-reaper/SecurityChecks.php(178): SecurityChecks->checkTheArgument(Object(PhpParser\Node\Expr\MethodCall), Object(PhpParser\Node\Expr\MethodCall))
    #2 /home/dengolius/php-reaper/SecurityChecks.php(421): SecurityChecks->checkExpressionOrAssign(Object(PhpParser\Node\Expr\MethodCall))
    #3 /home/dengolius/php-reaper/SecurityChecks.php(195): SecurityChecks->checkNonAssignAndMethodCallStatements(Object(PhpParser\Node\Stmt\Return_))
    #4 /home/dengolius/php-reaper/SecurityChecks.php(52): SecurityChecks->mainCycle(Object(PhpParser\Node\Stmt\ClassMethod))
    #5 /home/dengolius/php-reaper/SecurityChecks.php(114): SecurityChecks->checkFile('/var/www/vhosts...')
    #6 /home/dengolius/php-reaper/php-reaper.php(21): SecurityChecks->checkDirector in /home/dengolius/php-reaper/SecurityChecks.php on line 235
    
    
    opened by denisgolius 0
  • Use PHP Parser and other library.

    Hello.

    You said in your document that you use PHP Parser and parse the code for analysis. PHP Parser is not able to recognize include, require and similar expressions. I want to know, how does your program recognize the path? Did you use another library or tools? Or did you develop this part in your app?

    Thank you.

    opened by Rivendall 3
Releases (v1.0)
Owner: Emanuil Slavov
Optimizing for happiness.