PHP tool to scan ADOdb code for SQL Injections

Last update: Mar 15, 2022

PHP-Reaper

PHP tool to scan ADOdb code for SQL Injections

Why

The main idea is to detect problems as early as possible, while the code is still fresh in your mind: shift as many checks as possible to the left and automate as much as possible.

Running PHP-Reaper takes far less time than running a full-fledged automated security scanner against your application. A web security scanner may also miss some SQL injection vulnerabilities, because the affected code is hard to reach from the UI or requires rare conditions to be set. PHP-Reaper is fast, scans all of your PHP ADOdb source code, and pinpoints the exact line where the problem lies.

You'll get the most out of PHP-Reaper if you run it on every commit. It's made to be CI-friendly and fast.

Examples

Because of laziness, time pressure or simple ignorance, PHP developers using ADOdb make mistakes like the following.

Vulnerable SQL query #1:

$dbConn->GetRow("SELECT * FROM users WHERE id = $user_id");

Correct SQL query #1:

$dbConn->GetRow("SELECT * FROM users WHERE id = ?", array($user_id));

Vulnerable SQL Query #2:

$ids = join(',', $ids);
$dbConn->GetAll("SELECT * FROM campaigns WHERE id IN ({$ids})");

Correct SQL query #2:

$dbConn->GetAll('SELECT * FROM campaigns WHERE FIND_IN_SET (id, ' . $dbConn->Param('') . ')', array(join(',', $ids)));

Usage

Recursively scan directory with php files:

php php-reaper -d directory_with_php_files

or scan a single file:

php php-reaper -f single_file.php

Tests

The tests are located in the tests directory. To run them, change into the tests directory and type:

phpunit .

If you extend this tool, make sure that the tests pass before submitting a pull request. Better yet, add new test files and unit tests. Look at the example files directory to see what types of SQL injection are detected.

Continuous Integration

PHP-Reaper is CI-friendly. On error it exits with a -1 status, so it is easy to hook into your CI jobs.

Exclude from warnings

You can suppress a PHP-Reaper warning if you are absolutely sure that the code does not contain an SQL injection. Put the following comment on the line above the ADOdb call:

// safesql
$result_set = $dbConn->getAll('SELECT * FROM ' . $this->usersTable);

You must be absolutely sure that the $this->usersTable variable cannot be controlled by an attacker.

Dangerous ADOdb Methods

The following ADOdb methods are considered dangerous and are scanned for potential SQL injections: getone(), getrow(), getall(), getcol(), getassoc(), execute(), replace(). Note that autoexecute() is immune, because it automatically escapes all of its parameters. If your code base has methods with the same names (e.g. an execute() that is not an ADOdb method), you may see false positives. The solution is to rename your methods so that they differ from the default ADOdb method names, e.g. executeTask(). PHP-Reaper works this way because PHP is highly dynamic and static analysis cannot reliably determine the class of the instantiated object.
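As an added example (not PHP-Reaper's own code or its actual rules), here is a minimal PHP-Parser 1.x visitor that reports the dangerous methods listed above when the SQL argument is built by string interpolation or concatenation, and honours the // safesql suppression comment. It assumes nikic/php-parser 1.x is installed via Composer, treats only string literals and concatenated Param() placeholders as safe, and scans a constructed sample made from the README's examples; the class and function names are this example's own.

```php
<?php
require 'vendor/autoload.php'; // assumes nikic/php-parser 1.x installed via Composer
use PhpParser\Node\Expr;
use PhpParser\NodeTraverser;
use PhpParser\NodeVisitorAbstract;

class AdodbInjectionVisitor extends NodeVisitorAbstract
{
    private $dangerous = array('getone', 'getrow', 'getall', 'getcol', 'getassoc', 'execute', 'replace');
    private $safeLines = array(); // lines whose statement is preceded by "// safesql"
    public $findings = array();

    public function enterNode(\PhpParser\Node $node)
    {
        // "// safesql" is attached to the statement below it, which starts on the call's line.
        foreach ($node->getAttribute('comments', array()) as $comment) {
            if (trim($comment->getText()) === '// safesql') {
                $this->safeLines[$node->getLine()] = true;
            }
        }
        if (!$node instanceof Expr\MethodCall || !is_string($node->name) || empty($node->args)
            || !in_array(strtolower($node->name), $this->dangerous, true) // case-insensitive, like PHP
            || isset($this->safeLines[$node->getLine()])) {
            return;
        }
        if ($this->isDynamic($node->args[0]->value)) {
            $this->findings[] = sprintf('line %d: %s() with dynamically built SQL', $node->getLine(), $node->name);
        }
    }
    // Literals and concatenated $dbConn->Param() placeholders are safe; anything else is not.
    private function isDynamic(Expr $sql)
    {
        if ($sql instanceof \PhpParser\Node\Scalar\String_) return false;
        if ($sql instanceof Expr\MethodCall && is_string($sql->name) && strtolower($sql->name) === 'param') return false;
        if ($sql instanceof Expr\BinaryOp\Concat) return $this->isDynamic($sql->left) || $this->isDynamic($sql->right);
        return true; // interpolated string, variable, property fetch, other call, ...
    }
}
$sample = <<<'PHP'
<?php
$dbConn->GetRow("SELECT * FROM users WHERE id = $user_id");
$dbConn->GetRow("SELECT * FROM users WHERE id = ?", array($user_id));
// safesql
$rows = $dbConn->getAll('SELECT * FROM ' . $this->usersTable);
PHP;
$parser = new PhpParser\Parser(new PhpParser\Lexer); // constructed sample, taken from the examples above
$traverser = new NodeTraverser;
$traverser->addVisitor($visitor = new AdodbInjectionVisitor);
$traverser->traverse($parser->parse($sample));
print_r($visitor->findings);
```

The same false-positive caveat as above applies: any object whose method happens to be named execute() or getAll() is matched, because the visitor never resolves the receiver's class.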

PHP Parser

PHP-Reaper uses the excellent PHP parser of the same name, PHP-Parser. It currently uses version 1.4.1.

GitHub

https://github.com/emanuil/php-reaper
Comments
  • 1. PHP Fatal error

    PHP Notice:  Undefined property: PhpParser\Node\Expr\MethodCall::$expr in /home/dengolius/php-reaper/SecurityChecks.php on line 235
    PHP Fatal error:  Uncaught Error: Call to a member function getType() on null in /home/dengolius/php-reaper/SecurityChecks.php:235
    Stack trace:
    #0 /home/dengolius/php-reaper/SecurityChecks.php(268): SecurityChecks->investigateVariable(Object(PhpParser\Node\Expr\MethodCall), 'httpRequest')
    #1 /home/dengolius/php-reaper/SecurityChecks.php(178): SecurityChecks->checkTheArgument(Object(PhpParser\Node\Expr\MethodCall), Object(PhpParser\Node\Expr\MethodCall))
    #2 /home/dengolius/php-reaper/SecurityChecks.php(421): SecurityChecks->checkExpressionOrAssign(Object(PhpParser\Node\Expr\MethodCall))
    #3 /home/dengolius/php-reaper/SecurityChecks.php(195): SecurityChecks->checkNonAssignAndMethodCallStatements(Object(PhpParser\Node\Stmt\Return_))
    #4 /home/dengolius/php-reaper/SecurityChecks.php(52): SecurityChecks->mainCycle(Object(PhpParser\Node\Stmt\ClassMethod))
    #5 /home/dengolius/php-reaper/SecurityChecks.php(114): SecurityChecks->checkFile('/var/www/vhosts...')
    #6 /home/dengolius/php-reaper/php-reaper.php(21): SecurityChecks->checkDirector in /home/dengolius/php-reaper/SecurityChecks.php on line 235
    
    
    Reviewed by denisgolius at 2018-03-12 08:06
  • 2. Use PHP Parser and other libraries.

    Hello.

    You said in your document that you use PHP Parser and parse the code after analysis. PHP Parser is not able to recognize include, require, etc. expressions. I want to know how does your program recognize paths? Did you use other libraries or tools, or did you develop this part in your app?

    Thank you.

    Reviewed by Rivendall at 2017-01-23 06:26