A simple, fast, and standalone tool to find potential security vulnerabilities in PHP code.
The PHP Security Analyzer is a static code analysis tool designed to help developers identify common security issues in their PHP applications, with a primary focus on Cross-Site Scripting (XSS) vulnerabilities. It scans your code for unsanitized user inputs from superglobals (`$_GET`, `$_POST`, `$_REQUEST`, etc.) and provides actionable suggestions for how to fix them.
This tool can be used as a standalone web interface for quick scans or integrated into your projects as a Composer library for automated checks.
- Core Analysis Logic: A modular PHP class that performs static analysis on your code.
- Simple Web UI: A user-friendly web interface to scan an entire directory and view a detailed report.
- Automated Fix Suggestions: Provides specific code snippets to secure vulnerable lines.
- Flexible Detection: Capable of tracing variables from superglobals even after they are assigned to other variables.
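To make the "Flexible Detection" feature concrete, here is an added illustration (not the project's own code) of how a minimal line-based taint tracker propagates superglobal taint through assignments and flags `echo`/`print` sinks that reach a sanitizer-free expression; the sample PHP file, the sanitizer list and the issue shape are constructed for this example.

```python
import re

# Illustrative reimplementation of the detection idea; not the project's code.
SUPERGLOBALS = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE"}
SANITIZERS = ("htmlspecialchars(", "htmlentities(", "intval(")
REF_RE = re.compile(r"(\$\w+)((?:\[[^\]]*\])?)")          # $var or $var['key']
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*(.+);\s*$")
SINK_RE = re.compile(r"(?:echo|print)\s+(.+);\s*$")


def find_xss_issues(source):
    """Return [{'line', 'code', 'fix'}] for unsanitized output of user input."""
    tainted = set()   # variables currently holding unsanitized superglobal data
    issues = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if m := ASSIGN_RE.match(line):
            target, rhs = m.group(1), m.group(2)
            names = {name for name, _ in REF_RE.findall(rhs)}
            dirty = bool(names & (SUPERGLOBALS | tainted))
            if dirty and not any(s in rhs for s in SANITIZERS):
                tainted.add(target)       # $y = $x; keeps the taint alive in $y
            else:
                tainted.discard(target)   # reassigned with sanitized/constant data
            continue
        if m := SINK_RE.match(line):
            expr = m.group(1)
            dirty_refs = [name + sub for name, sub in REF_RE.findall(expr)
                          if name in SUPERGLOBALS or name in tainted]
            if dirty_refs and not any(s in expr for s in SANITIZERS):
                issues.append({
                    "line": lineno,
                    "code": line,
                    "fix": f"htmlspecialchars({dirty_refs[0]}, ENT_QUOTES, 'UTF-8')",
                })
    return issues


# Constructed sample input: one direct sink, one indirect sink, two safe lines.
SAMPLE_PHP = """<?php
$name = $_GET['name'];
$greeting = $name;
$safe = htmlspecialchars($_POST['msg'], ENT_QUOTES, 'UTF-8');
echo "Hello " . $greeting;
echo $safe;
echo $_REQUEST['q'];
echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
"""
```

Running `find_xss_issues(SAMPLE_PHP)` reports lines 5 and 7 only; `$safe` is never tainted because its assignment already passes through a sanitizer.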
This tool and its web interface are designed exclusively for local development and testing environments.
DO NOT upload the `public/index.php` file or the entire analyzer directory to a live production server. Doing so could expose your server and its files to unauthorized access and security risks.
- Clone the repository:
  git clone https://github.com/dlongopinc/php-security-analyzer.git
  cd php-security-analyzer
- Install Composer dependencies:
  composer install
- Access the web interface by navigating to `public/index.php` in your local web server.
Install the package in your project using Composer:
composer require dlongopinc/php-security-analyzer
```php
<?php
require 'vendor/autoload.php';

use Dlongopinc\SecurityAnalyzer\SecurityAnalyzer;

$analyzer = new SecurityAnalyzer();
$issues = $analyzer->checkFile('path/to/your/file.php');

// $issues will be an array of found vulnerabilities.
// You can iterate through it to process the results.
if (!empty($issues)) {
    foreach ($issues as $issue) {
        echo "Found issue on line " . $issue['line'] . ": " . $issue['code'] . "\n";
        echo "Suggested fix: " . $issue['fix'] . "\n";
    }
}
```
```php
<?php
require 'vendor/autoload.php';

use Dlongopinc\SecurityAnalyzer\SecurityAnalyzer;

$analyzer = new SecurityAnalyzer();
$files = $analyzer->analyzePhpFiles('path/to/your/project');

$allIssues = [];
foreach ($files as $file) {
    $issues = $analyzer->checkFile($file);
    if (!empty($issues)) {
        $allIssues[$file] = $issues;
    }
}

// $allIssues is an associative array where keys are file paths and values are issue arrays.
print_r($allIssues);
```
To use the web interface on your own project, copy the `index.php` file from the `public` directory of this package to the root of your project. Then, run `composer install` in your project and open `index.php` in your browser.
To ensure your development environment is clean and doesn't accidentally commit unnecessary files, make sure your `.gitignore` file includes the following entries:
- `vendor/`: This directory contains all Composer dependencies and should not be committed to your repository.
- `composer.lock`: This file is automatically generated by Composer. It's best practice to commit it in applications, but for a library, it's often ignored to allow consuming applications to manage their own dependency versions.
Example `.gitignore`:
  /vendor
  /composer.lock
We welcome contributions! If you find a bug or have an idea for a new feature, please open a new issue or submit a pull request.
This project is licensed under the MIT License. See the LICENSE file for details.
For any questions or suggestions, feel free to contact me at setiyariyan19@gmail.com.