Slashdot Mirror


New PHP Interpreter Finds XSS, Injection Holes

rkrishardy writes "A group of researchers from MIT, Stanford, and Syracuse has developed a new program, named 'Ardilla,' which can analyze PHP code for cross-site scripting (XSS) and SQL injection attack vulnerabilities. (Here is the paper, in PDF, and a table of results from scanning six PHP applications.) Ardilla uses a modified Zend interpreter to analyze the code, trace the data, and determine whether the threat is real or not, significantly decreasing false positives." Unfortunately, license issues prevent the tool in its current form from being released as open source.

66 comments

  1. Fixed it for you by techprophet · · Score: 4, Informative

    New PHP Interpreter Finds XSS, Injection Holes

    Fixed it for you.

    1. Re:Fixed it for you by EkriirkE · · Score: 1

      You do realize it's a replacement for the Zend engine - the "Findx XSS" engine? With script kiddie tools to perform injections (SQL I'm assuming)

      --
      from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
      to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
  2. SQL Injections? by Anonymous Coward · · Score: 0

    I don't use SQL you insensitive clods!

  3. Find X? by eldavojohn · · Score: 4, Funny

    New PHP Interpreter Findx XSS, Injection Holes

    New PHP Interpreter Finds XSS, Injection Holes

    Fixed it for you.

    Clearly the title was trying to illustrate the PHP interpreter's ability to solve the pythagorean theorem.

    --
    My work here is dung.
    1. Re:Find X? by techprophet · · Score: 1

      Clearly the title was trying to illustrate the PHP interpreter's ability to solve the pythagorean theorem [mit.edu].

      I don't need PHP for that! Besides, the pythagorean theorem doesn't have X, just a, b, and c.

      a^2 + b^2 = c^2

    2. Re:Find X? by eldavojohn · · Score: 5, Funny

      Clearly the title was trying to illustrate the PHP interpreter's ability to solve the pythagorean theorem [mit.edu].

      I don't need PHP for that! Besides, the pythagorean theorem doesn't have X, just a, b, and c.

      a^2 + b^2 = c^2

      I see you prefer short, nondescript variable names for your algorithms. I pity the person who has to maintain that bit of code. What is a? What is b? What is c?

      I ascribe to a more Knuth-y self descriptive code and prefer the Pythagorean theorem to look more like:

      sideAdjacentToRightAngle^2 + otherSideAdjacentToRightAngle^2 = sideOppositeRightAngle^2

      Or maybe I'm just being a smartass? It's so hard to tell with developers these days ...

      --
      My work here is dung.
    3. Re:Find X? by Anonymous Coward · · Score: 0

      I think he meant quadratic equation... :P

    4. Re:Find X? by techprophet · · Score: 1

      Or maybe I'm just being a smartass? It's so hard to tell with developers these days ...

      You mean there's a difference?

      [disclaimer]I am a developer[/disclaimer]

    5. Re:Find X? by MillionthMonkey · · Score: 3, Funny

      I ascribe to a more Knuth-y self descriptive code and prefer the Pythagorean theorem to look more like:

      sideAdjacentToRightAngle^2 + otherSideAdjacentToRightAngle^2 = sideOppositeRightAngle^2

      Or maybe I'm just being a smartass? It's so hard to tell with developers these days ...

      Would you want to stare at a wall of code with otherSideAdjacentToRightAngles and sideOppositeRightAngles and sideAdjacentToRightAngles all over the place?

      You could just go all the way and call them II11011I, I1IIOI1I, and II110I1I. At least call one of them "hypotenuse", christ.

    6. Re:Find X? by zoward · · Score: 1

      Thanks - I needed that!

      --
      "Can't you see that everyone is buying station wagons?"
    7. Re:Find X? by Haeleth · · Score: 2, Funny

      I ascribe to a more Knuth-y self descriptive code and prefer the Pythagorean theorem to look more like:

      sideAdjacentToRightAngle^2 + otherSideAdjacentToRightAngle^2 = sideOppositeRightAngle^2

      Magic constants?! That's dreadful! How am I supposed to know what 2 is for in that code? And, worse, what if you need to change it to something other than 2? You'd have to change it in three places. You might easily forget one and break everything.

    8. Re:Find X? by Spaham · · Score: 1

      this reminds me when I was in calculus class in high school.
      we had all copied some homework from each others, and of course the
      teacher found out. everyone got F but I got an A... why ?
      because I changed the vector names (ok, it was trigonometry, but in calc class)
      I used names like Mike Joe Jay instead of AB AC CD DE like everybody else :)

  4. Not open source? by Anonymous Coward · · Score: 1, Funny

    it probably hasn't been open sourced because it's full of security holes

  5. holy smokes batman by sublimino · · Score: 3, Interesting

    From the results paper: "Part of Ardilla's implementation depends on modifications to the open-source Zend interpreter...made (for a different purpose) by a student while he was an intern at IBM. We have since made many more modifications, but since the original small diffs are owned by IBM, we cannot release either those original modifications or our later work that builds on them...It would be valuable for someone to re-implement the original changes, so that we could release our entire system as we would prefer. "

    How would these changes be "re-implemented" - would the code have to be re-engineered, or would a trawl through the original code (patching in changes verbatim) be acceptable? Otherwise, would somebody have to find alternative syntax for implementing the same functionality? Barrel of worms methinks.

    1. Re:holy smokes batman by Enuratique · · Score: 1

      Yeah, makes me wonder if open-sourcing this project was a primary goal at the beginning of the project. If so, they should have known about this wrinkle and had the intern re-write what he did for IBM. Seems like an oversight to build so much functionality only to, at the end, go "oh crap"...

      --
      A black hole is where God divided by 0
    2. Re:holy smokes batman by nacturation · · Score: 1

      It's only copyright and nobody would get harmed from sharing it. Let's get Jammie Thomas to release the source.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    3. Re:holy smokes batman by Tanktalus · · Score: 1

      Um, why not just ask the former-intern's IBM manager for permission? Or is it that IBM doesn't open-source anything?

  6. Probably for the best by JNSL · · Score: 3, Insightful

    Although it would be nice to be able to use this, I'd imagine there'd be lots of damage following from widespread release of this program without a quick turnaround on fixing vulnerable sites.

    1. Re:Probably for the best by tirerim · · Score: 1

      Not really, unless those sites already have other serious security problems. The PHP code only runs on the server, and is thus invisible to the end user: all they see is the generated HTML. If your PHP code is exposed to the outside world, you're doing something wrong.

  7. Already made one by Norsefire · · Score: 2, Funny
    And mine is open source:

    use strict;
    use warnings;

    # Open the file named on the command line and "scan" it.
    open( my $code, '<', $ARGV[0] ) or die 'File not found';
    while ( <$code> ) {
        # Any line that so much as mentions PHP counts as a finding.
        if ( /php/i ) {
            print "Exploit found\n";
        }
    }

    1. Re:Already made one by BabyDave · · Score: 2, Funny

      /me turns on short_open_tag in php.ini, then cackles maniacally ...

    2. Re:Already made one by Anonymous Coward · · Score: 0

      If my team released half the mistakes that you have in the past few months, we'd all be fired and probably end up working for you

      Fixed that for you.

  8. This somehow ... by xmff · · Score: 3, Insightful

    ... reminds me of Perl's taint mode where all external input data is traced until it was explicitly checked through a regular expression or similar.

    1. Re:This somehow ... by adamgundy · · Score: 1

      for a 'taint mode' in PHP, try this: http://wiki.php.net/rfc/taint

  9. You are an awful programmer by Anonymous Coward · · Score: 2, Funny

    Same program, just in one line, hence easier to understand: perl -nE'say q(Exploit found) if /php/i' *

    1. Re:You are an awful programmer by damien_kane · · Score: 1

      easier to understand: perl

      This particular grouping of words should not ever be used outside the privacy of your own home...

    2. Re:You are an awful programmer by psyclone · · Score: 1

      easier to understand: perl

      This particular grouping of words should not ever be used outside the privacy of your own home...

      Unless you are wanting to do some Practical Extracting and Reporting (with a programming language)

  10. closed version available? by markybob · · Score: 1

    I can't even find where to download a closed source version of it. Is it available at all?

    1. Re:closed version available? by Anonymous Coward · · Score: 0

      It's PHP of course there's not a "closed version" available for download.

    2. Re:closed version available? by Anonymous Coward · · Score: 0

      Erm, why "of course"? There's plenty of commercial closed-source PHP software out there. Just because you can *read* the source doesn't mean you have any rights to redistribute it.

      And if you really want to be a dick, I'm sure you can find PHP obfuscators out there.

    3. Re:closed version available? by tolan-b · · Score: 1

      I think he meant 'it's PHP' as in it's a patched version of the PHP interpreter, not that it's an app written in PHP. As PHP is open source you can't redistribute a patched version as closed source.

    4. Re:closed version available? by Anonymous Coward · · Score: 0

      I think he meant 'it's PHP' as in it's a patched version of the PHP interpreter, not that it's an app written in PHP.

      Highly unlikely, as that would have required him to understand what the article was about, and this is Slashdot.

      As PHP is open source you can't redistribute a patched version as closed source,

      The PHP licence isn't copyleft.

    5. Re:closed version available? by tolan-b · · Score: 1

      Interesting. Don't know why I assumed it was.

  11. PHP Frameworks by ukyoCE · · Score: 1

    The basic issue here is that most PHP code does not currently use Frameworks, and many PHP developers aren't exactly experienced enough to know what XSS or SQL Injection are.

    The problem will never really be fixed in PHP until some framework or at least methodology wins out as the PHP framework of choice.

    It'd be nice if the PHP guys picked one and put their backing behind it, maybe even included it by default like they did APC for caching.

    1. Re:PHP Frameworks by Opportunist · · Score: 1

      The problem will never really be fixed in PHP until the average PHP programmer at least cares about security.

      Sorry to everyone who uses PHP for a living, there are actually very good PHP programmers. Unfortunately, though, they are the exception. Easy syntax and being the server sided language of choice for many cheap webspace providers, every other PHP based page you stumble upon has glaring security holes due to someone programming it who barely knows enough PHP to make it work at all, and as soon as it "works" it's also "done". Security? Pfffft, who'd hack my little club webpage.

      And this, kids, is where drive-by infections come from.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:PHP Frameworks by Ash+Vince · · Score: 1

      The problem will never really be fixed in PHP until some framework or at least methodology wins out as the PHP framework of choice.

      It'd be nice if the PHP guys picked one and put their backing behind it, maybe even included it by default like they did APC for caching.

      Does the Zend Framework count as a framework? In which case they have picked one, it has just not been universally accepted yet.

      There is however another issue. Languages like PHP and ASP were originally designed to make creating a server side code driven web site fairly easy. They succeeded so people who were not well grounded in writing code started dabbling in projects that were over their head, they just did not know it. These people had never heard of things like buffer overruns so they tended to trust the inputs their program was given. The program worked when given the correct inputs, and you validated all the inputs in JavaScript so it must be fine.

      We now have to deal with the legacy of this which is many developers in the marketplace with years of experience at writing code and have no idea they are missing a large part of their education.

      As an example, I saw some lovely code recently where the developer had used prepared statements all through his code, but still left it wide open to SQL injection by not using variables in the prepared statements. He just prepared entire strings already containing the relevant form variables concatenated with the SQL. Genius.

      The fact is that programming in any language is complex, and takes many years to learn how to do well. To tell between a good developer and a bad developer though also takes years, since you have to learn the pitfalls to recognise them.

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
    3. Re:PHP Frameworks by ukyoCE · · Score: 1

      As an example, I saw some lovely code recently where the developer had used prepared statements all through his code, but still left it wide open to SQL injection by not using variables in the prepared statements. He just prepared entire strings already containing the relevant form variables concatenated with the SQL. Genius.

      I almost said in my post that they should require prepared statements - but then I thought of that scenario and decided against saying that =D
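The mistake Ash Vince describes and ukyoCE quotes (a "prepared" statement whose SQL already contains the form value) reproduced beside the correct use of a bound parameter. This is an added example, not code from the thread; it assumes PDO with the SQLite driver so it runs against an in-memory database, and the table, rows and function names are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example: an in-memory SQLite database stands in for the real one.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");
    return $db;
}

/**
 * The pattern from the thread: prepare() is called, but the user-supplied
 * value has already been concatenated into the SQL text, so the "prepared"
 * statement protects nothing. Whatever the input contains is parsed as SQL.
 */
function lookup_concatenated(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT name FROM users WHERE name = '" . $name . "'");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * The fix: the SQL is a fixed string with a placeholder and the value is
 * handed over separately, so it is compared as one literal name, quotes
 * and keywords included, and never parsed as SQL.
 */
function lookup_bound(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_db();

// Ordinary input behaves the same either way: one row.
printf("alice: concatenated=%d bound=%d\n",
    count(lookup_concatenated($db, 'alice')),
    count(lookup_bound($db, 'alice')));

// Constructed test input carrying a quote and an OR clause. The concatenated
// version now matches every row; the bound version matches none, because
// no user is literally named "nobody' OR '1'='1".
$probe = "nobody' OR '1'='1";
printf("probe: concatenated=%d bound=%d\n",
    count(lookup_concatenated($db, $probe)),
    count(lookup_bound($db, $probe)));
```

Reviewing for this bug is mechanical: any `prepare()` whose argument is built by concatenation or interpolation rather than a constant string deserves a second look.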

  12. Just teach people how to code by loufoque · · Score: 3, Insightful

    Just teach people how to code. When a function or subsystem expects a certain format as a precondition on its input, you actually have to make sure you enforce that precondition (in the case of PHP applications, you simply need to apply trivial conversions such as htmlspecialchars() or mysql_escape_char() depending on whether you want to use that input to generate HTML or XML or to include it into a MySQL request -- this is enough to get rid of XSS and SQL injections completely).

    There would be no need for such tools if PHP developers actually were software engineers rather than kiddies surfing on the web hype that barely understand the tools they're manipulating.

    1. Re:Just teach people how to code by Anonymous Coward · · Score: 0

      Just teach people how to code. [...] in the case of PHP applications, you simply need to apply trivial conversions such as htmlspecialchars() [...] this is enough to get rid of XSS [...] injections completely

      Is Mr. Experience speaking?

      Using htmlspecialchars doesn't help if the user agent interprets the bytestream differently. IE6 & UTF-8 is a match made in hell.

    2. Re:Just teach people how to code by slummy · · Score: 1

      Fuck that. Teaching people how to code the correct way creates equals.

      Messy spaghetti code is always a pain in the ass to fix, but does help us consultants rack up the hours.

      Keep the crappy PHP code coming boys!

    3. Re:Just teach people how to code by loufoque · · Score: 2, Interesting

      htmlspecialchars converts < to &lt;, > to &gt;, & to &amp; and " to &quot;, simply because those characters have special meanings in HTML and XML and therefore require to be properly escaped. (strictly speaking, converting " is only required in attributes where the value is between quotes itself, but that's the default behaviour of the function to be more general-purpose).
      As you can see, the character encoding of the string is irrelevant here -- assuming it is ASCII-compatible --, since the function only replaces some ASCII sequences by other ASCII sequences. Why the string has an additional argument to handle encoding is beyond me. (to prevent replacements of said characters within grapheme clusters perhaps? Or to handle non ASCII compatible encodings?)

      Of course, handling character encoding is a real issue, but a different one. It's fairly trivial, however: you have to transfer your data in the character encoding that you declared your document was in.

      Maybe you're actually talking of the issue that user agents will encode data not supported by the character set they're supposed to use as sequences? There are different approaches on this issue, but the best way is arguably to ask the user agent to send its data in UTF-8. I don't remember any problem with IE6 for that (sure, it ignores the attribute made for that purpose in forms, but it will send the data in the character encoding of the page).

    4. Re:Just teach people how to code by Anonymous Coward · · Score: 0

      That isn't good enough. If you use UTF-8 you also need to make sure it is valid. Suppose a user is able to insert 0xC0 in your output. IE 6 will interpret this byte as the start of a multibyte character, effectively swallowing subsequent characters (eg a quote) and allowing the user to escape the attribute context.

    5. Re:Just teach people how to code by strimpster · · Score: 2, Interesting

      Unfortunately you are incorrect at how easy it is to prevent these issues. In some examples, you want the input to come through as HTML that is allowed to be displayed back to the end users. An example of this is MySpace.com (or even the commenting system here). Do you remember the Samy worm that crawled through their system? The techniques you have given would not have worked. An advanced parser that validates the input is necessary to prevent that (by stripping out the bad portions of the data). I was tasked with creating such a parser for a website I worked on (emerciv.com) to prevent the XSS attacks like that from occurring (and also the problem with invalid HTML that can break page flow). Furthermore, mysql_escape_char is not the industry preferred method of preventing MySQL injection attacks as it still allows some to occur; the preferred method is to use PDO. You might want to study up on those...

      Oh, and by the way, I am a software engineer (finishing up my Master of Science in Software Engineering with a focus on Knowledge and Information Engineering from the University of Michigan's Dearborn campus at the end of the summer and have been asked by the Electrical and Computer Engineering department chair to create new curriculum for the undergraduates in interactive web development, and will be teaching it as well) and I consider myself a PHP developer (amongst other languages) and take offense to that ;)

    6. Re:Just teach people how to code by loufoque · · Score: 1

      Suppose a user is able to insert 0xC0 in your output. IE 6 will interpret this byte as the start of a multibyte character, effectively swallowing subsequent characters (eg a quote) and allowing the user to escape the attribute context.

      Good point. I suppose that is why htmlspecialchars actually takes a character encoding argument. That way it will check the input string is valid UTF-8.

      My bad, I relied on some properties of UTF-8 which only hold if the string is in valid UTF-8, which is certainly not guaranteed.
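The two points made above, loufoque's description of what htmlspecialchars() replaces and the Anonymous Coward's stray 0xC0 byte in front of a quote, shown together: how the function's $encoding argument and flags decide what happens to malformed UTF-8. This is an added example, not code from the thread; the input string and the helper names (is_valid_utf8, attr) are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed input: text with a lone 0xC0 lead byte directly before a
// double quote. 0xC0 is never valid in UTF-8 (it would be an overlong
// encoding), which is the case the thread discusses.
const DIRTY = "name\xC0\"tail";

/**
 * True when $s is well-formed UTF-8. The 'u' modifier makes PCRE validate
 * the subject and fail the match on malformed input, so this works without
 * the mbstring extension.
 */
function is_valid_utf8(string $s): bool
{
    return preg_match('//u', $s) === 1;
}

/**
 * Escape with an explicit encoding but without ENT_SUBSTITUTE. For input
 * that is not valid UTF-8, htmlspecialchars() returns an empty string
 * instead of escaped text, so the bad byte never reaches the page, but the
 * value silently disappears.
 */
function escape_strict(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

/**
 * Escape with ENT_SUBSTITUTE: each malformed sequence becomes U+FFFD and
 * the rest of the string, including the quote as &quot;, is kept. The quote
 * therefore cannot be swallowed by a lenient decoder in the browser.
 */
function escape_substitute(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

/**
 * Attribute-safe output: reject malformed input loudly rather than emit an
 * empty attribute value that hides the problem from whoever wrote the bug.
 */
function attr(string $s): string
{
    if (!is_valid_utf8($s)) {
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    return escape_strict($s);
}

var_dump(is_valid_utf8(DIRTY));
var_dump(escape_strict(DIRTY));
var_dump(escape_substitute(DIRTY) === "name\u{FFFD}&quot;tail");
try {
    attr(DIRTY);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
echo attr('A "quoted" name'), PHP_EOL;
```

The same validity check belongs at the input boundary as well: rejecting malformed UTF-8 when a form is submitted removes the ambiguity before it is stored or echoed anywhere.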

    7. Re:Just teach people how to code by loufoque · · Score: 1

      Unfortunately you are incorrect at how easy it is to prevent these issues

      Sure it is easy to circumvent XSS, I just gave a way that always works. I never said that way covered all uses you may want to do of your input, however.
      Indeed, if you want to treat your input as a HTML fragment to include verbatim into your document (which in my opinion, is a terrible idea, just look at how annoying that is on slashdot, this messed up my message elsewhere in this thread because I naively wrote & instead of &amp; -- but why not), you must ensure that the code, when included into your document, may only lead to 100% valid HTML and that it may not contain certain "harmful" facilities of HTML (i.e. JavaScript that gets access to cookies and forwards the session information contained in them to an external server which in turns exploits any account reading the page).
      This is no different than if you used a wiki-like or bbcode-syntax, which is what I'd call a saner approach for text-based content management. You have a given format in entry, you must parse it, validate it, and convert it if relevant, in order to enforce the conditions your output has to validate.

      Furthermore, mysql_escape_char is not
      the industry preferred method of preventing MySQL injection attacks as it still allows some to occur

      No, it doesn't allow any to occur.
      Of course, using libraries that generate the query for you and do the necessary conversions is easier, but that is irrelevant.
      Yes I know of PDO, I actually implemented similar tools (well, it was more similar to PEAR::MDB2, but you get the point) way before it made it to PHP, like any sane programmer used back then. Concatenating string literals and results of mysql_(real_)?escape_char directly isn't really what I'd call maintainable.

      I consider myself a PHP developer (amongst other languages) and take offense to that ;)

      I'm afraid you'll have to live with it.
      The fact that most PHP developers are extremely bad is a mere fact, inherently giving bad reputation to that language (which isn't really unmotivated, the language did take quite a few bad design decisions in the first place), and even to the whole field of web development to an extent.
      I know of several businesses that purposely chose J2EE in order to cater to more serious developers, for example.

      Thankfully thanks to the Web 2.0 hype, you should still be able to find jobs without any real issue.

    8. Re:Just teach people how to code by strimpster · · Score: 1

      Saying that a user should not be able to put in html is a cop out. As a versed software engineer, you should be completely perfect with parsing data and validating it. In fact, if you have a degree from a university (which I'm assuming that you do), you should have had to deal with grammars in one of your classes. It sounds like you don't recognize the need for this, as you are most likely not what one would classify as a "web developer". That is fine, but some applications require the use of this. One very realistic example is a CMS controlled by a company. They need this type of control. Creating your own language (bbcode or wiki-code) defeats the purpose of the standards that are out there (HTML), especially to the extent that a CMS needs.

      Well, you attempted to fix your problem in this response but my first statement is correct. mysql_escape_string does have some problems. You have to use mysql_real_escape_string to be sure if you are inserting binary data into the database as there can be potential injection attacks done otherwise.

      If you think that most PHP developers are extremely bad, I think that you need to look around at all developers. You find really bad code in all languages, and pretty often (go to thedailywtf.com for some examples). I would hardly look at my fellow developers (you know the real ones...) building frameworks like Drupal and call them extremely bad. You can say this is a minority, but I think that you are sadly mistaken, especially if you think this "Web 2.0" thing is a hype. Wait a few more years and look at the technology that is built around the web browser (regardless of the back-end technology).

      PHP has won out as the language of choice on the web, it's a fact. PHP is not what it used to be, prior to version 5.2. It is a robust language that can create very rich and scalable Internet technologies. I work with Fortune 500 companies who are completely satisfied with using PHP over Java. A "serious developer" should be comfortable in any language (whether PHP, Java, Ruby, Python, etc.). In fact a "serious" web developer must be versed in many languages, as they piece together systems in different languages.

    9. Re:Just teach people how to code by jonaskoelker · · Score: 1

      in the case of PHP applications, you simply need to apply trivial conversions such as htmlspecialchars() or mysql_escape_char()

      Let's see. You have to

      • Know to do it.
      • Remember to do it.
      • Be careful to only do it once.
      • Actually type the characters.

      One of them is incredibly easy.

      The rest could be made a lot easier with a static type system where you can create a type HtmlString and offer htmlspecialchars() as the only conversion from String to HtmlString, and only allow instances of HtmlString to be output. Similarly for SQL.

      Doing things the hard way instead of the easy way (and insisting others also do it the hard way) for no good reason is not something to be proud of.

      Now, don't get me wrong. I don't like typing type names all the time. Which is why type inference is for the win. It's a shame it hasn't become popular outside the ML family (ML, OCaml, Haskell, probably others).
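The HtmlString idea from the post above carried out with PHP 8 type declarations: the only way to turn untrusted text into an HtmlString is htmlspecialchars(), and the output function accepts nothing else, so a forgotten escape becomes a TypeError instead of an XSS bug. This is an added example, not code from the thread; the class and function names (HtmlString, render) are my own.

```php
<?php
declare(strict_types=1);

final class HtmlString
{
    // Private constructor: instances exist only through the factories below,
    // so no code path can wrap a raw string by accident.
    private function __construct(private string $markup) {}

    /** The single conversion from untrusted text to markup: escape it. */
    public static function fromText(string $text): self
    {
        return new self(htmlspecialchars(
            $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8'
        ));
    }

    /**
     * Markup the developer wrote (tags, static fragments). Keeping this a
     * separate, visibly named factory makes every unescaped fragment easy
     * to find in review; user input must never flow into it.
     */
    public static function trusted(string $markup): self
    {
        return new self($markup);
    }

    /** Concatenating escaped fragments yields another escaped fragment. */
    public function append(HtmlString ...$parts): self
    {
        $out = $this->markup;
        foreach ($parts as $part) {
            $out .= $part->markup;
        }
        return new self($out);
    }

    public function toString(): string
    {
        return $this->markup;
    }
}

/** Output sink: the type declaration rejects a plain string at the call. */
function render(HtmlString $html): void
{
    echo $html->toString(), PHP_EOL;
}

// Constructed untrusted input containing markup characters.
$comment = '<b>hi</b> & "bye"';

render(
    HtmlString::trusted('<p class="comment">')
        ->append(HtmlString::fromText($comment), HtmlString::trusted('</p>'))
);

// Passing the raw string is a TypeError, caught here only to show it:
try {
    render($comment);
} catch (TypeError $e) {
    echo 'rejected: raw string reached render()', PHP_EOL;
}
```

The check is only as strong as the discipline around trusted(): grepping for that one name gives a complete list of places where unescaped markup enters the output.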

    10. Re:Just teach people how to code by loufoque · · Score: 1

      Saying that a user should not be able to put in html is a cop out. As a versed software engineer, you should be completely perfect with parsing data and validating it

      I never said it was problematic to implement, I said it was a terrible idea from a usability point of view, and this was between parentheses, which shows it was nothing more than a side note.
      Can't you read at all? I said that if you wanted to allow this, you should parse, which you should do anyway if you used a different input format than HTML.

      Creating your own language (bbcode or wiki-code) defeats the purpose of the standards that are out there (HTML), especially to the extent that a CMS needs.

      I find HTML, just like XML, totally ill-suited to content writing using a plain-text medium, and I'm not alone.
      ReST and wiki-like syntaxes are so much more practical. To write documentation, for example, I use Quickbook which is basically Docbook (XML) with a wiki-like syntax, and it is really much more comfortable.
      I also write my emails, messages to Usenet, mailing lists, etc. in plain text using wiki-like syntax that some user agents know how to render and that degrade gracefully if they don't.

      Even LaTeX is much nicer to use than XML.

      Well, you attempted to fix your problem in this response but my first statement is correct. mysql_escape_string does have some problems. You have to use mysql_real_escape_string to be sure if you are inserting binary data into the database as there can be potential injection attacks done otherwise.

      I said mysql_escape_string like I could have said sqlite_escape_string or your_rdbms_escape_string. The actual function name matters little.

      If you think that most PHP developers are extremely bad, I think that you need to look around at all developers. You find really bad code in all languages

      In my experience, the average C++ programmer is very bad. Yet he is way better than the average Java programmer, which is in turn way better than the average PHP programmer.
      It seems that the more the language requires skill to use, the more the actual average programmer is skilled (this is obviously a big generalization).

      As a matter of fact, I doubt the average PHP programmer is able to parse some data according to some grammar (PHP doesn't even have built-in support for lex/yacc-like functionality, so it does not make it any easier).
      If the average PHP programmer even understands PCRE, he's above average. (as a matter of fact, a lot of PHP applications implement parsers using them, even when they're totally ill-suited and far from asymptotically optimal -- a potential justification is that PHP is so slow it's much faster to rely on an engine coded in C anyway)

      I think that you are sadly mistaken, especially if you think this "Web 2.0" thing is a hype

      It's a new name for a concept that is not new at all, the web has always been like this, people are just rediscovering it.
      Hence it is nothing more than a buzz.

    11. Re:Just teach people how to code by loufoque · · Score: 1

      The rest could be made a lot easier with a static type system where you can create a type HtmlString and offer htmlspecialchars() as the only conversion from String to HtmlString, and only allow instances of HtmlString to be output. Similarly for SQL.

      Could be interesting.
      I guess you could implement that approach in any language with support for user-defined implicit conversions (C++ comes to mind, albeit I've heard Scala does it too).

      Now, don't get me wrong. I don't like typing type names all the time.

      Typing the types explicitly is only possible for statically typed variables, and PHP is dynamically typed (well, it does allow to add explicit type information, but it's nothing more than a runtime check).

      Which is why type inference is for the win. It's a shame it hasn't become popular outside the ML family (ML, OCaml, Haskell, probably others).

      Type inference (lambda calculus style) is not really compatible with implicit conversions, if I remember correctly.
      That is why, for example, you need to explicitly upcast objects in OCaml.

    12. Re:Just teach people how to code by Waccoon · · Score: 1

      It would also help if PHP had a decent built-in template engine. PHP is supposed to be a template language, but (supposedly) up to PHP 6, it can't even handle UTF-8 encoding.

      Anything in PEAR isn't much use, either, because my scripts are designed to be redistributed and run on shared servers. These servers usually don't have any PEAR modules installed.

  13. DarkReading! by jginspace · · Score: 3, Informative
    TFA is just blog spam. See source.

    And I wonder, are the maintainers of schoolmate and webchess now frantically patching their code? None of the articles gives dates - although the PDF is more than 18 months old.

    1. Re:DarkReading! by jginspace · · Score: 1

      And this linked page is from June 2.

      (In the above post I meant 9 months, not 18 months.)

  14. fire the editor by Anonymous Coward · · Score: 0

    "A group of researchers from MIT, Stanford, and Syracuse has developed a new program, named 'Ardilla,' which can analyze PHP code for cross-site scripting (XSS) and SQL injection attack vulnerabilities. (Here is the paper, in PDF, and a table of results from scanning six PHP applications.) Ardilla uses a modified Zend interpreter to analyze the code, trace the data, and determine whether the threat is real or not, significantly decreasing false positives."

    They've written a program named: 'Ardilla,', complete with a comma in the name. Complete sentences in parenthesis. Misspelled word in headline. Seriously kdawson, it's not like you're going for "frist post". Take a minute or two to fucking edit.

  15. Re:Looks Like We Have A New Champion... by Anonymous Coward · · Score: 0

    Megan Fox's Tits

    Or the lack thereof..

  16. Similar tool by PrecorInc · · Score: 1

    There is a similar tool available under a BSD license called PHPAudit, but it does seem to generate a few more false positives than the one linked in this article... Its site is http://phpaudit.precor-incorporated.com/

    1. Re:Similar tool by bakaorg · · Score: 1

      Did you actually follow that link? It goes to a junk page.

      Perhaps one of these tools will be more useful:

      • http://code.google.com/p/ratproxy/
      • http://developer.spikesource.com/wiki/index.php/Projects:phpsecaudit
      • http://pixybox.seclab.tuwien.ac.at/pixy/
    2. Re:Similar tool by bakaorg · · Score: 1

      Grrrr. I didn't notice the lack of linking during preview.

      Did you actually follow that link? It goes to a junk page.

      Perhaps one of these tools will be more useful:

    3. Re:Similar tool by jginspace · · Score: 1

      He just spammed that domain in another thread as well. So desperate...

  17. Why not fix PHP instead? by Anonymous Coward · · Score: 0

    How many XSS and SQL vulnerabilities would be a non-issue if the PHP language made it impossible for these to occur by default without explicit indication that it should be allowed?

    Don't tell me it's impossible or even hard because I've been there, done that.

  18. not possible by Lord+Ender · · Score: 2, Interesting

    I agree that it is possible (but difficult) to identify sql injection vulnerabilities with automated code inspection. I do not think XSS can be identified so easily. In a web app, user-submitted text is added to a database. Then who-knows-what happens to it. Eventually, something based on that text is submitted as output, at which time special characters must be escaped.

    The only way to accurately identify XSS in such a scenario is to track the input from the user, into the database, and back out, so that you know the special characters are escaped. That's not something software could accurately do for a general case, without tons of false positives.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:not possible by Anonymous Coward · · Score: 0

      Ardilla attempts to do exactly what you propose with (2nd-order) XSS attacks - track tainted input from the user, into the database, and back out

  19. Closed != Bad by Celeste+R · · Score: 1

    Unfortunately, license issues prevent the tool in its current form from being released as open source.

    The existence of a tool (even if it's pricey) is invaluable; especially when compared to inferior tools. If we want a FOSS solution, all that's stopping us is ourselves.

    --
    There are no perfect answers, only the right questions. More questions at http://foresightandhindsight.blogspot.com/
  20. That's oversimplistic by Chuck+Chunder · · Score: 1

    If people aren't using escaping functions like that at all then this tool isn't really needed, a simple parser could see the functions aren't being called. This tool seems like it may be useful for catching occasional cases where something has mistakenly been omitted. I.e. because people are imperfect, not because they are clueless.

    That said I don't think it's really something that developers should have to care about. PHP is primarily a language for interacting with databases and web browsers and as such should make this easier (to the extent of not requiring any code at all). I work on PHP applications and we have a heap of code using all the escaping functions and it makes an ugly, overly verbose mess. I'm currently near the end of a DB layer which takes care of escaping automatically (the layer 'knows' the DB schema and uses that knowledge to validate and escape input automatically).

    The coder shouldn't need to state that data going to the DB needs escaping, it should happen automatically.

    Similarly I'm disappointed that things like Smarty need special instruction in order to escape variables heading to the browser. Almost everything in a web app should be escaped, Smarty should do that by default and require a special modifier to be set in the rare instances it isn't desired.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park