Summary

Add PHP language support. PHP powers 77% of websites and AI tools frequently generate vulnerable PHP code.

Patterns to Detect

Security

- `eval()`, `assert()` — code injection
- `mysqli_query()` with string interpolation — SQL injection
- `$_GET`, `$_POST` used directly in queries
- `exec()`, `shell_exec()`, `system()`, `passthru()` — command injection
- `include()` / `require()` with user input — LFI/RFI
- `echo $_SERVER['PHP_SELF']` — XSS
- `preg_replace()` with `/e` modifier
- `unserialize()` on user input — PHP object injection
- `header()` redirect without `exit`
- `extract()` — variable injection

Hallucinations

- Non-existent PHP functions
- Invented WordPress/WooCommerce hooks
- Fake Laravel facades
- Non-existent PECL extensions

Logic

- Empty catch blocks
- `==` instead of `===` (type coercion bugs)
- Missing `isset()` checks
- Resource leaks (unclosed DB connections, file handles)
Acceptance Criteria

- `.php` files auto-detected

Difficulty

Intermediate — PHP has consistent syntax patterns well-suited for regex analysis.
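To make the pattern lists concrete, here is a small regex-based scanner written as an added example for this issue; it is not code from this project, and the rule labels, the `Finding` type, the `is_php_file` / `scan_php` function names and the sample PHP file are all my own constructions. It covers the Security list, the `==`, `isset()` and empty-catch items from the Logic list, and the `.php` auto-detection criterion. Every rule is line-local except the empty-catch and redirect-without-exit checks, which look at neighbouring lines.

```python
"""Regex-based PHP pattern scanner: constructed example for this issue, not project code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Finding:
    line: int
    rule: str       # rule label (my own names, not identifiers from the project)
    category: str   # "security" or "logic"


SUPERGLOBALS = r"\$_(GET|POST|REQUEST|COOKIE)\b"

# Line-local rules: (label, category, regex). Each fires when a single source line matches.
LINE_RULES = [
    ("code-injection", "security", re.compile(r"\b(eval|assert)\s*\(")),
    ("command-injection", "security", re.compile(r"\b(exec|shell_exec|system|passthru)\s*\(")),
    # mysqli_query(...) whose double-quoted query string interpolates a variable
    ("sql-injection", "security", re.compile(r'\bmysqli_query\s*\([^;]*"[^"]*\$\w+')),
    # a request superglobal passed straight into a query call
    ("superglobal-in-query", "security",
     re.compile(r"\b(mysqli_query|mysql_query|query)\s*\([^;]*" + SUPERGLOBALS)),
    ("lfi-rfi", "security", re.compile(r"\b(include|require)(_once)?\b[^;]*" + SUPERGLOBALS)),
    ("xss-php-self", "security", re.compile(r"\becho\s+\$_SERVER\[\s*['\"]PHP_SELF['\"]\s*\]")),
    # literal first argument of preg_replace whose modifier list contains 'e'
    ("preg-replace-e", "security",
     re.compile(r"\bpreg_replace\s*\(\s*(['\"])[^'\"]*/[a-zA-Z]*e[a-zA-Z]*\1")),
    ("object-injection", "security", re.compile(r"\bunserialize\s*\([^;]*" + SUPERGLOBALS)),
    ("variable-injection", "security", re.compile(r"\bextract\s*\(")),
    # == or != that is not part of ===, !==, <= or >=
    ("loose-equality", "logic", re.compile(r"(?<![=!<>])(==|!=)(?!=)")),
]

# Checks that need more than one line.
EMPTY_CATCH = re.compile(r"\bcatch\s*\([^)]*\)\s*\{\s*\}")
HEADER_LOCATION = re.compile(r"\bheader\s*\(\s*['\"]\s*Location:", re.IGNORECASE)
EXIT_OR_DIE = re.compile(r"\b(exit|die)\b")
SUPERGLOBAL_READ = re.compile(r"\$_(GET|POST)\s*\[")
GUARDED = re.compile(r"\b(isset|empty|array_key_exists|filter_input)\s*\(|\?\?")


def is_php_file(path: str, head: str = "") -> bool:
    """Auto-detect PHP by the .php extension, or by an opening <?php tag for other names."""
    return path.lower().endswith(".php") or head.lstrip().startswith("<?php")


def scan_php(source: str) -> list[Finding]:
    """Return all findings for one PHP source text, sorted by line."""
    findings: list[Finding] = []
    lines = source.splitlines()
    for no, line in enumerate(lines, start=1):
        for label, category, rx in LINE_RULES:
            if rx.search(line):
                findings.append(Finding(no, label, category))
        # header("Location: ...") keeps executing unless exit/die follows it
        if HEADER_LOCATION.search(line):
            nxt = next((l for l in lines[no:] if l.strip()), "")
            if not (EXIT_OR_DIE.search(line) or EXIT_OR_DIE.search(nxt)):
                findings.append(Finding(no, "redirect-without-exit", "security"))
        # $_GET/$_POST index read with no isset/empty/?? guard on the same line
        if SUPERGLOBAL_READ.search(line) and not GUARDED.search(line):
            findings.append(Finding(no, "missing-isset", "logic"))
    for m in EMPTY_CATCH.finditer(source):
        findings.append(Finding(source.count("\n", 0, m.start()) + 1, "empty-catch", "logic"))
    return sorted(findings)


# Constructed sample: every line below is deliberately written to trip one of the rules.
SAMPLE = r'''<?php
// constructed sample, deliberately insecure
$id = $_GET['id'];
$res = mysqli_query($conn, "SELECT * FROM users WHERE id = $id");
include($_GET['page'] . ".php");
if ($_POST['token'] == $expected) {
    eval($_POST['code']);
}
echo $_SERVER['PHP_SELF'];
$out = preg_replace('/(.*)/e', 'strtoupper("\1")', $input);
$obj = unserialize($_COOKIE['session']);
extract($_REQUEST);
try { system("ls " . $dir); } catch (Exception $e) { }
header("Location: /login.php");
echo "still running";
'''

if __name__ == "__main__":
    for f in scan_php(SAMPLE):
        print(f"line {f.line:>2}  {f.category:<8} {f.rule}")
```

Two caveats worth keeping in mind when turning this into real rules: the `missing-isset` check only sees one line, so a read guarded by `isset()` on an earlier line is reported as a false positive, and the `sql-injection` rule only catches double-quoted interpolation, not concatenation with `.`; a tokenizer-level pass would tighten both.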