By DeepSource

Audit required: Presence of debug function found PHP-A1012

Debugging functions such as var_dump, print_r or var_export should not be kept in production code. These functions display information about the variable, which can be helpful during development. However, if they contain any sensitive information, the presence of these functions in production code can expose that. Therefore, it is advised to avoid using it in production.

Audit required: Use of insecure eval() function found PHP-A1000

eval() function allows execution of an arbitrary PHP code. Executing code dynamically is security-sensitive and should be avoided.

Audit required: Use of an insecure cipher PHP-A1007

Cipher algorithm used to encrypt data is not strong. Using weak cipher algorithm such as RC2, RC4, DES, MD5, etc. for encrypting sensitive data can be vulnerable to several attacks.

Audit required: Insecure use of logger PHP-A1011

Logging user-provided values directly can put application vulnerable to multiple attack vectors. Superglobal variables contains values specified by the user, which are considered as tainted and untrusted. Therefore, it is discouraged to pass these variables directly to the logger.

Audit required: Include statements might be vulnerable to injection attacks PHP-A1001

The include (or require) statements are used to include and copy all the text/code/markup from an external file into the file that uses the include statement. This issue flags the use of this statement when a user-provided value is directly used in it.

Using user-provided values to construct the include/require statement can allow an attacker to control which files are included, giving them the ability to execute arbitrary code.

Audit required: SQL query might be vulnerable to injection attacks PHP-A1002

Using user-provided data while executing an SQL query can lead to SQL injection attacks. An SQL injection attack consists of the insertion or "injection" of a malformed SQL query via the input data given to an application. It is a prevalent attack vector and causes significant damage if the incoming data is not properly sanitized.

Directory created with insecure permissions PHP-A1006

Excessive permissions are granted when creating a directory. This issue is raised when permission greater than 0755 is given, or permissions argument is not specified when creating a directory using mkdir() function. By default, mkdir() function gives universal access(0777) to created folders.

The permission number can be a 3 or 4-digit numeric, where the first digit states permissions for the file owner, the second digit is for the file group, and the last digit states the permission all other users. Each write, read, and execute permissions have the following number value:

  • r (read) = 4
  • w (write) = 2
  • x (execute) = 1
  • no permissions = 0

So as an example, to give full permission to file owner and read permission to the group and all other users, use 0744 while creating a directory.

Audit required: Function may be vulnerable to arbitrary commands execution PHP-A1009

Using exec, passthru, shell_exec or, system functions to execute command can make the application vulnerable to arbitrary commands execution, if the user-supplied data is escaped or sanitized properly before passing them.

Though functions like escapeshellarg and escapeshellcmd exists which can be used to escape the command and shell argument. But the lack of cross-operating system compatibility of these functions relying on it is discouraged.

Use of deprecated libxml_disable_entity_loader() PHP-W1086

The libxml_disable_entity_loader() function has been deprecated since PHP 8.0.0. Relying on this function is highly discouraged. It is recommended to use libxml_set_external_entity_loader() to suppress loading of external entities.