php-reaper: PHP tool to scan ADOdb code for SQL Injections
PHP-Reaper
PHP tool to scan ADOdb code for SQL Injections
Why
The main idea is to be able to detect problems as early as possible when the code is fresh in your mind. Shift as many checks as possible to the left. Automate as much as possible.
Running PHP-Reaper takes far less time than running a full-fledged automated security scanner against your application. A web security scanner may also miss SQL injection vulnerabilities that live in code which is hard to reach from the UI or that only runs under rare conditions. PHP-Reaper is fast and pinpoints the exact line where the problem lies, scanning all of your PHP ADOdb source code. Being a static check, it reports suspicious calls rather than proven injections, so its findings still need a quick review.
You’ll get the most out of PHP-Reaper if you run it on every commit. It’s made to be CI friendly and fast.
Examples
Out of laziness, time pressure or plain ignorance, PHP developers using ADOdb make mistakes like the following.
Vulnerable SQL query #1:
$dbConn->GetRow("SELECT * FROM users WHERE id = $user_id");
Correct SQL query #1:
$dbConn->GetRow("SELECT * FROM users WHERE id = ?", array($user_id));
Vulnerable SQL query #2:
$ids = join(',', $ids);
$dbConn->GetAll("SELECT * FROM campaigns WHERE id IN ({$ids})");
Correct SQL query #2:
$dbConn->GetAll('SELECT * FROM campaigns WHERE FIND_IN_SET(id, ' . $dbConn->Param('') . ')', array(join(',', $ids)));
Two things to note. In #1 the bound value has to be the variable itself, array($user_id); a single-quoted '$user_id' would bind the literal text $user_id, because PHP does not interpolate inside single quotes. In #2 the whole comma-separated list is bound as one string, which keeps the values out of the SQL text but is MySQL-specific and stops the database from using an index on id; binding one placeholder per element is the portable alternative.
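The per-element alternative to FIND_IN_SET, as an added example that is not code from the PHP-Reaper project or from the ADOdb documentation. It assumes $dbConn is an ADOdb connection object (for instance the result of ADONewConnection('mysqli') followed by Connect()) and uses only ADOdb's Param() and GetAll(); the id list in the comment is constructed input.

```php
<?php
// Added example, not from PHP-Reaper or ADOdb: bind an id list with one
// placeholder per element instead of FIND_IN_SET. $dbConn is assumed to be an
// ADOdb connection object.

/**
 * Fetch campaigns whose id is in $ids without ever interpolating a value
 * into the SQL text. Returns an array of rows, possibly empty.
 */
function campaignsByIds($dbConn, array $ids): array
{
    if ($ids === []) {
        return [];                      // "IN ()" is a syntax error, so short-circuit
    }
    $placeholders = [];
    $values = [];
    foreach (array_values($ids) as $i => $id) {
        // Defence in depth: ids are integers, so reject anything else before
        // it reaches the database at all
        if (!is_int($id) && !ctype_digit((string) $id)) {
            throw new InvalidArgumentException('non-integer campaign id: ' . var_export($id, true));
        }
        // Param() returns the placeholder syntax of the active driver
        // ('?' for drivers with positional binding, a named bind on oci8)
        $placeholders[] = $dbConn->Param($i);
        $values[] = (int) $id;
    }
    $sql = 'SELECT * FROM campaigns WHERE id IN (' . implode(', ', $placeholders) . ')';

    // SQL text and values travel separately; the driver binds $values to the placeholders
    $rows = $dbConn->GetAll($sql, $values);
    return $rows === false ? [] : $rows;
}

// Example call on constructed input. A value such as "1) OR 1=1 --" never
// becomes part of the query: it fails the integer check and raises instead.
// $rows = campaignsByIds($dbConn, [3, 17, 42]);
```

The query text is assembled only from a fixed string and placeholders, so nothing the caller passes can change its structure; the integer check is an extra guard against type confusion, not what prevents the injection.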
Dangerous ADOdb Methods
The following ADOdb methods are considered dangerous and are scanned for potential SQL injections: getone(), getrow(), getall(), getcol(), getassoc(), execute(), replace(). autoexecute() is not scanned because it quotes the field values it is given; note that the optional $where string it accepts in UPDATE mode is still raw SQL and remains your responsibility. If your code base has methods with the same names, e.g. a non-ADOdb execute(), you will see false positives. The fix is to rename such methods so that they no longer collide with ADOdb's, e.g. executeTask(). PHP-Reaper works this way because PHP is highly dynamic: static analysis cannot reliably determine the class of the object a method is called on.
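A dependency-free sketch of the name-based check described above, added here as an example; it is not PHP-Reaper's own code (which is built on PHP-Parser) and uses PHP's built-in token_get_all() instead. A call through "->" to one of the listed method names is reported when its first argument contains a variable other than the receiver of a Param() call. The sample source it scans is constructed for this example and reuses the queries from the Examples section.

```php
<?php
// Added example, not PHP-Reaper's code: a token-based version of the
// "dangerous method name" check. Like the real tool it does no data-flow
// tracking, so a bare $sql argument is reported as well.

const DANGEROUS_METHODS = ['getone', 'getrow', 'getall', 'getcol', 'getassoc', 'execute', 'replace'];

/** True when a variable inside the argument tokens can flow into the SQL text. */
function argumentUsesVariable(array $arg): bool
{
    foreach ($arg as $k => $t) {
        if (!is_array($t) || $t[0] !== T_VARIABLE) {
            continue;
        }
        // "$conn->Param(...)" only contributes a placeholder, so allow that one shape
        $op   = $arg[$k + 1] ?? null;
        $name = $arg[$k + 2] ?? null;
        if (is_array($op) && $op[0] === T_OBJECT_OPERATOR
            && is_array($name) && $name[0] === T_STRING && strtolower($name[1]) === 'param') {
            continue;
        }
        return true;
    }
    return false;
}

/** Returns [['line' => int, 'method' => string], ...] for each suspicious call in $code. */
function findSuspiciousCalls(string $code): array
{
    $tokens = token_get_all($code);
    $n = count($tokens);
    $findings = [];

    for ($i = 0; $i + 1 < $n; $i++) {
        $op = $tokens[$i];
        $name = $tokens[$i + 1];
        if (!is_array($op) || $op[0] !== T_OBJECT_OPERATOR
            || !is_array($name) || $name[0] !== T_STRING
            || !in_array(strtolower($name[1]), DANGEROUS_METHODS, true)) {
            continue;
        }
        // Skip whitespace between the method name and its opening parenthesis
        $j = $i + 2;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $n || $tokens[$j] !== '(') {
            continue;                    // property access, not a call
        }
        // Collect the first argument: everything up to a ',' or ')' at nesting depth 0
        $arg = [];
        $depth = 0;
        for ($j++; $j < $n; $j++) {
            $t = $tokens[$j];
            if ($t === '(' || $t === '[') {
                $depth++;
            } elseif ($t === ')' || $t === ']') {
                if ($depth === 0) {
                    break;
                }
                $depth--;
            } elseif ($t === ',' && $depth === 0) {
                break;
            }
            if (is_array($t) && ($t[0] === T_WHITESPACE || $t[0] === T_COMMENT)) {
                continue;
            }
            $arg[] = $t;
        }
        if (argumentUsesVariable($arg)) {
            $findings[] = ['line' => $name[2], 'method' => $name[1]];
        }
    }
    return $findings;
}

// Constructed sample that reuses the queries from the Examples section
$sample = <<<'PHP'
<?php
$dbConn->GetRow("SELECT * FROM users WHERE id = $user_id");
$dbConn->GetRow("SELECT * FROM users WHERE id = ?", array($user_id));
$ids = join(',', $ids);
$dbConn->GetAll("SELECT * FROM campaigns WHERE id IN ({$ids})");
$dbConn->GetAll('SELECT * FROM campaigns WHERE FIND_IN_SET(id, ' . $dbConn->Param('') . ')', array(join(',', $ids)));
$task->execute($payload);
PHP;

foreach (findSuspiciousCalls($sample) as $f) {
    printf("line %d: %s() builds its SQL from a variable\n", $f['line'], $f['method']);
}
```

On the sample it reports the GetRow and GetAll calls that interpolate $user_id and {$ids} (lines 2 and 5) and leaves the two parameterized calls alone; it also reports $task->execute($payload) on line 7, which is exactly the kind of same-name false positive the text describes, since nothing in the tokens says whether $task is an ADOdb connection.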
PHP Parser
PHP-Reaper uses the excellent PHP parser of the same name, PHP-Parser (nikic/PHP-Parser), currently version 1.4.1.
Download
git clone https://github.com/emanuil/php-reaper.git
Usage
Recursively scan a directory of PHP files:
php php-reaper -d directory_with_php_files
or scan a single file:
php php-reaper -f single_file.php
Source: https://github.com/emanuil/