Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Testing PHP files

5 views
Skip to first unread message

astral

unread,
Jun 10, 2010, 8:07:54 AM6/10/10
to
Is there Windows32 application for offline testing PHP files for potential
vulnerabilities and bugs (mysql injection, etc), without installing PHP.

Thanks.

Johannes Keßler

unread,
Jun 10, 2010, 8:09:43 AM6/10/10
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Would you test drive a car without the driver ?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)

iEYEARECAAYFAkwQ1gcACgkQE++2Zdc7Etd5jgCfdD8AIWL4YDBL+BZWq5Cxv6Vd
BmsAoJHTWUy6hvrxBtVk/p+xfQNOEhAK
=u84G
-----END PGP SIGNATURE-----

rf

unread,
Jun 10, 2010, 9:21:59 AM6/10/10
to

"astral" <ast...@news.eternal-september.org> wrote in message
news:huqkiu$f1s$1...@news.eternal-september.org...

> Is there Windows32 application for offline testing PHP files for potential
> vulnerabilities and bugs (mysql injection, etc), without installing PHP.

No.

Jerry Stuckle

unread,
Jun 10, 2010, 9:31:34 AM6/10/10
to

Yes. It's called "Intelligence". The major prereq is "Brain". Other
prereqs include "Knowledge" and "Understanding".

In short - there is no application which will check for vulnerabilities
or bugs, in PHP or any other language. About all such a program can do
is flag common syntax mistakes like "if ($a=3)" (using "=" instead of "==".

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstu...@attglobal.net
==================

Adrienne Boswell

unread,
Jun 13, 2010, 1:39:34 PM6/13/10
to
Gazing into my crystal ball I observed "astral"
<ast...@news.eternal-september.org> writing in
news:huqkiu$f1s$1...@news.eternal-september.org:

Yes, it's called IIS. Enable IIS, and install PHP and MySQL. Then you
can do your testing/hacking on your local server.

As far as MySQL injection, the most important thing to remember is not
to trust anything coming from the client. Validate ALL input from the
client, where from a form or a querystring. Try not to do dynamic
queries, use parameterized queries or use stored procedures. Use
mysql_real_escape_string where applicable.

--
Adrienne Boswell at Home
Arbpen Web Site Design Services
http://www.cavalcade-of-coding.info
Please respond to the group so others can share

Beauregard T. Shagnasty

unread,
Jun 13, 2010, 4:13:52 PM6/13/10
to
Adrienne Boswell wrote:

> Yes, it's called IIS. Enable IIS, and install PHP and MySQL. Then
> you can do your testing/hacking on your local server.

WAMP or XAMPP is easier... ;-)

--
-bts
-Four wheels carry the body; two wheels move the soul

Raymond Schmit

unread,
Jun 13, 2010, 6:01:52 PM6/13/10
to
On Sun, 13 Jun 2010 17:39:34 +0000 (UTC), Adrienne Boswell
<arb...@yahoo.com> wrote:

>Gazing into my crystal ball I observed "astral"
><ast...@news.eternal-september.org> writing in
>news:huqkiu$f1s$1...@news.eternal-september.org:
>
>> Is there Windows32 application for offline testing PHP files for
>> potential vulnerabilities and bugs (mysql injection, etc), without
>> installing PHP.
>>
>> Thanks.
>>
>
>Yes, it's called IIS. Enable IIS, and install PHP and MySQL. Then you
>can do your testing/hacking on your local server.
>

The question was *without* installing PHP :-)
BTW any webserver can be used ... not only IIS ...

J.O. Aho

unread,
Jun 14, 2010, 12:53:42 AM6/14/10
to
Adrienne Boswell wrote:
> Gazing into my crystal ball I observed "astral"
> <ast...@news.eternal-september.org> writing in
> news:huqkiu$f1s$1...@news.eternal-september.org:
>
>> Is there Windows32 application for offline testing PHP files for
>> potential vulnerabilities and bugs (mysql injection, etc), without
>> installing PHP.

You need PHP to validate the PHP code, there aren't any tool that will check
bad coding and warn you when you do something stupid. Let someone else review
your code.

There are some frameworks that adds some checking into the code which can be
used to doe some checking, take a look for "PHP Assertion Unit Framework", but
then you need to install LAMP/WAMP/MAMP, I do recommend the first one.


> Yes, it's called IIS. Enable IIS, and install PHP and MySQL. Then you
> can do your testing/hacking on your local server.

As majority of todays web-servers running Apache, it can bee a poor solution
to use iis, which don't work as well with php as Apache.
As Raymond wrote, you still need to install PHP, which was the criteria.


> As far as MySQL injection, the most important thing to remember is not
> to trust anything coming from the client. Validate ALL input from the
> client, where from a form or a querystring. Try not to do dynamic
> queries, use parameterized queries or use stored procedures. Use
> mysql_real_escape_string where applicable.

Even better to use mysqli.


--

//Aho

0 new messages