Documentation
Overview ¶
Package php provides PHP database-related patterns
Package php (frameworks.go) provides the PHP framework pattern registry and string-based patterns. The string-based pattern lists are derived dynamically from the registered framework patterns.
Package php provides PHP function patterns for input source detection ¶
Package php provides PHP-specific source type inference ¶
Package php provides centralized PHP patterns for semantic analysis. All PHP-specific regex patterns should be defined here to avoid duplication.
Package php provides PHP-specific patterns for input tracing.
Index ¶
- Constants
- Variables
- func BuildConditionalPattern(superglobal string) *regexp.Regexp
- func BuildDirectAssignPattern(propertyName string) *regexp.Regexp
- func BuildMethodCallPattern(methodName string) *regexp.Regexp
- func BuildPropertyAccessPattern(propertyName string) *regexp.Regexp
- func BuildPropertyAssignLoopPattern(propertyName, keyVar, valVar string) *regexp.Regexp
- func BuildReturnPropertyArrayPattern(propertyName string) *regexp.Regexp
- func BuildReturnPropertyPattern(propertyName string) *regexp.Regexp
- func BuildThisArrayPropertyAssignPattern(paramName string) *regexp.Regexp
- func BuildThisPropertyAssignPattern(paramName string) *regexp.Regexp
- func ContainsCurlFunction(expr string) bool
- func ContainsDeserializationFunction(expr string) bool
- func ContainsInputFunction(expr string) bool
- func ContainsNetworkFunction(expr string) bool
- func ContainsSuperglobal(text string) (bool, string)
- func DetectFrameworkFromImports(imports []string) []string
- func DetectFrameworkFromSource(source string) []string
- func DetectFrameworks(imports []string, classNames []string, source string) []string
- func GetAllPatterns() []*common.FrameworkPattern
- func GetInputFunctionSourceType(funcName string) common.SourceType
- func GetInputMethodPatterns() []string
- func GetInputPropertyPatterns() []string
- func GetPatternByID(id string) *common.FrameworkPattern
- func GetPatternsByFramework(framework string) []*common.FrameworkPattern
- func GetTypeHintPatterns(varName string) []*regexp.Regexp
- func IdentifyExternalDataSource(expr string) (common.SourceType, float64)
- func InferSourceTypeFromExpression(expr string) common.SourceType
- func InferSourceTypeFromMethodName(methodName string) common.SourceType
- func InferSourceTypeFromPropertyName(propName string) common.SourceType
- func IsContextDependentMethod(methodName string) bool
- func IsDatabaseFetchMethod(methodName string) bool
- func IsDatabaseQueryMethod(methodName string) bool
- func IsDatabaseResultObject(objName string) bool
- func IsDeserializationFunction(funcName string) bool
- func IsExcludedMethod(methodName string) bool
- func IsExternalDataFunction(funcName string) bool
- func IsInputFunction(funcName string) bool
- func IsInputMethod(methodName string) bool
- func IsInputMethodCall(expr string) bool
- func IsInputObject(objName string) bool
- func IsInputProperty(propName string) bool
- func IsInputPropertyAccess(expr string) bool
- func IsMySQLiFetchMethod(methodName string) bool
- func IsNetworkFunction(funcName string) bool
- func IsPDOFetchMethod(methodName string) bool
- func IsPHPFile(path string) bool
- func MatchesInputCarrier(objName, propOrMethodName string, isMethod bool) bool
- type ConcatMatch
- type EscapeMatch
- type FrameworkDetection
- type Matcher
- type SQLEmbeddedMatch
Constants ¶
// PHPConstructorName is the magic method name PHP uses for class constructors.
const PHPConstructorName = "__construct"
PHPConstructorName is the name of PHP constructor methods
// PHPFileExtension is the canonical PHP source file extension, including the
// leading dot. PHPFileExtensions holds the wider list of recognized extensions.
const PHPFileExtension = ".php"
PHPFileExtension is the file extension for PHP files
// PHPInputConstant is the name of the "php://input" stream wrapper. In PHP
// this stream exposes the raw request body, so anything read through it
// should be treated as untrusted input.
const PHPInputConstant = "php://input"
PHPInputConstant is the php://input constant value
Variables ¶
var (
	// InputMethodPattern matches method names that are always treated as
	// user-input accessors. Matching is case-insensitive and anchored to the
	// whole name. With an optional "get" or "get_" prefix it accepts:
	//   - explicit input getters: input, var, variable
	//   - PSR-7 style accessors: queryParams, parsedBody, cookieParams,
	//     serverParams, uploadedFiles (each with an optional underscore)
	//   - header, headers and all
	//   - post, cookie, param and their plural forms
	// A bare "query" or "getQuery" is NOT matched; only the queryParams forms
	// are.
	InputMethodPattern = regexp.MustCompile(`(?i)^(get_?)?(input|var|variable|query_?params?|parsed_?body|cookie_?params?|server_?params?|uploaded_?files?|headers?|all)$|^(get_?)?(post|cookie|param)s?$`)

	// InputPropertyPattern matches property names that typically hold user
	// input (for array access such as ->input['key']). Case-insensitive and
	// anchored. Accepts: input, request, param(s), query, cookie(s),
	// header(s), body, data, arg(s), post, get, file(s), server,
	// attribute(s), payload. The trailing `s?` applies to every alternative,
	// so doubled plurals such as "paramss" also match.
	InputPropertyPattern = regexp.MustCompile(`(?i)^(input|request|params?|query|cookies?|headers?|body|data|args?|post|get|files?|server|attributes?|payload)s?$`)

	// InputObjectPattern matches object or variable names that suggest an
	// input carrier, and chain calls such as "->getRequest()" or
	// "Factory::getApplication()->getInput()".
	// The expression is unanchored: it matches when one of the words occurs
	// anywhere in the text, so a name such as "frequency" (contains "req")
	// also matches.
	// NOTE(review): confirm callers tolerate these substring matches.
	InputObjectPattern = regexp.MustCompile(`(?i)(request|input|req|params?|http|ctx|context|getRequest\(\)|getApplication\(\))`)

	// ExcludeMethodPattern lists method names to EXCLUDE from input detection
	// in order to reduce false positives. Case-insensitive and anchored.
	// NOTE(review): getBody (PSR-7) and getContent (Symfony) return the raw
	// request body when called on a request object, so excluding them can
	// hide a real source — confirm those cases are covered elsewhere.
	ExcludeMethodPattern = regexp.MustCompile(`(?i)^(getData|getBody|getContent|fetch|find|load|read)$`)

	// ContextDependentMethodPattern matches names such as getVal, getText,
	// getInt and getBool, which MediaWiki uses on request objects but which
	// also appear on many unrelated objects. These should only count as
	// input when the receiver looks like a request.
	ContextDependentMethodPattern = regexp.MustCompile(`(?i)^(get_?)?(val|text|int|bool|array|raw_?val|check)$`)
)
// Patterns for property values interpolated into SQL string literals. A match
// marks a place where a value is spliced into query text instead of being
// bound as a parameter.
var (
	// SQLCurlyBracePattern matches curly-brace interpolation of an array
	// element, {$var->prop['key']}.
	// Groups: 1 = variable, 2 = property, 3 = key.
	SQLCurlyBracePattern = regexp.MustCompile(`\{\s*\$(\w+)->(\w+)\s*\[\s*['"]([^'"]+)['"]\s*\]\s*\}`)

	// SQLSimpleCurlyPattern matches curly-brace interpolation of a plain
	// property, {$var->prop}. Groups: 1 = variable, 2 = property.
	SQLSimpleCurlyPattern = regexp.MustCompile(`\{\s*\$(\w+)->(\w+)\s*\}`)

	// SQLNoCurlyPattern matches "...$var->prop['key']" inside a double-quoted
	// string without curly braces. The array subscript is required: a bare
	// "$var->prop" with no ['key'] is not matched by this expression.
	// Groups: 1 = variable, 2 = property, 3 = key.
	SQLNoCurlyPattern = regexp.MustCompile(`"\s*[^"]*\$(\w+)->(\w+)\s*\[\s*['"]([^'"]+)['"]\s*\]`)
)
// Patterns for property values joined into a string with the PHP "." operator.
// Both require a dot on each side of the operand, so an operand at the very
// start or end of the expression is not matched.
var (
	// ConcatPattern matches ". $var->prop['key'] ." and similar
	// concatenations. Groups: 1 = variable, 2 = property, 3 = key.
	ConcatPattern = regexp.MustCompile(`\.\s*\$(\w+)->(\w+)\s*\[\s*['"]([^'"]+)['"]\s*\]\s*\.`)

	// SimpleConcatPattern matches ". $var->prop ." concatenation of a plain
	// property. Groups: 1 = variable, 2 = property.
	SimpleConcatPattern = regexp.MustCompile(`\.\s*\$(\w+)->(\w+)\s*\.`)
)
// Patterns for expressions wrapped in an escape-style call. The function name
// group is `\w*escape\w*`: any identifier that contains the lowercase text
// "escape" matches, regardless of what the function actually does.
// NOTE(review): a match only proves the name contains "escape"; it does not
// show that the escaping fits the context the value ends up in (SQL, shell,
// HTML). Confirm consumers do not treat every match as fully sanitized.
var (
	// EscapeWithPropArrayPattern matches escape_string($var->prop['key']) or
	// $db->escape_string($var->prop['key']).
	// Groups: 1 = function name, 2 = variable, 3 = property, 4 = key.
	EscapeWithPropArrayPattern = regexp.MustCompile(`(\w*escape\w*)\s*\(\s*\$(\w+)->(\w+)\s*\[\s*['"]([^'"]+)['"]\s*\]\s*\)`)

	// EscapeSimplePropPattern matches an escape call around a plain property,
	// escape($var->prop). Groups: 1 = function name, 2 = variable,
	// 3 = property.
	EscapeSimplePropPattern = regexp.MustCompile(`(\w*escape\w*)\s*\(\s*\$(\w+)->(\w+)\s*\)`)

	// EscapeVarPattern matches an escape call around a plain variable,
	// escape($var). Groups: 1 = function name, 2 = variable.
	EscapeVarPattern = regexp.MustCompile(`(\w*escape\w*)\s*\(\s*\$(\w+)\s*\)`)
)
var (
	// GlobalsPattern matches $GLOBALS['varname'] or $GLOBALS["varname"] and
	// captures the variable name in group 1. Only literal keys made of word
	// characters are matched.
	GlobalsPattern = regexp.MustCompile(`\$GLOBALS\[['"](\w+)['"]\]`)

	// DIContainerPattern matches the DI container lookup $var->get('service')
	// and captures the service name in group 1.
	// NOTE(review): the expression accepts any receiver, so a call such as
	// $request->get('id') has the same shape — confirm callers tell container
	// lookups apart from input getters.
	DIContainerPattern = regexp.MustCompile(`\$\w+->get\(['"]([^'"]+)['"]\)`)
)
// Compiled patterns and fmt-style regex templates for $this-> flows. The
// *Template values are plain strings whose %s verbs are filled in by the
// matching Build* helper before compilation.
// NOTE(review): the substituted text becomes part of the regex; presumably
// the Build* helpers pass it through regexp.QuoteMeta — confirm, since a name
// containing metacharacters would otherwise change or break the pattern.
var (
	// ThisMethodCallPattern matches $this->methodName($arg).
	// Groups: 1 = method name, 2 = raw argument text up to the first ")".
	ThisMethodCallPattern = regexp.MustCompile(`\$this->(\w+)\(([^)]*)\)`)

	// PropertyAssignLoopPatternTemplate is the template for
	// $this->property[$key] = $val. The three %s verbs are, in order, the
	// property name, the key variable and the value variable.
	// Use BuildPropertyAssignLoopPattern to obtain a compiled pattern.
	PropertyAssignLoopPatternTemplate = `\$this->(%s)\[\$%s\]\s*=\s*\$%s`

	// ForeachPattern matches foreach($array as $key => $val).
	// Groups: 1 = array variable, 2 = key variable, 3 = value variable.
	ForeachPattern = regexp.MustCompile(`foreach\s*\(\s*\$(\w+)\s+as\s+\$(\w+)\s*=>\s*\$(\w+)\s*\)`)

	// DirectAssignPatternTemplate is the template for
	// $this->property = $something; group 1 captures the right-hand side up
	// to the next ";". Use BuildDirectAssignPattern for a specific property.
	DirectAssignPatternTemplate = `\$this->%s\s*=\s*([^;]+)`

	// ConditionalPatternTemplate is the template for
	// if ($_SUPERGLOBAL[anything]); group 1 captures the key, with or without
	// quotes. Use BuildConditionalPattern for a specific superglobal.
	ConditionalPatternTemplate = `if\s*\(\s*%s\[['"]?(\w+)['"]?\]`
)
var (
	// ThisPropertyAssignPattern matches $this->property = ... and captures
	// the property name. Used to detect constructor or method parameters
	// flowing into properties.
	// The expression stops at the first "=", so a comparison such as
	// $this->property == $x matches as well.
	ThisPropertyAssignPattern = regexp.MustCompile(`\$this->(\w+)\s*=`)

	// ThisArrayPropertyAssignPattern matches $this->property[...] = ... and
	// captures the property name. The subscript is matched with a greedy
	// `.*`, so it extends to the last "]" on the line that is followed by "=".
	ThisArrayPropertyAssignPattern = regexp.MustCompile(`\$this->(\w+)\[.*\]\s*=`)

	// ArrayKeyAccessPattern matches ['key'] or ["key"] and captures the key.
	// Used to extract literal array keys from expressions.
	ArrayKeyAccessPattern = regexp.MustCompile(`\[['"](\w+)['"]\]`)

	// VariableKeyAccessPattern matches [$variable] and captures the variable,
	// including its leading "$". Used to extract variable-based array access.
	VariableKeyAccessPattern = regexp.MustCompile(`\[(\$\w+)\]`)

	// ReturnThisPropertyPrefix is the static regex prefix for
	// "return $this->property" patterns. Use BuildReturnPropertyPattern to
	// build a pattern for a specific property name.
	ReturnThisPropertyPrefix = `return\s+\$this->`

	// MethodCallSuffix is the regex suffix for method calls: an escaped
	// opening parenthesis.
	MethodCallSuffix = `\(`
)
// AllDatabaseFetchMethods is the set of database fetch method names. Its keys
// are the union of PDOFetchMethods and MySQLiFetchMethods, but it is a
// separate literal, so additions to either of those maps must be repeated here.
var AllDatabaseFetchMethods = map[string]bool{
	// PDOStatement methods.
	"fetch":       true,
	"fetchAll":    true,
	"fetchColumn": true,
	"fetchObject": true,
	// MySQLi result methods.
	"fetch_array":  true,
	"fetch_assoc":  true,
	"fetch_row":    true,
	"fetch_object": true,
	"fetch_all":    true,
}
AllDatabaseFetchMethods combines all database fetch method names
// DatabaseQueryMethods is the set of method names treated as database query
// sinks, i.e. calls whose arguments reach the database.
// NOTE(review): real_escape_string escapes a value rather than executing a
// query; confirm it is listed here on purpose and is not reported as a sink.
var DatabaseQueryMethods = map[string]bool{
	"query":              true,
	"exec":               true,
	"prepare":            true,
	"execute":            true,
	"real_query":         true,
	"multi_query":        true,
	"send_query":         true,
	"real_escape_string": true,
}
DatabaseQueryMethods are methods that execute database queries (sinks)
// DatabaseResultObjectPatterns lists name fragments that suggest a variable
// holds a database result or statement.
// NOTE(review): whether these are compared exactly or as substrings is decided
// by IsDatabaseResultObject, which is not shown here — confirm before adding
// short entries such as "res".
var DatabaseResultObjectPatterns = []string{
	"result",
	"stmt",
	"statement",
	"query",
	"res",
	"row",
	"rows",
}
DatabaseResultObjectPatterns matches object names that are likely database results
// DeserializationFunctions lists PHP functions that turn serialized or
// structured text into PHP values. Their input may come from an untrusted
// source, so the result is treated as externally controlled data.
var DeserializationFunctions = []string{
	// Native PHP serialization; can instantiate objects from the input.
	"unserialize",
	// JSON.
	"json_decode",
	// XML.
	"simplexml_load_string",
	"simplexml_load_file",
	// YAML (string, file and URL variants).
	"yaml_parse",
	"yaml_parse_file",
	"yaml_parse_url",
	// Binary serializers.
	"msgpack_unpack",
	"igbinary_unserialize",
	// Query-string parsing into variables or an array.
	"parse_str",
	"mb_parse_str",
}
DeserializationFunctions are functions that deserialize external data. The data being deserialized may come from untrusted sources.
// DeserializationFunctionsMap is a set view of DeserializationFunctions. It is
// built once when the package is initialized so that membership checks are a
// single map lookup.
var DeserializationFunctionsMap = func() map[string]bool {
	set := make(map[string]bool, len(DeserializationFunctions))
	for i := range DeserializationFunctions {
		set[DeserializationFunctions[i]] = true
	}
	return set
}()
DeserializationFunctionsMap provides O(1) lookup
// FrameworkDetectionPatterns maps a framework name to the strings used to
// detect it in import statements and in source text. Only Laravel and Symfony
// have entries.
// The import patterns are lowercase while the source patterns are namespace
// prefixes ending in a backslash.
// NOTE(review): presumably imports are lower-cased before comparison — confirm
// in DetectFrameworkFromImports.
var FrameworkDetectionPatterns = map[string]FrameworkDetection{
	"laravel": {
		ImportPatterns: []string{"illuminate", "laravel"},
		SourcePatterns: []string{"Illuminate\\", "Laravel\\"},
	},
	"symfony": {
		ImportPatterns: []string{"symfony"},
		SourcePatterns: []string{"Symfony\\"},
	},
}
FrameworkDetectionPatterns maps framework names to detection patterns. Each framework has patterns to match in imports and in source code. Note: only Laravel and Symfony are supported.
// InputFunctions lists PHP functions that read data from outside the program
// (files, streams, the environment, request headers, the terminal). Their
// results are treated as sources of potentially untrusted data.
// file_get_contents and stream_get_contents also appear in NetworkFunctions.
var InputFunctions = []string{
	// File and stream reads.
	"file_get_contents",
	"fgets",
	"fread",
	"fgetc",
	"fgetss", // removed in PHP 8.0; still relevant when scanning older code
	"fgetcsv",
	"file",
	// NOTE(review): readfile writes the file to output and returns a byte
	// count rather than the data — confirm it belongs in a source list.
	"readfile",
	"stream_get_contents",
	// Environment and request headers.
	"getenv",
	"getallheaders",
	"apache_request_headers",
	// Interactive and formatted reads.
	"readline",
	"fscanf",
	// NOTE(review): fpassthru also outputs the remaining data instead of
	// returning it — same question as readfile.
	"fpassthru",
}
InputFunctions are functions that read external data. These are sources of potentially untrusted data.
// InputFunctionsMap is a set view of InputFunctions. It is built once when the
// package is initialized so that membership checks are a single map lookup.
var InputFunctionsMap = func() map[string]bool {
	set := make(map[string]bool, len(InputFunctions))
	for i := range InputFunctions {
		set[InputFunctions[i]] = true
	}
	return set
}()
InputFunctionsMap provides O(1) lookup
// MethodNamePatterns maps a fragment of a method name to the source type it
// indicates.
// NOTE(review): several keys can occur in the same name (for example
// "getCookieParams" contains both "get" and "cookie"). If the lookup scans
// this map with substring matching, Go's unspecified map iteration order
// would make the result vary between runs — confirm that
// InferSourceTypeFromMethodName applies a fixed priority.
var MethodNamePatterns = map[string]common.SourceType{
	"cookie": common.SourceHTTPCookie,
	"header": common.SourceHTTPHeader,
	"server": common.SourceHTTPHeader,
	"post":   common.SourceHTTPPost,
	"body":   common.SourceHTTPPost,
	"parsed": common.SourceHTTPPost,
	"query":  common.SourceHTTPGet,
	"get":    common.SourceHTTPGet,
	"file":   common.SourceHTTPBody,
	"upload": common.SourceHTTPBody,
}
MethodNamePatterns maps patterns in method names to their source types
// MySQLiFetchMethods is the set of MySQLi result fetch method names. The same
// keys are repeated in AllDatabaseFetchMethods.
var MySQLiFetchMethods = map[string]bool{
	"fetch_array":  true,
	"fetch_assoc":  true,
	"fetch_row":    true,
	"fetch_object": true,
	"fetch_all":    true,
}
MySQLiFetchMethods contains MySQLi result fetch methods
// NetworkFunctions lists PHP functions that fetch data over the network or
// open a connection that later reads return data from. Remote content is
// outside the application's control and is treated as external data.
// file_get_contents and stream_get_contents also appear in InputFunctions.
var NetworkFunctions = []string{
	// cURL.
	"curl_exec",
	"curl_multi_getcontent",
	"curl_multi_exec",
	// Stream wrappers that accept URLs.
	"file_get_contents",
	// fopen, fsockopen and pfsockopen return a handle; the data itself
	// arrives through later reads on that handle.
	"fopen",
	"fsockopen",
	"pfsockopen",
	// HTTP helper functions.
	"http_get",
	"http_post",
	"http_request",
	// Raw socket reads.
	"socket_read",
	"socket_recv",
	"socket_recvfrom",
	"stream_socket_recvfrom",
	"stream_get_contents",
}
NetworkFunctions are functions that fetch external network data
// NetworkFunctionsMap is a set view of NetworkFunctions. It is built once when
// the package is initialized so that membership checks are a single map lookup.
var NetworkFunctionsMap = func() map[string]bool {
	set := make(map[string]bool, len(NetworkFunctions))
	for i := range NetworkFunctions {
		set[NetworkFunctions[i]] = true
	}
	return set
}()
NetworkFunctionsMap provides O(1) lookup
// PDOFetchMethods is the set of fetch methods called on PDOStatement objects.
// The same keys are repeated in AllDatabaseFetchMethods.
var PDOFetchMethods = map[string]bool{
	"fetch":       true,
	"fetchAll":    true,
	"fetchColumn": true,
	"fetchObject": true,
}
PDOFetchMethods contains PDO statement fetch methods. These are object methods called on PDOStatement objects.
// PHPFileExtensions lists the file extensions recognized as PHP source. Each
// entry includes the leading dot.
// NOTE(review): a deployment can map other extensions to the PHP handler
// (legacy or custom mappings); files using them are not recognized by this
// list — confirm that is acceptable for the scan's coverage.
var PHPFileExtensions = []string{".php", ".php5", ".php7", ".phtml"}
PHPFileExtensions contains all PHP file extensions
// PHPInputFunctions lists common PHP functions that read input. Every entry
// also appears in InputFunctions; this is the shorter of the two lists.
var PHPInputFunctions = []string{
	"file_get_contents",
	"fread",
	"fgets",
	"fgetc",
	"stream_get_contents",
	"readfile",
}
PHPInputFunctions contains common PHP functions that read input
// PHPInputProperties lists property names that commonly carry request input
// on request-like objects.
var PHPInputProperties = []string{"input", "cookies", "query", "request", "files", "server", "headers"}
PHPInputProperties contains common PHP input carrier property names
// PHPNodeTypes groups the PHP AST node type and field name strings used by the
// analysis, so they are spelled in one place instead of repeated as literals.
// NOTE(review): the values look like tree-sitter PHP grammar node kinds —
// confirm against the parser the project uses.
var PHPNodeTypes = struct {
	// Class and function nodes
	ClassDeclaration    string
	MethodDeclaration   string
	FunctionDefinition  string
	PropertyDeclaration string
	DeclarationList     string
	// Variable and expression nodes
	VariableName            string
	SubscriptExpression     string
	MemberAccessExpression  string
	MemberCallExpression    string
	FunctionCallExpression  string
	ScopedCallExpression    string
	AssignmentExpression    string
	BinaryExpression        string
	ParenthesizedExpression string
	EncapsedString          string
	// Parameter types
	SimpleParameter            string
	VariadicParameter          string
	PropertyPromotionParameter string
	// Statement nodes
	ForeachStatement string
	ReturnStatement  string
	// Field names (child accessors on a node, not node types)
	FieldName       string
	FieldBaseClause string
	FieldBody       string
	FieldObject     string
	FieldIndex      string
	FieldLeft       string
	FieldRight      string
	FieldFunction   string
	// Modifier types
	VisibilityModifier string
	StaticModifier     string
	// Visibility values (the text of a visibility modifier)
	VisibilityPublic    string
	VisibilityProtected string
	VisibilityPrivate   string
}{
	ClassDeclaration:           "class_declaration",
	MethodDeclaration:          "method_declaration",
	FunctionDefinition:         "function_definition",
	PropertyDeclaration:        "property_declaration",
	DeclarationList:            "declaration_list",
	VariableName:               "variable_name",
	SubscriptExpression:        "subscript_expression",
	MemberAccessExpression:     "member_access_expression",
	MemberCallExpression:       "member_call_expression",
	FunctionCallExpression:     "function_call_expression",
	ScopedCallExpression:       "scoped_call_expression",
	AssignmentExpression:       "assignment_expression",
	BinaryExpression:           "binary_expression",
	ParenthesizedExpression:    "parenthesized_expression",
	EncapsedString:             "encapsed_string",
	SimpleParameter:            "simple_parameter",
	VariadicParameter:          "variadic_parameter",
	PropertyPromotionParameter: "property_promotion_parameter",
	ForeachStatement:           "foreach_statement",
	ReturnStatement:            "return_statement",
	FieldName:                  "name",
	FieldBaseClause:            "base_clause",
	FieldBody:                  "body",
	FieldObject:                "object",
	FieldIndex:                 "index",
	FieldLeft:                  "left",
	FieldRight:                 "right",
	FieldFunction:              "function",
	VisibilityModifier:         "visibility_modifier",
	StaticModifier:             "static_modifier",
	VisibilityPublic:           "public",
	VisibilityProtected:        "protected",
	VisibilityPrivate:          "private",
}
PHPNodeTypes contains PHP-specific AST node type strings
// PropertyNamePatterns maps a fragment of a property name to the source type
// it indicates. Singular and plural forms are listed separately.
// NOTE(review): some keys are contained in others ("file" in "files",
// "cookie" in "cookies"). If the lookup uses substring matching over this
// map, confirm that InferSourceTypeFromPropertyName does not depend on map
// iteration order.
var PropertyNamePatterns = map[string]common.SourceType{
	"cookie":  common.SourceHTTPCookie,
	"cookies": common.SourceHTTPCookie,
	"header":  common.SourceHTTPHeader,
	"headers": common.SourceHTTPHeader,
	"server":  common.SourceHTTPHeader,
	"post":    common.SourceHTTPPost,
	"body":    common.SourceHTTPPost,
	"query":   common.SourceHTTPGet,
	"get":     common.SourceHTTPGet,
	"file":    common.SourceHTTPBody,
	"files":   common.SourceHTTPBody,
}
PropertyNamePatterns maps patterns in property names to their source types
// Registry is the package-level PHP framework pattern registry, created at
// package initialization with the language key "php".
var Registry = common.NewFrameworkPatternRegistry("php")
Registry is the global PHP framework pattern registry
// TaintPatterns holds regular expressions for PHP taint analysis, compiled
// once at package initialization.
var TaintPatterns = struct {
	// ThisArrayPattern matches $this->prop[$key] = assignments and captures
	// the property name.
	ThisArrayPattern *regexp.Regexp
	// DynamicPropPattern matches $this->$key = $val assignments, where the
	// property name itself comes from a variable; group 1 is that variable.
	DynamicPropPattern *regexp.Regexp
	// ReturnThisPattern matches return $this->prop statements and captures
	// the property name.
	ReturnThisPattern *regexp.Regexp
	// SuperglobalKeyPattern extracts the quoted key from an access such as
	// $_GET['key']. It accepts any $_UPPERCASE name, and only literal keys:
	// an access with a variable key, $_GET[$k], is not matched.
	SuperglobalKeyPattern *regexp.Regexp
	// LoopVariablePattern matches the "as $key => $val" part of a foreach.
	// Groups: 1 = key variable, 2 = value variable.
	LoopVariablePattern *regexp.Regexp
	// ForeachValueOnlyPattern matches foreach($x as $value) without a key
	// and captures the value variable.
	ForeachValueOnlyPattern *regexp.Regexp
	// ThisPropertyOptionalArrayPattern matches $this->prop or
	// $this->prop[...] and captures the property name.
	ThisPropertyOptionalArrayPattern *regexp.Regexp
	// ReturnThisPropertyArrayPattern matches return $this->prop[... and
	// captures the property name.
	ReturnThisPropertyArrayPattern *regexp.Regexp
}{
	ThisArrayPattern:                 regexp.MustCompile(`\$this->(\w+)\[\$\w+\]\s*=`),
	DynamicPropPattern:               regexp.MustCompile(`\$this->\$(\w+)\s*=`),
	ReturnThisPattern:                regexp.MustCompile(`return\s+\$this->(\w+)`),
	SuperglobalKeyPattern:            regexp.MustCompile(`\$_[A-Z]+\s*\[\s*['"]([^'"]+)['"]\s*\]`),
	LoopVariablePattern:              regexp.MustCompile(`as\s+\$(\w+)\s*=>\s*\$(\w+)`),
	ForeachValueOnlyPattern:          regexp.MustCompile(`as\s+\$(\w+)\s*\)`),
	ThisPropertyOptionalArrayPattern: regexp.MustCompile(`\$this->(\w+)(?:\[[^\]]*\])?`),
	ReturnThisPropertyArrayPattern:   regexp.MustCompile(`return\s+\$this->(\w+)\[`),
}
TaintPatterns contains pre-compiled regex patterns for PHP taint analysis
Functions ¶
func BuildConditionalPattern ¶
BuildConditionalPattern creates a pattern for conditional based on superglobal
func BuildDirectAssignPattern ¶
BuildDirectAssignPattern creates a pattern for direct property assignment
func BuildMethodCallPattern ¶
BuildMethodCallPattern creates a pattern for ->methodName(
func BuildPropertyAccessPattern ¶
BuildPropertyAccessPattern creates a pattern for $var->property or $var->property[
func BuildPropertyAssignLoopPattern ¶
BuildPropertyAssignLoopPattern creates a pattern for property assignment in loop
func BuildReturnPropertyArrayPattern ¶
BuildReturnPropertyArrayPattern creates a pattern for return $this->propertyName[
func BuildReturnPropertyPattern ¶
BuildReturnPropertyPattern creates a pattern for return $this->propertyName
func BuildThisArrayPropertyAssignPattern ¶
BuildThisArrayPropertyAssignPattern creates a pattern for $this->property[...] = ... paramName
func BuildThisPropertyAssignPattern ¶
BuildThisPropertyAssignPattern creates a pattern for $this->property = ... paramName
func ContainsCurlFunction ¶
ContainsCurlFunction specifically checks for cURL functions
func ContainsDeserializationFunction ¶
ContainsDeserializationFunction checks if expression contains deserialization
func ContainsInputFunction ¶
ContainsInputFunction checks if expression contains any input function call
func ContainsNetworkFunction ¶
ContainsNetworkFunction checks if expression contains network function call
func ContainsSuperglobal ¶
ContainsSuperglobal checks if text contains any PHP superglobal
func DetectFrameworkFromImports ¶
DetectFrameworkFromImports detects frameworks based on import statements
func DetectFrameworkFromSource ¶
DetectFrameworkFromSource detects frameworks based on source code content
func DetectFrameworks ¶
DetectFrameworks detects all frameworks using the import-based and source-based detection methods. The classNames parameter is kept for API compatibility but is unused.
func GetAllPatterns ¶
func GetAllPatterns() []*common.FrameworkPattern
GetAllPatterns returns all registered framework patterns
func GetInputFunctionSourceType ¶
func GetInputFunctionSourceType(funcName string) common.SourceType
GetInputFunctionSourceType returns the source type for an input function
func GetInputMethodPatterns ¶
func GetInputMethodPatterns() []string
GetInputMethodPatterns returns method patterns derived from the registered framework patterns. The list is built lazily on first access to ensure all framework patterns are registered.
func GetInputPropertyPatterns ¶
func GetInputPropertyPatterns() []string
GetInputPropertyPatterns returns property patterns derived from the registered framework patterns. The list is built lazily on first access to ensure all framework patterns are registered.
func GetPatternByID ¶
func GetPatternByID(id string) *common.FrameworkPattern
GetPatternByID returns a pattern by its ID
func GetPatternsByFramework ¶
func GetPatternsByFramework(framework string) []*common.FrameworkPattern
GetPatternsByFramework returns patterns for a specific framework
func GetTypeHintPatterns ¶
GetTypeHintPatterns returns patterns for PHPDoc @var type hints. Pattern 1: /* @var $varname \namespace\classname */. Pattern 2: /* @var \namespace\classname $varname */.
func IdentifyExternalDataSource ¶
func IdentifyExternalDataSource(expr string) (common.SourceType, float64)
IdentifyExternalDataSource identifies the source type from an expression. It returns the source type and a confidence level.
func InferSourceTypeFromExpression ¶
func InferSourceTypeFromExpression(expr string) common.SourceType
InferSourceTypeFromExpression determines the source type from a full expression, e.g. "$request->getCookieParams()" -> SourceHTTPCookie.
func InferSourceTypeFromMethodName ¶
func InferSourceTypeFromMethodName(methodName string) common.SourceType
InferSourceTypeFromMethodName determines the source type based on method name patterns. This centralizes the logic previously in pkg/semantic/analyzer/php/analyzer.go.
func InferSourceTypeFromPropertyName ¶
func InferSourceTypeFromPropertyName(propName string) common.SourceType
InferSourceTypeFromPropertyName determines the source type based on property name patterns. This centralizes the logic previously in pkg/semantic/analyzer/php/analyzer.go.
func IsContextDependentMethod ¶
IsContextDependentMethod returns true if the method needs object context to determine if it's input
func IsDatabaseFetchMethod ¶
IsDatabaseFetchMethod returns true if the method name is a database fetch method. This checks object-oriented fetch methods (PDO, MySQLi object style).
func IsDatabaseQueryMethod ¶
IsDatabaseQueryMethod returns true if method is a database query method (sink)
func IsDatabaseResultObject ¶
IsDatabaseResultObject checks if an object name looks like a database result
func IsDeserializationFunction ¶
IsDeserializationFunction returns true if the function deserializes data
func IsExcludedMethod ¶
IsExcludedMethod returns true if the method should be excluded from input detection
func IsExternalDataFunction ¶
IsExternalDataFunction checks if a function reads external data (any type)
func IsInputFunction ¶
IsInputFunction returns true if the function name is a known input function
func IsInputMethod ¶
IsInputMethod returns true if the method name matches input method patterns and is not excluded (false positive prevention)
func IsInputMethodCall ¶
IsInputMethodCall checks if an expression matches an input method pattern
func IsInputObject ¶
IsInputObject returns true if the object/variable name suggests an input carrier
func IsInputProperty ¶
IsInputProperty returns true if the property name matches input property patterns
func IsInputPropertyAccess ¶
IsInputPropertyAccess checks if an expression matches an input property pattern
func IsMySQLiFetchMethod ¶
IsMySQLiFetchMethod returns true if the method is a MySQLi fetch method
func IsNetworkFunction ¶
IsNetworkFunction returns true if the function fetches network data
func IsPDOFetchMethod ¶
IsPDOFetchMethod returns true if the method is a PDO fetch method
func MatchesInputCarrier ¶
MatchesInputCarrier returns true if the expression matches patterns suggesting user input. It checks combinations of object name, property name and method name.
Types ¶
type ConcatMatch ¶
ConcatMatch represents a matched concatenated expression
func ExtractConcatenatedExpressions ¶
func ExtractConcatenatedExpressions(line string) []ConcatMatch
ExtractConcatenatedExpressions extracts expressions from string concatenation
type EscapeMatch ¶
EscapeMatch represents a matched escaped expression
func ExtractEscapedExpressions ¶
func ExtractEscapedExpressions(line string) []EscapeMatch
ExtractEscapedExpressions extracts expressions wrapped in escape functions
type FrameworkDetection ¶
// FrameworkDetection holds the strings used to recognize one framework. Both
// fields are plain strings, not compiled regular expressions.
type FrameworkDetection struct {
	ImportPatterns []string // Patterns to match in import/use statements
	SourcePatterns []string // Patterns to match in source code
}
FrameworkDetection contains patterns for detecting a framework
type Matcher ¶
// Matcher matches PHP user input sources. It embeds *common.BaseMatcher, so
// the base matcher's methods are promoted onto Matcher. Construct it with
// NewMatcher.
type Matcher struct {
	*common.BaseMatcher
}
Matcher matches PHP user input sources
func NewMatcher ¶
func NewMatcher() *Matcher
NewMatcher creates a new PHP source matcher combining all definition groups.
type SQLEmbeddedMatch ¶
SQLEmbeddedMatch represents a matched SQL embedded expression
func ExtractSQLEmbeddedExpressions ¶
func ExtractSQLEmbeddedExpressions(line string) []SQLEmbeddedMatch
ExtractSQLEmbeddedExpressions extracts expressions from SQL strings