[nycphp-talk] Any PHP Analysis Tools?
Keith Casey
mailinglists at caseysoftware.com
Fri Apr 28 12:29:37 EDT 2006
On 4/28/06, Daniel Convissor <danielc at analysisandsolutions.com> wrote:
> The likelyhood they'll properly clean up the code and resolve security
> issues is VERY low. Wouldn't be surprised if the reason the thing is a
> "steaming pile" is the people who wrote it in the first place were
> interns.
>From talking to some of the other people involved (non-technical), I
think this assessment was accurate. It appears the bulk of the code
was written 2-3 years ago by a handful of people who were working on
their first non-academic project. They didn't appear to be using
version control either, so there are huge sections commented out
instead of deleted... and the communication was poor, so there are
differing implementations for the same things.
The security aspect is one of the larger ones to me... as a test this
morning, I submitted some simple javascript alerts and sql-injection
and they made it through no problem.
Thanks for the tip on Zend Studio, I'll look into that first.
--
Keith Casey
CEO, http://CaseySoftware.com
2006 DC PHP Conference Details: http://dcphpconference.com/
More information about the talk
mailing list