Annex

• Credits
• Contribute
• External links

Credits

The following people helped in the making of Exakat : installing, coding, suggesting, using, documenting, reporting bugs, pushing us to be better.

• 陈曦 (Buck / Leon)
• 鄭蔚 (Jent / Jean)
• Gérard Ernaelsten
• Philippe Gamache
• Cyrille Granval
• Eshin Kunishima
• Alexis Van Glasow

Contribute

Exakat is an Open Source project. It is also organized to collect common knowledge and encode it in its databases.

Here are some suggestions of help you may provide to enhance your own usage of Exakat :

• Suggest PHP extensions that are missing in the list of supported extensions (see Annex)
• Suggest new analysis, with examples of target code, and examples of good code
• Suggest missing external services
• Suggest reference article for the documentation, in the section ‘See also’
• Suggestion application that may be added to the corpus of codes that we use to validate the analysis
• Provide new names and adjectives for the audit names. We like to include any first name of community members, and non-derogatory adjectives.
• Report installation or usage problems
• Report ambiguity in reports and their documentation
• Suggest interesting Coding reference, like Object Calisthenics, PSR, East-Oriented Programming, etc.
• Translate the documentation into other languages
• Suport Exakat on Windows or other OS
• Recommend article for code conception to be added in the docs
• Suggest public code source for review

Visit us on the [github repository](https://github.com/exakat/php-static-analysis-tools), or the [slack channel](https://www.exakat.io/slack-invitation/).

External links

List of external links mentionned in this documentation.

• ` <https://php.watch/versions/8.1/$_FILES-full-path>`_
• #QuandLeDevALaFleme
• $_ENV
• $docs[extension_page]
• $docs[home_page]
• $GLOBALS
• $HTTP_RAW_POST_DATA variable
• `$name <$service->homepage>`_
• `$this->clearphp <https://github.com/dseguy/clearPHP/tree/master/rules/$this->clearphp.md>`_
• $x
• ‘ . $ini[‘name’] . ‘
• `' . $library->name . ' <' . $library->homepage . '>`_
• ‘ . $r[2] . $r[3] . ‘
• 10 GitHub Security Best Practices
• 1003.1-2008 - IEEE Standard for Information Technology - Portable Operating System Interface (POSIX(R))
• 7z
• ::class
• @deprecated
• [blog] array_column()
• [CVE-2017-6090]
• [HttpFoundation] Make sessions secure and lazy #24523
• `]*?>`_
• __autoload
• __get performance questions with PHP
• __set
• A PHP extension for Redis
• About circular references in PHP
• Add array_key_exists to the list of specialy compiled functions
• Add Exakat To Your CI Pipeline
• Allow a trailing comma in function calls
• Alpine Linux
• Alternative PHP Cache
• Alternative syntax
• Ambassador
• Anonymous functions
• APCU
• Argon2 Password Hash
• Arithmetic Operators
• Aronduby Dump
• Array
• Array Functions
• array_fill_keys
• array_filter
• array_key_exists() with objects
• array_map
• array_merge
• array_search
• array_slice
• array_unique
• ArrayAccess
• Arrays
• Arrays syntax
• Arrow functions
• assert
• Assignation Operators
• Autoloading Classe
• Autoloading Classes
• Avoid Else, Return Early
• Avoid nesting too deeply and return early (part 1)
• Avoid option arrays in constructors
• Avoid optional services as much as possible
• Backward incompatible changes
• Backward incompatible changes PHP 7.0
• basename
• Basics
• bazaar
• BC Math Functions
• Benoit Burnichon
• Bitmask Constant Arguments in PHP
• Bitwise Operators
• Brandon Savage
• browscap
• Bug #50887 preg_match , last optional sub-patterns ignored when empty
• Bzip2 Functions
• Cairo Graphics Library
• Calendar Functions
• Callback / callable
• Callbacks / callables
• Calling a static element on a trait
• Can you spot the vulnerability? (openssl_verify)
• Cant Use Return Value In Write Context
• Carbon
• Carnage
• cat: write error: Broken pipe
• catch
• Change the precedence of the concatenation operator
• Changes to variable handling
• Class Abstraction
• Class Constant
• Class Constants
• class_alias
• Classes abstraction
• Classes Abstraction
• Closure class
• Cmark
• Codeigniter
• COM and .Net (Windows)
• Community Edition
• compact
• Comparison Operators
• composer
• Concrete 5
• Conflict resolution
• Constant definition
• Constant Scalar Expressions
• constant()
• Constants
• Constructors and Destructors
• continue-on-error
• count
• Courier Anti-pattern
• Covariant Returns and Contravariant Parameters
• crc32()
• Cross-Site Scripting (XSS)
• Cryptography Extensions
• CSPRNG
• Ctype funtions
• curl
• Curl for PHP
• curl_version
• CVS
• CWE-484: Omitted Break Statement in Switch
• Cyrus
• Data filtering
• Data structures
• Database (dbm-style) Abstraction Layer
• Date and Time
• DCDFLIB
• Dead Code: Unused Method
• declare
• Declare
• define
• define
• Dependency Injection Smells
• Deprecate and remove continue targeting switch
• Deprecate and remove INTL_IDNA_VARIANT_2003
• Deprecate curly brace syntax
• Deprecated features in PHP 5.4.x
• Deprecated features in PHP 5.5.x
• Deprecated features in PHP 7.2.x
• Deprecation allow_url_include
• Deprecations for PHP 7.2
• Deprecations for PHP 7.4
• Destructor
• DIO
• Dir predefined constants
• directive error_reporting
• Directly calling __clone is allowed
• dl
• Do your objects talk to strangers?
• Docker
• Docker image
• Document Object Model
• Don’t pass this out of a constructor
• Don’t repeat yourself (DRY)
• Don’t turn off CURLOPT_SSL_VERIFYPEER, fix your PHP configuration
• dotdeb instruction
• Double quoted
• download
• Drupal
• Dynamically Access PHP Object Properties with $this
• E_WARNING for invalid container read array-access
• Eaccelerator
• elseif/else if
• empty
• Empty Catch Clause
• Empty interfaces are bad practice
• empty()
• Enchant spelling library
• Entreprise Edition
• Ereg
• Error Control Operators
• Error reporting
• Escape sequences
• Ev
• eval
• Event
• Exakat
• Exakat cloud
• Exakat Cloud
• Exakat SAS
• exakat/exakat
• Exception::__construct
• Exceptions
• Exchangeable image information
• Execution Operators
• expect
• explode
• ext-async repository
• ext-http
• ext/ast
• ext/gender manual
• ext/hash extension
• ext/hrtime manual
• ext/inotify manual
• ext/leveldb on Github
• ext/lua manual
• ext/mbstring
• ext/memcached manual
• ext/OpenSSL
• ext/readline
• ext/recode
• ext/SeasLog on Github
• ext/sqlite
• ext/sqlite3
• ext/uopz
• ext/varnish
• ext/zookeeper
• Extension Apache
• extension mcrypt
• extract
• Ez
• Factory (object-oriented programming)
• FAM
• FastCGI Process Manager
• FDF
• ffmpeg-php
• file_get_contents
• filesystem
• Filinfo
• Final Keyword
• Firebase / Interbase
• Flag Argument
• FlagArgument
• Floating point numbers
• Floats
• Fluent Interfaces in PHP
• fopen
• foreach
• Foreign Function Interface
• Frederic Bouchery
• From assumptions to assertions
• FuelPHP
• Function arguments
• Functions
• Gearman on PHP
• Generalize support of negative string offsets
• Generator delegation via yield from
• Generator Syntax
• Generators overview
• GeoIP
• George Peter Banyard
• get_class
• get_object_vars script on 3V4L
• Gettext
• Git
• Github Action
• Github upload
• Github.com/exakat/exakat
• global namespace
• GMP
• Gnupg Function for PHP
• Goto
• graphviz
• Gremlin server
• Group Use Declaration RFC
• GRPC
• Handling file uploads
• Hardening Your HTTP Security Headers
• hash
• HASH Message Digest Framework
• hash_algos
• hash_file
• Heredoc
• Holger Woltersdorf
• How many parameters is too many ?
• How to fix Headers already sent error in PHP
• How to pick bad function and variable names
• htmlentities
• htmlspecialchars
• https://hub.docker.com/r/exakat/exakat-ga
• https://www.exakat.io/
• https://www.exakat.io/versions/index.php?file=latest
• IBM Db2
• Iconv
• iconv()
• ICU
• Ideal regex delimiters in PHP
• idn_to_ascii
• IERS
• igbinary
• IIS Administration
• Image Processing and GD
• Imagick for PHP
• IMAP
• Implement ZEND_ARRAY_KEY_EXISTS opcode to speed up array_key_exists()
• Implicit incompatible float to int conversions
• implode
• In a PHP5 class, when does a private constructor get called?
• in_array()
• include
• include_once
• Info Predefined Constants
• Insecure Transportation Security Protocol Supported (TLS 1.0)
• Installing Exakat to monitor several projects
• Instanceof
• Integer overflow
• Integer syntax
• Integer Syntax
• Integers
• Interfaces
• Internal Constructor Behavior
• Is it a bad practice to have multiple classes in the same file?
• Isset
• Isset Ternary
• It is the 31st again
• iterable pseudo-type
• Iterables
• Joomla
• json_decode
• Judy C library
• Kafka client for PHP
• Kerberos V
• Lapack
• Laravel
• Late Static Bindings
• Least Privilege Violation
• libeio
• libevent
• libmongoc
• libuuid
• libxml
• Lightweight Directory Access Protocol
• list
• List of function aliases
• List of HTTP header fields
• List of HTTP status codes
• List of Keywords
• List of other reserved words
• List of TCP and UDP port numbers
• list() Reference Assignment
• Logical Expressions in C/C++. Mistakes Made by Professionals
• Logical Operators
• Loosening Reserved Word Restrictions
• lzf
• Magic Constants
• Magic Hashes
• Magic Method
• Magic Methods
• Magic methods
• mail
• Mail related functions
• Marco Pivetta tweet
• match
• Match expression V2
• Match()
• Math predefined constants
• Mathematical Functions
• mb_encoding_detect
• Mbstring
• mcrypt_create_iv()
• MD5
• Memcache on PHP
• mercurial
• Method overloading
• mhash
• Microsoft SQL Server
• Microsoft SQL Server Driver
• Migration80
• Ming (flash)
• mixed
• MongoDB driver
• move_uploaded_file
• msgpack for PHP
• MySQL Improved Extension
• mysqli
• Named Arguments
• Ncurses Terminal Screen Control
• Nested Ternaries are Great
• Net SNMP
• New Classes and Interfaces
• New custom object serialization mechanism
• New object type
• Newt
• No Dangling Reference
• Nowdoc
• Null and True
• Null Coalescing Operator
• Null Object Pattern
• Object Calisthenics, rule # 2
• Object Calisthenics, rule # 5
• Object cloning
• Object Inheritance
• Object Interfaces
• Objects and references
• ODBC (Unified)
• OPcache functions
• opencensus
• OpennSSL [PHP manual]
• openssl_random_pseudo_byte
• Operator Precedence
• Operators Precedence
• Optimization: How I made my PHP code run 100 times faster
• Optimize array_unique()
• Option to make json_encode and json_decode throw exceptions on errors
• Oracle OCI8
• original idea
• Original MySQL API
• Output Buffering Control
• Overload
• pack
• Packagist
• parent
• Parentheses around function arguments no longer affect behaviour
• Parsekit
• Parsing and Lexing
• Passing arguments by reference
• Passing by reference
• Password Hashing
• Password hashing
• Pattern Modifiers
• PCOV
• PCRE
• PEAR
• pecl crypto
• PECL ext/xxtea
• pg_last_error
• Phalcon
• phar
• PHP - Fatal error: Unsupported operand types [duplicate]
• PHP 7 performance improvements (3/5): Encapsed strings optimization
• PHP 7.0 Backward incompatible changes
• PHP 7.0 Removed Functions
• PHP 7.1 no longer converts string to arrays the first time a value is assigned with square bracket notation
• PHP 7.2’s switch optimisations
• PHP 7.3 Removed Functions
• PHP 7.3 UPGRADE NOTES
• PHP 7.4 Removed Functions
• PHP
• PHP class name constant case sensitivity and PSR-11
• PHP Classes containing only constants
• PHP Clone and Shallow vs Deep Copying
• PHP Constants
• PHP Data Object
• PHP Decimal
• PHP extension for libsodium
• PHP for loops and counting arrays
• PHP gmagick
• PHP Options And Information
• PHP Options/Info Functions
• PHP return(value); vs return value;
• PHP RFC: Allow a trailing comma in function calls
• PHP RFC: Allow trailing comma in parameter list
• PHP RFC: Arrow Functions
• PHP RFC: Convert numeric keys in object/array casts
• PHP RFC: Deprecate and Remove Bareword (Unquoted) Strings
• PHP RFC: Deprecate left-associative ternary operator
• PHP RFC: Deprecations for PHP 7.2 : Each()
• PHP RFC: Deprecations for PHP 7.4
• PHP RFC: Deprecations for PHP 8.1
• PHP RFC: First-class callable syntax
• PHP RFC: get_debug_type
• PHP RFC: noreturn type
• PHP RFC: Nullsafe operator
• PHP RFC: Scalar Type Hints
• PHP RFC: Static variables in inherited methods
• PHP RFC: str_contains
• PHP RFC: Syntax for variadic functions
• PHP RFC: Unicode Codepoint Escape Syntax
• PHP RFC: Union Types 2.0
• PHP RFC: Variable Syntax Tweaks
• PHP Tags
• PHP why pi() and M_PI
• php-ext-wasm
• php-vips-ext
• php-zbarcode
• PHP: When is /tmp not /tmp?
• phpsdl
• PhpStorm 2020.3 EAP #4: Custom PHP 8 Attributes
• phpstorm-stubs/meta/attributes/Immutable.php
• plantuml
• PMB
• PostgreSQL
• Predefined Constants
• Predefined Exceptions
• Predefined Variables
• preg_filter
• Prepare for PHP 7 error messages (part 3)
• Prepare for PHP migration with Exakat
• Prepared Statements
• printf
• Process Control
• proctitle
• Properties
• Pspell
• PSR-11 : Dependency injection container
• PSR-13 : Link definition interface
• PSR-16 : Common Interface for Caching Libraries
• PSR-3 : Logger Interface
• PSR-3
• PSR-6 : Caching
• Putting glob to the test
• RabbitMQ AMQP client library
• rar
• Rar archiving
• Refactoring code
• References
• Reflection
• Reflection export() methods
• Regular Expressions (Perl-Compatible)
• Resource to object migration
• resources
• Restrict $GLOBALS usage
• return
• Return Inside Finally Block
• Return Type Declaration
• Returning values
• RFC 7159
• RFC 7230
• RFC 822 (MIME)
• RFC 959
• RFC : Arrow functions
• RFC Preload
• RFC: Return Type Declarations
• runkit
• Salted Password Hashing - Doing it Right
• Scalar type declarations
• Scope Resolution Operator (::)
• Semaphore, Shared Memory and IPC
• Session
• session_regenerateid()
• Sessions
• Set-Cookie
• set_error_handler
• setcookie
• setlocale
• shell_exec
• SimpleXML
• Single Function Exit Point
• SOAP
• Sockets
• Specification pattern
• Sphinx Client
• Spread Operator in Array Expression
• Spread Operator in Array Expression
• sqlite3
• SQLite3::escapeString
• SSH2 functions
• Standard PHP Library (SPL)
• Static anonymous functions
• Static Keyword
• Strict typing
• String access and modification by character
• String functions
• strip_tags
• strpos not working correctly
• strtr
• Structuring PHP Exceptions
• Subpatterns
• substr
• Suhosin.org
• Sun, iPlanet and Netscape servers on Sun Solaris
• Superglobals
• Supported PHP Extensions
• Supported Protocols and Wrappers
• SVM
• Svn
• Swoole
• Symfony
• Syntax
• Ternary Operator
• tetraweb/php
• Text
• The Basics
• The basics of Fluent interfaces in PHP
• The Closure Class
• The Definitive 2019 Guide to Cryptographic Key Sizes and Algorithm Recommendations
• The Linux NIS(YP)/NYS/NIS+ HOWTO
• The main PPA for PHP (8.0, 7.4, 7.3, 7.2, 7.1, 7.0, 5.6)
• The “never” Return Type for PHP
• Throw Expression
• Throwable
• Tidy
• tokenizer
• tokyo_tyrant
• trader (PECL)
• Trailing Comma In Closure Use List
• Trailing Commas In List Syntax
• Traits
• Traversable
• trigger_error
• trim
• Tutorial 1: Let’s learn by example
• Type array
• Type Casting
• Type Declaration
• Type declarations
• Type declarations
• Type hinting for interfaces
• Type Juggling
• Type juggling
• Type Operators
• Typo3
• Unbinding $this from non-static closures
• Understanding Dependency Injection
• Unicode block
• Unicode spaces
• Uniform Resource Identifier
• unserialize()
• unset
• Unset casting
• UPGRADING 7.3
• UPGRADING PHP 8.1
• upload artifact
• Use of Hardcoded IPv4 Addresses
• Using namespaces: Aliasing/Importing
• Using namespaces: Aliasing/Importing ¶
• Using namespaces: fallback to global function/constant
• Using non-breakable spaces in test method names
• Using single characters for variable names in loops/exceptions
• Using static variables
• V8 Javascript Engine
• Vagrant file
• Variable functions
• Variable scope
• Variable Scope
• Variable variables
• Variables
• Visibility
• Visibility from other objects
• Vladimir Reznichenko
• Void functions
• Warn when counting non-countable types
• Wddx on PHP
• Weak references
• What are the best practices for catching and re-throwing exceptions?
• What’s all this ‘immutable date’ stuff, anyway?
• When empty is not empty
• When to declare classes final
• Why 777 Folder Permissions are a Security Risk
• Why is subclassing too much bad (and hence why should we use prototypes to do away with it)?
• Why, php? WHY???
• wikidiff2
• Wincache extension for PHP
• Wordpress
• workflow_dispatch
• www.exakat.io
• xattr
• xcache
• Xdebug
• xdiff
• XHprof Documentation
• XML External Entity
• XML Parser
• XML-RPC
• xmlreader
• XMLWriter
• XSL extension
• YAML Ain’t Markup Language
• Yii
• Yoda Conditions
• Zend Monitor - PHP API
• ZeroMQ
• zip
• Zip
• Zlib

Training Database

A number of applications are regularly scanned in order to find real life examples of patterns. They are listed here :

• ChurchCRM
• Cleverstyle
• Contao
• Dolibarr
• Dolphin
• Edusoho
• ExpressionEngine
• FuelCMS
• HuMo-Gen
• LiveZilla
• Magento
• Mautic
• MediaWiki
• NextCloud
• OpenConf
• OpenEMR
• Phinx
• PhpIPAM
• Phpdocumentor
• Piwigo
• PrestaShop
• SPIP
• SugarCrm
• SuiteCrm
• TeamPass
• Thelia
• ThinkPHP
• Tikiwiki
• Tine20
• Traq
• Typo3
• Vanilla
• Woocommerce
• WordPress
• XOOPS
• Zencart
• Zend-Config
• Zurmo
• opencfp
• phpMyAdmin
• phpadsnew
• shopware
• xataface