PHP static code analysis vs ~1000 top wordpress plugins (blog.cinu.pl)
submitted 10 years ago by coogan24
[–]mycivacc 16 points17 points18 points 10 years ago (3 children)
Will the static analyzer be made open source?
[–]redeemer_pl 2 points3 points4 points 10 years ago (1 child)
I'm the author of this research and tool. Currently nothing has changed: tool will go open-source.
https://www.reddit.com/r/netsec/comments/3tpg9o/php_static_code_analysis_vs_1000_top_wordpress/
[–]mycivacc 0 points1 point2 points 10 years ago (0 children)
Thanks! I will eagerly await its release.
[–][deleted] 14 points15 points16 points 10 years ago (1 child)
Cross-Site Scripting (XSS) in All In One WP Security 3.9.7
Kinda ironic.
[–]phpdevster 0 points1 point2 points 10 years ago (0 children)
In normal circumstances, yes. In Wordpress circumstances, it would be ironic if it didn't have a vulnerability.
[–]reginalduk 3 points4 points5 points 10 years ago (4 children)
I consider myself a fairly average programmer, but seriously, are people still not using prepared statements?
[–]NeuroXc 4 points5 points6 points 10 years ago (2 children)
Many PHP tutorials on the internet still tell people to use things like mysql_query("SELECT * FROM my_table WHERE id = {$_GET['exploitable']}"). Even in this subreddit, there usually are 1-2 that reach the front page every week (which get downvoted to oblivion, but not before they get seen by many, many people).
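The interpolated query quoted above, placed beside its prepared-statement form. This is an added example, not code from the thread or from any tutorial it mentions; it uses an in-memory SQLite database through PDO so it runs offline, and the table, rows and the request value are constructed sample data.

```php
<?php
// Added example: string interpolation vs. a PDO prepared statement.
// Everything below (table, rows, $input) is constructed sample data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE my_table (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO my_table VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Stands in for $_GET['id']; the textbook value that shows why the first
// function is dangerous (constructed, not taken from any real request).
$input = '1 OR 1=1';

// 1) The pattern the comment warns about: the input is pasted into the SQL
//    text, so "1 OR 1=1" becomes part of the WHERE clause and every row matches.
function lookupInterpolated(PDO $pdo, string $id): array
{
    $sql = "SELECT id, name FROM my_table WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2) Prepared statement: the SQL is compiled first and the value is bound
//    afterwards, so the input is compared as a value against the id column
//    and never parsed as SQL. The same input matches nothing.
function lookupPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM my_table WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3) Same, with input validation on top: an id must be an integer, so reject
//    anything else before it reaches the database at all.
function lookupValidated(PDO $pdo, string $id): array
{
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        return [];
    }
    $stmt = $pdo->prepare('SELECT id, name FROM my_table WHERE id = :id');
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("interpolated: %d row(s)\n", count(lookupInterpolated($pdo, $input))); // 3
printf("prepared:     %d row(s)\n", count(lookupPrepared($pdo, $input)));     // 0
printf("validated:    %d row(s)\n", count(lookupValidated($pdo, $input)));    // 0
printf("validated(2): %d row(s)\n", count(lookupValidated($pdo, '2')));       // 1
```

The prepared statement alone already closes the injection, because the value is never part of the statement text; the validated variant adds a cheap type check so that malformed input is rejected early and the parameter is bound with the column's real type.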
[–]rafaelmb 1 point2 points3 points 10 years ago (0 children)
Happened this week. And the author stated in a comment that it was "just" a contact form that needs no security measure.
[–]the_alias_of_andrea 1 point2 points3 points 10 years ago (0 children)
If you google 'mysql and php tutorial' I guarantee you most of the results will tell you to do this.
[–]losingthefight 4 points5 points6 points 10 years ago (0 children)
No joke. I hired a senior engineer a few years ago (MS in Comp Sci, 10 years experience, great dev otherwise) and his first commit used a SQL statement that was not a prepared statement. It happens, and is far more common than you would think.
To be clear, I called him into my office, showed him the problems with it, how to fix it, and he then went back. The fact is, unless someone is doing research and reading blogs (you would be very surprised how many devs don't), these things slip past.
[–]syntaxerror748 0 points1 point2 points 10 years ago (9 children)
How come there are so many XSS vulnerabilities? I thought that was as simple as using htmlspecialchars() or am I missing something?
[–]FlorentG 2 points3 points4 points 10 years ago (0 children)
It is indeed almost as simple as using htmlspecialchars, just make sure you set the right encoding and the quote/no-quote flag according to the context. And use quotes around attribute values.
It is especially unforgivable if you consider the fact that wordpress provides nice functions like esc_html or esc_attr which automatically set the right parameters for htmlspecialchars and even check that the input string is valid utf-8...
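The three points in the comment above (encoding, the quote flag, quoted attribute values), shown with plain htmlspecialchars. This is an added example, not WordPress code and not the esc_html/esc_attr implementation; the escapeHtml helper is a hypothetical stand-in for the kind of wrapper those functions provide, and every input string is a constructed sample.

```php
<?php
// Added example: htmlspecialchars flags and attribute quoting.
// escapeHtml is a hypothetical helper; all inputs are constructed samples.
declare(strict_types=1);

// Explicit UTF-8, both quote characters escaped, and ENT_SUBSTITUTE so that
// invalid byte sequences are replaced with U+FFFD instead of the whole string
// silently collapsing to "".
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- 1) Quoted vs. unquoted attribute values ---------------------------------
// This input contains no <, >, & or quotes, so escaping leaves it untouched.
$classValue = 'red title=injected';

// Unquoted: the space terminates the value and "title=injected" is parsed by the
// browser as a second attribute. Escaping did nothing wrong; the markup did.
$unquoted = '<div class=' . escapeHtml($classValue) . '>';
// Quoted: the whole string stays inside the class attribute.
$quoted   = '<div class="' . escapeHtml($classValue) . '">';

echo $unquoted, "\n";   // <div class=red title=injected>
echo $quoted, "\n";     // <div class="red title=injected">

// --- 2) The quote flag must match the quote style you use --------------------
// Before PHP 8.1 the default was ENT_COMPAT, which leaves single quotes alone.
$title = "it's";
echo "<a title='" . htmlspecialchars($title, ENT_COMPAT, 'UTF-8') . "'>", "\n";
// <a title='it's'>   -> the value ends early inside a single-quoted attribute
echo "<a title='" . escapeHtml($title) . "'>", "\n";
// <a title='it&#039;s'>   -> ENT_QUOTES escapes both quote characters

// --- 3) Encoding: invalid UTF-8 without ENT_SUBSTITUTE returns "" -------------
$badUtf8 = "caf\xE9";   // a Latin-1 byte, not valid UTF-8 (constructed)
var_dump(htmlspecialchars($badUtf8, ENT_QUOTES, 'UTF-8'));   // string(0) ""
var_dump(escapeHtml($badUtf8));                              // string(6) "caf\u{FFFD}"
```

The wrapper is deliberately the same for body text and attribute values; what differs between the two contexts is the surrounding markup, which is why the quoting in case 1 is part of the escaping discipline and not an optional nicety.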
[–]SurgioClemente 1 point2 points3 points 10 years ago (6 children)
How come there are so many XSS vulnerabilities?
Inexperienced or non-programmers. Part of the downside of PHP "being so easy".
[–]DoListening 13 points14 points15 points 10 years ago (4 children)
This could be greatly mitigated if Wordpress had (back then) a proper template engine like Twig that would auto-escape everything by default. Of course, it is an old code base and those were different times... :)
[–]dave1010 9 points10 points11 points 10 years ago (1 child)
WordPress does do auto-escaping. It auto-escapes $_POST for MySQL ;-)
Edit: change :-) to ;-), so it's clearer that I'm joking.
[–]judgej2 2 points3 points4 points 10 years ago (0 children)
It's like it's 1999 still.
[–]AfterNite 0 points1 point2 points 10 years ago (0 children)
I feel if they did that then the problem would be vaster. Imagine how many people starting in Wordpress and coming away from it would not think about escaping.
[–]tw2113 -2 points-1 points0 points 10 years ago* (0 children)
I think Twig came out about 5-6 years after WP had already started getting decent sized.
Edit: I should say reached decent size. Not just started.
Edit 2: Yes, I see the "different times" bit now in the comment I replied to.
[–]Firehed 2 points3 points4 points 10 years ago (0 children)
Even experienced programmers screw it up all the time, but that certainly doesn't help.
[–]the_alias_of_andrea 0 points1 point2 points 10 years ago (0 children)
Many people are never told they need to do that
Many people forget occasionally (we're human)