• DocumentCode
    2328183
  • Title
    Static Detection of Un-Trusted Variables in PHP Web Applications
  • Author
    Shushen, P. ; Gu Qing ; Chen Daoxu
  • Author_Institution
    Dept. of Comput. Sci. & Technol., Nanjing Univ., Nanjing
  • fYear
    2009
  • fDate
    23-24 May 2009
  • Firstpage
    1
  • Lastpage
    5
  • Abstract
    Web applications support more and more of our daily activities, so it is important to improve their reliability and security. The content that users submit to a Web application's server side is called un-trusted content. Un-trusted content has a significant impact on the reliability and security of Web applications, so detecting the un-trusted variables in the server-side program is important for improving the quality of Web applications. Previous methods perform poorly on weakly typed and untyped server-side programs. To address this issue, this paper proposes a new technique for detecting un-trusted variables in PHP Web applications (PHP is a weakly typed server-side language). The technique is based on a two-phase static analysis algorithm. In the first phase, modules are extracted from the Web application; in the second phase, un-trusted variables are detected within those modules. An implementation of the proposed technique, DUVP, is also presented, and it has been successfully applied to detect un-trusted variables in a large-scale PHP Web application.
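    The abstract gives only the outline of the two-phase analysis (extract modules, then find variables that depend on user input). As an added illustration that is not DUVP or the authors' code, the Python script below runs a small flow-sensitive taint analysis over a constructed PHP snippet: phase 1 splits the file into the top-level script and each function body (our interpretation of "modules"; the paper does not define the term here), and phase 2 walks each module's assignments, marking a variable un-trusted while its latest value derives from a request superglobal ($_GET, $_POST, ...), another un-trusted variable, or an un-trusted function parameter. The superglobal list, the sanitizer list (intval, htmlspecialchars, mysqli_real_escape_string) and the sample PHP are assumptions made for the example; real PHP parsing, control flow and interprocedural propagation are out of scope.

```python
"""Added example (not from the paper): a two-phase, line-based taint analysis
that flags un-trusted variables in PHP source.  Constructed for illustration."""
import re

# Superglobals that carry client-supplied data (assumed source list).
UNTRUSTED_SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST", "$_SERVER", "$_FILES"}
# Calls whose result we treat as trusted for this demo (assumed sanitizer list).
SANITIZERS = {"intval", "htmlspecialchars", "mysqli_real_escape_string"}

ASSIGN_RE = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*(\.=|=)\s*(.+?);\s*$")
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
CALL_RE = re.compile(r"^(\w+)\s*\((.*)\)$")
FUNC_RE = re.compile(r"^\s*function\s+(\w+)\s*\(")

# Constructed sample PHP input (not from the paper).  Line 1 is "<?php".
SAMPLE = r"""<?php
$id = $_GET['id'];
$safe_id = intval($_GET['id']);
$name = $_POST['name'];
$greeting = "Hello " . $name;
$q = "SELECT * FROM users WHERE id = $safe_id";
$q .= " AND name = '$name'";
$count = 0;
$name = "anonymous";
function show($user) {
    $msg = "User: " . $user;
    $esc = htmlspecialchars($user);
    echo $msg;
}
"""


def extract_modules(php_source):
    """Phase 1 (our interpretation): split the file into the top-level script
    and each top-level function body, tracking braces so nested blocks stay
    inside the function.  Returns {module_name: [(line_no, line), ...]}."""
    modules = {"<main>": []}
    current, depth = "<main>", 0
    for lineno, line in enumerate(php_source.splitlines(), 1):
        header = FUNC_RE.match(line)
        if depth == 0 and header:
            current = header.group(1)
            modules[current] = []
        modules[current].append((lineno, line))
        depth += line.count("{") - line.count("}")
        if current != "<main>" and depth == 0 and "}" in line:
            current = "<main>"          # function body closed
    return modules


def is_trusted_expr(expr, tainted):
    """A right-hand side is trusted if it is a bare sanitizer call, or if it
    mentions no superglobal and no currently un-trusted variable."""
    call = CALL_RE.match(expr.strip())
    if call and call.group(1) in SANITIZERS:
        return True
    return not any(v in UNTRUSTED_SOURCES or v in tainted
                   for v in VAR_RE.findall(expr))


def detect_untrusted(numbered_lines, params=()):
    """Phase 2: one forward pass over a module.  A variable is un-trusted while
    its most recent assignment depends on un-trusted data; a clean reassignment
    clears it.  Function parameters are assumed un-trusted (callers unknown)."""
    tainted = set(params)
    findings = []                       # (line_no, variable) for each tainting assignment
    for lineno, line in numbered_lines:
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        lhs, op, rhs = m.groups()
        rhs_trusted = is_trusted_expr(rhs, tainted)
        if op == ".=" and lhs in tainted:
            rhs_trusted = False         # appending to an un-trusted string keeps it un-trusted
        if rhs_trusted:
            tainted.discard(lhs)
        else:
            tainted.add(lhs)
            findings.append((lineno, lhs))
    return sorted(tainted), findings


def analyze(php_source):
    """Run both phases; returns {module: (untrusted_at_exit, findings)}."""
    report = {}
    for name, numbered in extract_modules(php_source).items():
        params = ()
        if name != "<main>":
            header = numbered[0][1]
            params = tuple(VAR_RE.findall(header[: header.find(")") + 1]))
        report[name] = detect_untrusted(numbered, params)
    return report


if __name__ == "__main__":
    for module, (untrusted, findings) in analyze(SAMPLE).items():
        print(f"{module}: un-trusted at exit = {untrusted}")
        for lineno, var in findings:
            print(f"  line {lineno}: {var} receives un-trusted data")
```

    On the sample, the top-level module ends with $id, $greeting and $q un-trusted ($name is cleared by its later constant assignment, and $safe_id never becomes un-trusted because intval is on the sanitizer list), while inside show() the parameter $user and the derived $msg are flagged but $esc is not. The point to take from the design, rather than the toy regexes, is that the analysis has to be flow-sensitive (a later clean assignment clears taint), must follow string interpolation and concatenation, and must be conservative about module boundaries, which is exactly where a weakly typed language like PHP offers no type information to lean on.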
  • Keywords
    Internet; program diagnostics; security of data; PHP Web application security; server-side program; static analysis algorithm; static un-trusted variable detection; Algorithm design and analysis; Application software; Computer science; Computer security; Laboratories; Large-scale systems; Performance analysis; Phase detection; Prototypes; Testing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    E-Business and Information System Security, 2009. EBISS '09. International Conference on
  • Conference_Location
    Wuhan
  • Print_ISBN
    978-1-4244-2909-7
  • Electronic_ISBN
    978-1-4244-2910-3
  • Type
    conf
  • DOI
    10.1109/EBISS.2009.5138078
  • Filename
    5138078