AllScanTool

For the r/PHP Community

Scan the PHP before it hits production.

We scan, then we forget. You keep what you want.

You already know the PHP threat model better than most — unsanitised input reaching $wpdb or PDO, eval() and dynamic includes that should never have shipped, file uploads that trust the extension, and legacy code that predates prepared statements. Knowing the patterns is one thing; catching every one of them across a plugin, a custom app, or a backend you inherited at 2am is another. AllScanTool is a fast second pass for exactly that. Paste your PHP and the Delivery-Layer Engine flags SQL injection, unsafe eval() and command execution, risky upload and include handling, weak hashing, and hardcoded credentials — each with the line number, a severity, and a concrete fix. It runs in your browser and forgets your code the moment you leave. No logs. No storage. No retention. Your code stays private.

You know the PHP footguns. The hard part is catching every one.

These are the recurring ways PHP code ships with a vulnerability still in it — the exact patterns a line-by-line scan is built to surface before deploy.

Unsanitised input reaching the database

A request value concatenated into a query — $wpdb, PDO, or raw mysqli — is still the most common PHP vulnerability. One missed prepare() is all it takes.

eval() and dynamic includes

eval(), create_function(), and variable include paths built from user input turn a small oversight into remote code execution. Easy to write, easy to miss in review.

File uploads that trust the client

Checking only the extension or the supplied MIME type lets a .php slip through as an image. Upload handling is where a lot of PHP apps quietly become exploitable.

Legacy code that predates prepared statements

You inherit an app written before PDO was the norm — mysql_query, manual escaping, md5 passwords. It works, so nobody audits it until something goes wrong.

Hardcoded credentials in config and includes

DB passwords, API keys, and secrets pasted straight into wp-config.php or a settings file — then committed to the repo and forgotten until a leak.

Command and shell calls on user input

exec(), shell_exec(), and system() built from request data open command injection. Sometimes it is your code; sometimes it is a dependency you pulled in.
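The pattern above, as an added example that is not AllScanTool's own code: request data reaching shell_exec(), beside two rewrites, strict validation plus escapeshellarg() and then dropping the shell entirely with an argv array. The "ping a host" feature, the HOST_PATTERN constant and the function names are constructed for illustration.

```php
<?php
// Added example, not AllScanTool's own code: request data reaching shell_exec(),
// beside two rewrites: strict validation plus escapeshellarg(), and dropping the
// shell entirely with an argv array. The "ping a host" feature is a constructed scenario.

declare(strict_types=1);

// Hostname/IP shape: letters, digits, dots and hyphens only, 1 to 253 characters.
const HOST_PATTERN = '/^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$/';

// --- VULNERABLE: the request value is pasted into a shell command line ------
function ping_unsafe(array $post): string
{
    // Shell metacharacters in $post['host'] (a ';', a '|', a '$(...)') make the
    // shell run whatever follows them as the web server user.
    return (string) shell_exec('ping -c 1 ' . $post['host']);
}

// --- FIXED: validate the shape, then quote so it is exactly one argument ----
function ping_safe(array $post): ?string
{
    $host = $post['host'] ?? '';
    if (!is_string($host) || !preg_match(HOST_PATTERN, $host)) {
        return null;   // refuse rather than try to "clean" the value
    }
    // escapeshellarg() is still applied after validation: defence in depth
    // if someone later loosens HOST_PATTERN.
    exec('ping -c 1 ' . escapeshellarg($host) . ' 2>&1', $lines, $status);
    return implode("\n", $lines);
}

// --- BETTER: no shell at all; each argv element reaches execve() as-is ------
function ping_no_shell(string $host): ?string
{
    if (!preg_match(HOST_PATTERN, $host)) {
        return null;
    }
    $spec  = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $pipes = [];
    // Passing an array (PHP 7.4+) bypasses /bin/sh, so there is no command
    // line to inject into; the host is one argument no matter what it contains.
    $proc = proc_open(['ping', '-c', '1', $host], $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Demonstration with constructed inputs; the rejections need no network access.
var_dump(ping_safe(['host' => 'example.com;extra']));   // fails HOST_PATTERN, so no command runs
var_dump(ping_safe(['host' => 'example.com|extra']));   // same: rejected before exec()
var_dump(escapeshellarg('example.com;extra'));           // how the value would be quoted if it got that far
```

The validation step is the real control; escapeshellarg() and the argv form are belt and braces, so that a later relaxation of HOST_PATTERN does not silently reintroduce the injection.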

Ask AST

The questions PHP developers actually run into — from plugins to legacy backends — answered with the specific line, the severity, and the fix.

Q: This query builds a string from $_GET before hitting the database — is it open to SQL injection?

Paste it. AST traces whether the request value reaches your query unparameterised and, if it does, flags the exact line and rewrites it with a prepared statement — $wpdb->prepare() or a PDO bound parameter, depending on what your code uses.
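The "unsanitised input reaching the database" pattern and the rewrite this answer describes, as an added example that is not AllScanTool's own code: the concatenated query beside a PDO bound parameter and a $wpdb->prepare() version. The `posts` table, its rows and the function names are constructed; the $wpdb variant assumes WordPress's global $wpdb object and is shown but not executed by the script.

```php
<?php
// Added example, not AllScanTool's own code: the "request value concatenated
// into a query" pattern, beside the PDO and $wpdb rewrites the page refers to.
// Assumptions: a constructed `posts` table (id, title, status); the $wpdb
// variant assumes WordPress's global $wpdb and is shown but not executed here.

declare(strict_types=1);

// --- VULNERABLE: the request string becomes part of the SQL text -------------
function find_posts_unsafe(PDO $pdo, array $get): array
{
    $sql = 'SELECT id, title FROM posts WHERE id = ' . $get['id'];
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- FIXED (PDO): the value is bound, so it can only ever be data ------------
function find_posts_pdo(PDO $pdo, array $get): array
{
    // Coerce to the expected type first: a non-integer id is simply "no rows".
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];
    }
    $stmt = $pdo->prepare('SELECT id, title FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- FIXED (WordPress): $wpdb->prepare() with %d / %s placeholders ----------
function find_posts_wpdb(array $get): array
{
    global $wpdb;
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];
    }
    // prepare() quotes %s itself, so placeholders are written without quotes.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d AND post_status = %s",
        $id,
        'publish'
    );
    return $wpdb->get_results($sql, ARRAY_A);
}

// Self-contained run against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)');
$pdo->exec("INSERT INTO posts VALUES (1, 'public post', 'publish'), (2, 'private draft', 'draft')");

$hostile = ['id' => '1 OR 1=1'];   // constructed request input: valid SQL, not a valid id
printf("unsafe: %d rows (the OR 1=1 reached the database)\n", count(find_posts_unsafe($pdo, $hostile)));
printf("pdo:    %d rows (rejected before any query was built)\n", count(find_posts_pdo($pdo, $hostile)));
printf("pdo:    %d rows for a genuine id\n", count(find_posts_pdo($pdo, ['id' => '2'])));
```

The type check in front of the prepared statement is not what stops the injection (binding does that); it is there so that a nonsensical id produces an empty result instead of a database error that leaks the query shape.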

Q: I have an eval() in some inherited code — how do I know if it is actually exploitable?

AST checks whether anything user-controlled can reach that eval() or dynamic include. It marks the severity, shows the path the input takes, and suggests a safe replacement so you can justify removing or rewriting it.
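The "eval() and dynamic includes" pattern and the safe replacement this answer mentions, as an added example that is not AllScanTool's own code: a request-driven include and an eval() over stored data, each beside a rewrite that removes the code path. The pages/ directory layout, the PAGES map and the JSON settings format are constructed assumptions.

```php
<?php
// Added example, not AllScanTool's own code: a request-driven include and an
// eval() on stored data, each beside the rewrite that removes the code path.
// The pages/ directory layout and the settings format are constructed.

declare(strict_types=1);

// --- VULNERABLE: the request value is spliced into the include path --------
function render_page_unsafe(array $get): void
{
    // Traversal sequences, or a path to any file the client can write to
    // (an upload, a log), turn this into file disclosure or code execution.
    include __DIR__ . '/pages/' . $get['page'] . '.php';
}

// --- FIXED: the request value only selects a key in a fixed map ------------
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(array $get): ?string
{
    $key = $get['page'] ?? 'home';
    // No user-supplied characters reach the filesystem: the key must match
    // one of the map's entries exactly, and the path itself comes from the map.
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$key];
}

function render_page_safe(array $get): void
{
    $path = resolve_page($get);
    if ($path === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;
}

// --- eval() on stored "data" is the same bug: parse the data instead --------
function load_settings_unsafe(string $body): array
{
    // Settings kept as PHP source: whoever can write $body runs code.
    return (array) eval('return ' . $body . ';');
}

function load_settings_safe(string $body): array
{
    // JSON expresses the same structure and has no code path at all.
    $data = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('settings must be a JSON object');
    }
    return $data;
}

// Demonstration with constructed inputs; nothing here calls the unsafe functions.
var_dump(resolve_page(['page' => 'about']));          // a key present in PAGES
var_dump(resolve_page(['page' => '../../config']));   // not a key in PAGES, so rejected
var_dump(load_settings_safe('{"debug": false, "retries": 3}'));
```

The question to ask of any eval() or variable include is the one the answer above asks: can anything user-controlled reach it? An allowlist map answers that with "no" by construction, which is easier to defend in review than an escaping routine.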

Q: My plugin accepts file uploads — what should I check before users can hit it?

Paste the upload handler. AST flags extension-only or MIME-only validation, missing type allowlists, and uploads written into web-served directories, then explains how to validate properly and store outside the docroot.
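The "file uploads that trust the client" pattern and the checks this answer lists, as an added example that is not AllScanTool's own code: the MIME-only check beside a handler that validates the bytes, assigns its own filename and stores outside the docroot. UPLOAD_DIR, the `avatar` form field and the helper names are constructed assumptions.

```php
<?php
// Added example, not AllScanTool's own code: the extension/MIME-only check the
// page calls out, beside a handler that validates the bytes, names the file
// itself and stores it outside the docroot. UPLOAD_DIR and the form field name
// are constructed assumptions.

declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // outside the web root: nothing here is served as PHP
const MAX_BYTES  = 2 * 1024 * 1024;

// Detected MIME type => the extension WE assign; the client's filename is never used.
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

// --- VULNERABLE: the type and the name both come from the request ----------
function save_upload_unsafe(array $file): string
{
    // $file['type'] is whatever the client declared; a .php file declared as
    // image/png passes and is written, under its own name, into a served directory.
    if (strpos($file['type'], 'image/') !== 0) {
        throw new RuntimeException('not an image');
    }
    $dest = $_SERVER['DOCUMENT_ROOT'] . '/uploads/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- FIXED: classify by content, choose the name, store off the web root ---
function classify_upload(string $tmpPath, int $size): string
{
    if ($size <= 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file is empty or too large');
    }
    // libmagic looks at the bytes, not the name or the declared type.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || !isset(ALLOWED_TYPES[$detected])) {
        throw new RuntimeException('unsupported content type: ' . var_export($detected, true));
    }
    // Independent second check: the file must actually decode as an image.
    if (@getimagesize($tmpPath) === false) {
        throw new RuntimeException('not a decodable image');
    }
    return ALLOWED_TYPES[$detected];
}

function save_upload_safe(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $ext  = classify_upload($file['tmp_name'], (int) $file['size']);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // random name, no client-chosen characters
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;   // record this in the database; serve it via serve_upload()
}

// Files are read back by a script, so the bytes are sent as data, never executed.
function serve_upload(string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(png|jpg|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED_TYPES, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Usage inside the handler: $stored = save_upload_safe($_FILES['avatar']);
// Offline demonstration: plain text named like an image is still rejected by content.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, 'this is plain text, not a PNG');
try {
    classify_upload($tmp, (int) filesize($tmp));
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
unlink($tmp);
```

Three things change hands here: the type is decided from the bytes, the name is decided by the server, and the storage location is one the web server never executes from. Each one alone closes a different route by which a .php file gets treated as an image.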

Q: I am modernising a legacy PHP app — where are the real security problems hiding?

Paste the files. AST surfaces deprecated mysql_* calls, manual escaping, md5/sha1 password hashing, and hardcoded secrets, ranked by severity, so you fix the genuinely dangerous parts before cosmetic refactors.
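The "legacy code that predates prepared statements" pattern and the md5 password hashing this answer ranks, as an added example that is not AllScanTool's own code: an inherited md5-based login beside a version that verifies with password_verify() and rehashes each legacy row on its next successful login, so no forced reset is needed. The `users` schema, the sample row and the function names are constructed.

```php
<?php
// Added example, not AllScanTool's own code: moving an inherited users table
// off unsalted md5 password hashes to password_hash(), rehashing on each
// successful login instead of forcing a reset. The `users` schema is constructed.

declare(strict_types=1);

// --- LEGACY: what the inherited login did ----------------------------------
function login_legacy(PDO $pdo, string $username, string $password): bool
{
    // Unsalted md5: identical passwords share a hash, and precomputed tables
    // recover most of them quickly. The query concatenates input as well.
    $row = $pdo->query("SELECT password_hash FROM users WHERE username = '$username'")->fetch();
    return $row !== false && $row['password_hash'] === md5($password);
}

// --- FIXED: verify with password_verify(), upgrade legacy rows on the fly ---
function login_and_upgrade(PDO $pdo, string $username, string $password): bool
{
    static $dummy = null;
    $dummy ??= password_hash('unknown-user-placeholder', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Do the same work for unknown users so timing does not reveal who exists.
        password_verify($password, $dummy);
        return false;
    }

    $stored   = (string) $row['password_hash'];
    $isLegacy = (bool) preg_match('/^[a-f0-9]{32}$/i', $stored);   // bare md5 hex
    if ($isLegacy) {
        $ok = hash_equals(strtolower($stored), md5($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false;
    }

    // A successful login is the only moment the plaintext is available: rehash now.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return true;
}

function stored_hash(PDO $pdo, string $username): string
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return (string) $stmt->fetchColumn();
}

// Self-contained run: one constructed legacy row in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'alice', ':h' => md5('correct horse battery staple')]);

var_dump(login_and_upgrade($pdo, 'alice', 'wrong password'));                 // rejected; row left as md5
var_dump(login_and_upgrade($pdo, 'alice', 'correct horse battery staple'));   // accepted via the md5 path, then rehashed
echo 'stored hash now starts with: ', substr(stored_hash($pdo, 'alice'), 0, 4), "\n";
var_dump(login_and_upgrade($pdo, 'alice', 'correct horse battery staple'));   // accepted via password_verify()
```

Once every active account has logged in, the remaining md5 rows belong to dormant users and can be forced through a reset, which is a much smaller list than the whole table.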
