Try free for 15 days — no credit card required. Billing starts January 1, 2027 at $7.95 per month.
For freelancers & small teams
Paste your code. Get instant, safe fixes.
AllScanTool scans PHP, JS, HTML, CSS, WordPress, and embeds with clear, copy‑pasteable fixes.
🔒 No storage
⚡ Instant results
🎯 Built for freelancers
code scan — functions.php
$id = $_GET['id'];
$q = "SELECT * FROM users WHERE id = " . $id;
echo $_POST['comment'];
eval($_GET['code']);
Critical: SQL injection — line 2
High: Unescaped output — line 3
Critical: eval() detected — line 4
What it catches
WordPress
Critical
eval($_GET['code']); — dynamic code execution detected in functions.php
Remove eval() — use a whitelist of allowed functions instead.
Critical
$q = "SELECT * FROM users WHERE id = " . $_GET['id'];
Use $wpdb->prepare() with parameterized queries.
High
echo $_POST['comment']; — unescaped user output in template
Use esc_html( $_POST['comment'] ) before output.
High
AJAX handler missing nonce check — any visitor can trigger it
Add check_ajax_referer( 'my_action', 'nonce' ) at the top.
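The four WordPress findings above, shown as the flagged pattern beside a hardened replacement. This is an added example, not AllScanTool's own code or output; it assumes a WordPress runtime ($wpdb, esc_html, check_ajax_referer, wp_send_json_*), and the example_* function names and the 'upper'/'lower'/'trim' allow-list are hypothetical.

```php
<?php
// Added example (not AllScanTool's code): each WordPress finding from the scan
// paired with a hardened version. Assumes a WordPress runtime is loaded.

// 1. SQL injection: never concatenate request input into SQL.
// Before: $q = "SELECT * FROM users WHERE id = " . $_GET['id'];
function example_get_user( $raw_id ) {
    global $wpdb;
    $id  = absint( $raw_id );                        // coerce to a non-negative integer
    $sql = $wpdb->prepare( "SELECT * FROM {$wpdb->users} WHERE ID = %d", $id );
    return $wpdb->get_row( $sql );
}

// 2. Unescaped output: escape at the point of output, for the HTML context used.
// Before: echo $_POST['comment'];
function example_render_comment( $raw_comment ) {
    return esc_html( wp_unslash( $raw_comment ) );
}

// 3. eval(): replace dynamic code execution with a fixed allow-list of callables.
// Before: eval($_GET['code']);
function example_dispatch( $action, $arg ) {
    $allowed = array(                                // hypothetical allow-list
        'upper' => 'strtoupper',
        'lower' => 'strtolower',
        'trim'  => 'trim',
    );
    if ( ! isset( $allowed[ $action ] ) ) {
        return null;                                 // unknown action: refuse, never eval
    }
    return call_user_func( $allowed[ $action ], (string) $arg );
}

// 4. AJAX handler without a nonce: verify the nonce (and a capability) first.
function example_ajax_handler() {
    check_ajax_referer( 'my_action', 'nonce' );      // dies with 403 on a bad/missing nonce
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $comment = isset( $_POST['comment'] ) ? example_render_comment( $_POST['comment'] ) : '';
    wp_send_json_success( array( 'comment' => $comment ) );
}
add_action( 'wp_ajax_my_action', 'example_ajax_handler' );
```

The nonce for the request is generated server-side with wp_create_nonce( 'my_action' ) and posted back in the 'nonce' field that check_ajax_referer() reads.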
Shopify
High
{{ customer.email }} output unescaped in Liquid template
Use {{ customer.email | escape }} to prevent XSS.
High
Hardcoded API key found in theme.js — visible to all visitors
Move to Shopify metafields or a serverless proxy endpoint.
TikTok embeds
FYI
TikTok embed detected — sends visitor data to TikTok servers on load
Add a consent wrapper or note in client privacy policy (required for EU).
YouTube embeds
FYI
YouTube embed sends visitor IP to Google on every page load
Switch to youtube-nocookie.com domain or add a click-to-load wrapper.
Other embeds & third-party scripts
FYI
Facebook Pixel detected — tracks visitors across sites without consent prompt
Add cookie consent gate before firing the Pixel (required under GDPR).
FYI
Instagram embed loading from external CDN — slows page and leaks referrer
Use a server-side Instagram oEmbed or a privacy-first embed service.
High
Script loaded from unknown external domain — supply chain risk
Audit the source. If unnecessary, remove it. If needed, self-host it.