Hi Herve,
Thanks for replying.

What I'm trying to build is a scanner for bad code, using PHP functions as a start (but it can and hopefully will go beyond that). So if you can share what kind of bad code I should look for, I'll try to put it in.

As of now, things like "fopen($file)" are flagged, but it's still very far from useful.
Here's a sample bit of output for a couple of ranked functions:
smarty/core/core.write_compiled_resource.php
  :28: [3] (PHP) require_once (http://www.php.net/manual/en/function.require-once.php): Includes and evaluates the specified file, once, during the execution of the script. May disclose physical paths if file is not readable.
      require_once(SMARTY_DIR . 'core' . DIRECTORY_SEPARATOR . 'core.write_file.php');

smarty/core/core.write_compiled_include.php
  :72: [3] (PHP) require_once (http://www.php.net/manual/en/function.require-once.php): Includes and evaluates the specified file, once, during the execution of the script. May disclose physical paths if file is not readable.
      require_once(SMARTY_DIR . 'core' . DIRECTORY_SEPARATOR . 'core.write_file.php');

mail/phpmailer/class.phpmailer.php
  :520: [4] (PHP) fopen (http://www.php.net/manual/en/function.fopen.php): Parameter ($queue_path . $msg_id . ".pqm") has a '$'; fopen may be exploitable if users can inject $queue_path . $msg_id . ".pqm". Use a constant or a filename as argument to fopen. May disclose physical paths if file is not readable.
      $fp = @fopen($queue_path . $msg_id . ".pqm", "wb");
  :664: [5] (PHP) include_once (http://www.php.net/manual/en/function.include-once.php): Included file parameter ($this->PluginDir . "class.smtp.php") has a '$'; may allow execution of arbitrary code. Use a constant or a filename as argument to include_once. May disclose physical paths if file is not readable.
      include_once($this->PluginDir . "class.smtp.php");
  :1245: [4] (PHP) fopen (http://www.php.net/manual/en/function.fopen.php): Parameter ($path) has a '$'; fopen may be exploitable if users can inject $path. Use a constant or a filename as argument to fopen. May disclose physical paths if file is not readable.
      if(!@$fd = fopen($path, "rb"))

snoopy.php
  :983: [4] (PHP) file (http://www.php.net/manual/en/function.file.php): Parameter ("/tmp/$headerfile") has a '$'; file may be exploitable if users can inject "/tmp/$headerfile". Use a constant or a filename as argument to file. May disclose physical paths if file is not readable.
      $result_headers = file("/tmp/$headerfile");
  :1193: [4] (PHP) fopen (http://www.php.net/manual/en/function.fopen.php): Parameter ($file_name) has a '$'; fopen may be exploitable if users can inject $file_name. Use a constant or a filename as argument to fopen. May disclose physical paths if file is not readable.
      $fp = fopen($file_name, "r");
Still a long way to go... but it might work.

Looks good in preview, then borks on submit.

When I get home I'll upload it and then re-post...
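The kind of check the scanner output above is doing, as an added example that is not the poster's scanner and not code from any of the projects it was run against. It is written in Python, since the language of the original tool is not given, and it makes three refinements a practitioner would want on top of "the argument contains a '$'": a single-quoted '$literal' is not a variable in PHP and is not flagged; the first parameter is extracted with balanced parentheses so a concatenation with commas inside strings is not cut short; and a variable that was assigned from a request superglobal ($_GET, $_POST, ...) earlier in the same file is ranked one step higher than a plain variable such as $this->PluginDir. The function list, the severity numbers (3 for a constant argument, 4 for file functions, 5 for the include family, plus one when the argument is user-derived) and the sample PHP source are all assumptions constructed for this example; the sample mirrors the lines the scanner flagged above.

```python
import re
from dataclasses import dataclass

# Severity table: an assumption for this example, not the original scanner's ranking.
# The include family is highest because a tainted path there is code execution,
# not just file access.
SENSITIVE = {
    "fopen": 4, "file": 4, "file_get_contents": 4, "readfile": 4, "unlink": 4,
    "include": 5, "include_once": 5, "require": 5, "require_once": 5,
}
CONSTANT_SCORE = 3  # sensitive function, but no variable in its first parameter

SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES|SERVER)\b")
VARIABLE = re.compile(r"\$\w+")
SQ_STRING = re.compile(r"'(?:\\.|[^'\\])*'")  # '$x' in single quotes is a literal in PHP
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=[^=]")
# Longest names first so "include" does not shadow "include_once"; the lookbehind
# keeps "$file" (a variable) and "->file(" (a method) from matching.
CALL = re.compile(r"(?<![\w$>])("
                  + "|".join(sorted(map(re.escape, SENSITIVE), key=len, reverse=True))
                  + r")\b")


@dataclass
class Finding:
    line: int
    score: int
    func: str
    param: str
    reason: str
    code: str


def first_param(rest: str) -> str:
    """Text of the first parameter after a function name: up to the first top-level
    comma or the closing parenthesis, or up to ';' for the paren-less include 'x.php';"""
    rest = rest.lstrip()
    if not rest.startswith("("):
        return rest.split(";", 1)[0].strip()
    depth, quote, end = 0, None, None
    for i, ch in enumerate(rest):
        if quote:                                  # inside a string: only look for its end
            if ch == quote and rest[i - 1] != "\\":
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                end = i
                break
        elif ch == "," and depth == 1:
            end = i
            break
    return rest[1:end].strip() if end is not None else rest[1:].strip()


def scan(source: str) -> list:
    """Flow-insensitive, line-by-line scan of one PHP file; returns a list of Finding."""
    tainted, findings = set(), []
    for lineno, raw in enumerate(source.splitlines(), 1):
        if raw.lstrip().startswith(("//", "#", "*", "/*")):
            continue                               # whole-line comment
        m = ASSIGN.match(raw)
        if m:                                      # $var = <something built from user input>
            rhs = raw[m.end(1):]
            if SUPERGLOBAL.search(rhs) or tainted & set(VARIABLE.findall(rhs)):
                tainted.add(m.group(1))
        for call in CALL.finditer(raw):
            func = call.group(1)
            param = first_param(raw[call.end():])
            code = SQ_STRING.sub("''", param)      # drop literal strings before looking for '$'
            variables = set(VARIABLE.findall(code))
            if not variables:
                score, reason = CONSTANT_SCORE, "argument has no variable"
            elif SUPERGLOBAL.search(code) or variables & tainted:
                score, reason = SENSITIVE[func] + 1, "argument derived from a request superglobal"
            else:
                score, reason = SENSITIVE[func], "argument contains a variable"
            findings.append(Finding(lineno, score, func, param, reason, raw.strip()))
    return findings


def report(filename: str, findings: list) -> str:
    """Plain-text report in the same shape as the output above, highest score first."""
    lines = [filename]
    for f in sorted(findings, key=lambda f: -f.score):
        lines.append(f"  :{f.line}: [{f.score}] {f.func}({f.param}) -- {f.reason}")
        lines.append(f"      {f.code}")
    return "\n".join(lines)


# Constructed sample input (not real project code) mirroring the flagged lines above,
# plus a superglobal-derived path, a single-quoted '$literal' and a commented-out call.
SAMPLE = r'''<?php
require_once(SMARTY_DIR . 'core' . DIRECTORY_SEPARATOR . 'core.write_file.php');
$fp = @fopen($queue_path . $msg_id . ".pqm", "wb");
include_once($this->PluginDir . "class.smtp.php");
$result_headers = file("/tmp/$headerfile");
$name = $_GET['name'];
$path = '/var/log/' . $name;
if(!@$fd = fopen($path, "rb")) { die(); }
$log = file('/tmp/$literal.log');
// fopen($commented, "r");
'''

if __name__ == "__main__":
    print(report("sample.php", scan(SAMPLE)))
```

The taint tracking is deliberately crude: one assignment per line, no functions, no arrays, no sanitisers such as basename(), so it will still rank a properly validated path at 5. That is the right bias for a first pass (a reviewer can dismiss a finding faster than they can find a missing one), but anything smarter needs a real PHP parser rather than regexes.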