Research And Implement Of PHP Code Defect Detection Technology Based On Static And Dynamic Analysis

With the rapid development of the Internet , Internet users are expanding and the total number of websites is increasing , web application is becoming more and more close with our life. Web page is no longer just a simple static html page , but produced by a variety of dynamic scripting language , PHP is the most popular language in web application development, it's easy to get started because of its easy syntax . However the web system faces a growing number of hacker attacks due to the storage of large amounts of user data , and a large number of user information disclosure incidents occur from time to time, many junior develpers do not have basic security knowledge , so the products have to go through the code audit of security personnel before on line . Howerer , the efficiency of manual audit is too low , and typical open-source static code tools Rips and commercial tools Fortify are not very good, false alarm rate is too high,on the other hand, dynamic tools are not suitable for certain specific scenes and they requires a lot of manual intervention, there is also no ideal open source dynamic analysis tool. So researching and designing an accurate and reliable code audit product is a hotspot of the current domestic and international research.In this paper, after deep research on the lexical analysis, grammar analysis, data flow analysis , fuzzing technology and reflection technology,combined with the actual scene encountered by the author and the actual experience when doing the penetration test, we put forward a kind of code defect detection technology based on the combination of static and dynamic analysis . Static analysis is relatively efficient, it's mainly used to analyze the code syntax, accurately locate the dangerous functions,stain back, and output the sinks propagation path, through analysing the abstract syntax tree, according to the custom security rules. Dynamic analysis is mainly used to improve the accuracy, based on reflection technology and Fuzzing technology,it uses a reflection technique to dynamically invoke a user-defined filtering function to determine whether the function is a purification function by comparing the input and the output according to a pre-defined security rule.