Spike PHP Security Audit Tool
SpikeSource recently released the Spike PHP Security Audit Tool, providing static analysis of PHP code for finding security exploits. I'm quite excited to try this out, but couldn't get a working installation happening.
First off, the requirements don't state it but you'll need PHP5 to make this run (due to the use of private/public function designations within classes). Secondly, I set up the tool on one of my PHP5 sites, but then ran into a warning about the use of (the deprecated) call-time pass-by-reference. Unfortunately, my PHP5 hosting accounts do not provide access to php.ini so I am not able to edit this setting unless I recompile PHP. I tried setting a php_flag in .htaccess, but this also failed (the server likely doesn't allow overrides).
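For readers hitting the same warning on a host where php.ini is off limits: the construct involved, and the rewrite that avoids it, look like this. This is an added example and not code from the Spike tool; the `append_finding` function and the finding messages are constructed for illustration.

```php
<?php
// Added example, not part of Spike PHP Security Audit Tool.
// Shows what triggers the "call-time pass-by-reference" warning and the
// equivalent that runs cleanly on PHP 4 and PHP 5 without php.ini changes.

// Deprecated style: the ampersand is written at the CALL site.
// On PHP 5 this warns unless allow_call_time_pass_reference is On, and
// from PHP 5.4 onward it is a fatal parse error, so it is shown only as a comment:
//
//     append_finding(&$findings, 12, 'unescaped $_GET value used in SQL query');

// Portable style: declare the reference in the function SIGNATURE instead.
// The caller then passes $findings normally and the function still mutates it.
function append_finding(&$findings, $line, $msg) {
    $findings[] = array('line' => $line, 'msg' => $msg);
}

$findings = array();
// Sample findings below are constructed, not real tool output.
append_finding($findings, 12, 'unescaped $_GET value used in SQL query');
append_finding($findings, 40, 'include() path built from user input');

echo count($findings) . " findings\n";
foreach ($findings as $f) {
    echo "line {$f['line']}: {$f['msg']}\n";
}
```

If you do control the configuration, the switch is `allow_call_time_pass_reference = On` in php.ini or `php_flag allow_call_time_pass_reference On` in .htaccess; Apache honours the .htaccess form only where `AllowOverride` permits `Options`, which matches the override failure described above. Since the directive was removed in PHP 5.4, moving the `&` into the function signature is the change that keeps working.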
Apparently, a PHP4-compatible version is due out this week, so I'll have to wait for that or a PHP5 version that doesn't require call-time pass-by-reference.
UPDATE: Spike PHP Security Audit Tool version 0.23 was released just hours after this post! PHP4 compatible. It runs on the command line, something I didn't realize at first. The report formatting is pretty plain. The "feedback" the tool provides is decent; it shows where problems might be. Ultimately, the effectiveness of the tool will be largely determined by the coding skills of the programmer using it.