The Open Source Technology Improvement Fund, Inc., engaged with Quarkslab to perform a security audit of the code snippets in the English version of PHP documentation, focused on some specific pages.


Introduction

PHP remains one of the most widely used languages in software development, powering everything from dynamic websites to backend services and automation scripts. With such broad usage, developers often turn to the official PHP documentation as a primary resource for learning and reference. However, if that documentation lacks proper security guidance or contains outdated examples, it can unintentionally encourage insecure coding practices. Performing a security review of PHP documentation is therefore essential—not only to promote modern, secure development standards, but also to help protect applications and users from common vulnerabilities.

To that end, the Open Source Technology Improvement Fund, Inc. and the PHP Foundation engaged with Quarkslab to perform a security audit of the code snippets in the English version of PHP documentation, focused on some specific pages. The PHP documentation (i.e., the manual) consists primarily of a function reference, but also contains a language reference, explanations of some of PHP's major features, and other supplemental information. It covers the two most recent major releases of PHP (versions 7 and 8). Users can also post comments on some pages, and those comments are displayed alongside the official content.

Scope of work

The objective of this collaboration was to perform a security review of the PHP documentation in order to obtain an overall assessment of the quality of the code snippets it contains. As the documentation is quite extensive, the scope was narrowed according to agreed priorities and the review was performed on a best-effort basis within the allocated time frame.

Quarkslab based the review on the following priorities, as agreed with the OSTIF and PHP Foundation:

  • Documentation code snippet review as first priority
    • Focus on specific topics, starting with the filesystem, then cryptography, and further topics if time permitted and they were relevant
  • Then focus on code snippets posted in user comments

Note: For clarity, the security review report lists every documentation page that was reviewed.

The security review was performed over 10 days.

Findings

During the time frame of the security audit, Quarkslab discovered several security issues and vulnerabilities. Because the scope was limited to code snippets and user comments rather than a deployed application, no severity ranking is provided.

In total, 81 issues were observed. All details are provided in the report.

Warning
Since the scope focused on code examples, some patterns that would be issues in production code (e.g., hardcoded secret keys) were not counted as findings, because their purpose is to keep the example short and illustrative. Following Quarkslab's recommendations, the PHP Foundation should have added disclaimers and notes warning readers not to reproduce such practices.

Conclusion

Initial review

Quarkslab conducted a security assessment of several PHP documentation pages, with particular attention to user comments on the most heavily commented pages. The review revealed three recurring problems. First, code quality best practices were not consistently enforced in the snippets (e.g., error handling and input validation), which poses a real risk when a snippet is copied verbatim into an implementation. Second, documentation for deprecated functions was not always updated. Third, user comments, especially older ones, should not be trusted by default, since the language has evolved considerably since many of them were written.
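To make the copy-paste risk concrete, the following is a constructed illustration added to this post; it is not a snippet from the PHP manual, from a user comment, or from the audit report. It shows a minimal filesystem example in the style that the review flagged, reading a file named by request input without validating it or checking for failure, beside a version that does both. The `uploads/` directory, the `name` request parameter, and the use of PHP 8 string functions (`str_contains`, `str_starts_with`) are assumptions.

```php
<?php
// Constructed example, not from the PHP manual or the audit report.
// The 'uploads' directory and the 'name' parameter are assumptions.

// --- Example-style snippet: no input validation, no error handling ---
// Whatever arrives in ?name= is concatenated into the path, so "../"
// sequences are honoured, and the false that file_get_contents() returns
// on failure is silently turned into an empty string by echo.
function readUploadNaive($name)
{
    return file_get_contents('uploads/' . $name);
}

// --- Hardened version: validate the input, handle failures explicitly ---
function readUploadSafe(string $name): string
{
    // Accept only a plain file name: a bounded character set, no directory
    // separators, and no ".." even though the character class allows dots.
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $name) || str_contains($name, '..')) {
        throw new InvalidArgumentException('invalid file name');
    }

    // realpath() returns false when the directory is missing; treat that as
    // a configuration error rather than letting a relative path be used.
    $base = realpath(__DIR__ . '/uploads');
    if ($base === false) {
        throw new RuntimeException('upload directory is missing');
    }

    // realpath() also resolves symlinks, so the prefix check below rejects a
    // link inside uploads/ that points outside it. A false result means the
    // file does not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('file not found');
    }

    // file_get_contents() signals failure with false, not an exception;
    // checking it here keeps an unreadable file from becoming "" downstream.
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException('unable to read file');
    }
    return $data;
}

// Usage: the caller decides how a failure is reported instead of
// silently emitting an empty body.
try {
    echo readUploadSafe($_GET['name'] ?? '');
} catch (InvalidArgumentException | RuntimeException $e) {
    http_response_code(400);
    echo 'error: ' . $e->getMessage();
}
```

The hardened version is deliberately verbose for a manual page; the point is that a snippet which omits these checks should say so, since readers copying it into an application otherwise inherit both the missing validation and the silently swallowed failure.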

After several months

The PHP maintainers incorporated Quarkslab's audit recommendations, improving the overall quality of the PHP documentation. Quarkslab nevertheless recommends rendering the appendix introduced in pull request 4797 on the documentation site, to further promote best practices in error handling and input validation.

Note: Before this blog post was published, the PHP maintainers informed Quarkslab that the issue regarding the appendix had been resolved; Quarkslab did not verify this point and relied on the PHP maintainers' assurance.

Quarkslab acknowledges the prompt responses of the PHP Foundation team members in fixing the issues observed in the documentation. Finally, we would like to thank the OSTIF team and the PHP Foundation for their support and collaboration throughout this security review.

Further reading


If you would like to learn more about our security audits and explore how we can help you, get in touch with us!