Hi Mark,
Thanks for the devoted involvement. I'm just thinking of what would happen if the hacker uses, let's say, `eval (...`
or `eval
(` - I just checked and PHP seems to be fine with the parenthesis being on a new line or with any amount of whitespace between the function name and the parenthesis.
Technically, in all the cases where I've seen a hacker's code, it's usually on one line with no spaces whatsoever, but if I were a hacker and just adding some whitespace would allow me to go around the scans - I would totally do that.
I think that regex is (unfortunately) the only option in this case - I know that it's way more expensive, especially if you're parsing big files, but I don't know if there is an alternative (except maybe parsing the files with http://php.net/token_get_all - but I don't know which one would be faster/more reliable).
Nikola
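
The two detection approaches weighed in the message above, side by side, as an added example that is not part of the original post or the scanner's own code. The function names and the sample source are constructed for illustration; the sample is only scanned, never executed.

```php
<?php
// Regex approach: "eval", any amount of whitespace (newlines included), then "(".
// Returns the 1-based line numbers where a match starts.
function find_eval_regex(string $source): array {
    preg_match_all('/\beval\s*\(/i', $source, $m, PREG_OFFSET_CAPTURE);
    $lines = [];
    foreach ($m[0] as [$text, $offset]) {
        $lines[] = substr_count(substr($source, 0, $offset), "\n") + 1;
    }
    return $lines;
}

// Tokenizer approach: find T_EVAL tokens followed (after whitespace) by "(".
// Text inside string literals is a single string token, so it is not reported.
function find_eval_tokens(string $source): array {
    $tokens = token_get_all($source);
    $lines = [];
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok) || $tok[0] !== T_EVAL) {
            continue;
        }
        $j = $i + 1;
        while (isset($tokens[$j]) && is_array($tokens[$j])
               && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if (($tokens[$j] ?? null) === '(') {
            $lines[] = $tok[2]; // line number recorded by the tokenizer
        }
    }
    return $lines;
}

// Constructed sample file contents (nowdoc, so nothing is interpolated).
$sample = <<<'SAMPLE'
<?php
eval($a);
eval ($b);
eval
($c);
$note = 'the string eval ( is not a call';
SAMPLE;

echo 'regex:  ', implode(',', find_eval_regex($sample)), "\n";
echo 'tokens: ', implode(',', find_eval_tokens($sample)), "\n";
```

Both functions report the three real calls regardless of spacing; the regex additionally flags line 6, where the text only appears inside a string literal, which is the reliability difference between the two options.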