Pixy, an XSS and SQL-Injection Scanner for PHP

LWN mentioned Pixy, an XSS and SQL-injection scanner for PHP, which looks quite interesting.

From a quick overview of the project page, it seems that it uses data-flow analysis to flag potentially insecure sections where externally supplied variables are used without care, that is, without prior validation or sanitization.
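To make the data-flow idea concrete, here is a small taint-propagation sketch in Python. It is an added illustration, not Pixy's code or its algorithm: the source/sanitizer/sink tables, the statement-by-statement propagation rules and the sample PHP statements are all constructed for this post.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed, deliberately small model of what a taint analysis tracks.
SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}   # request data is fully tainted
SANITIZERS = {"htmlspecialchars": "xss", "mysql_real_escape_string": "sqli", "intval": "any"}
SINKS = {"echo": "xss", "mysql_query": "sqli"}           # sink -> taint class it is sensitive to
Finding = Tuple[int, str, str]                           # (statement number, sink, argument)

def _taint_of(expr: str, env: Dict[str, Set[str]]) -> Set[str]:
    """Taint read by an expression, minus what an enclosing sanitizer call clears."""
    taint: Set[str] = set()
    for var in re.findall(r"\$[A-Za-z_]\w*", expr):     # concatenation/literals pass taint through
        taint |= {"xss", "sqli"} if var in SOURCES else env.get(var, set())
    call = re.match(r"\s*(\w+)\s*\((.*)\)\s*$", expr)
    if call and call.group(1) in SANITIZERS:
        cls = SANITIZERS[call.group(1)]
        taint = set() if cls == "any" else taint - {cls}
    return taint

def analyze(stmts: List[str]) -> List[Finding]:
    """Propagate taint through assignments; report sinks whose argument is still tainted."""
    env: Dict[str, Set[str]] = {}
    findings: List[Finding] = []
    for num, raw in enumerate(stmts, 1):
        stmt = raw.strip().rstrip(";")
        assign = re.match(r"(\$\w+)\s*=\s*(.+)$", stmt)
        if assign:
            env[assign.group(1)] = _taint_of(assign.group(2), env)
            continue
        call = re.match(r"(\w+)\s*(.*)$", stmt)
        if call and call.group(1) in SINKS:
            arg = call.group(2).strip()
            if arg.startswith("(") and arg.endswith(")"):
                arg = arg[1:-1]
            if SINKS[call.group(1)] in _taint_of(arg, env):
                findings.append((num, call.group(1), arg))
    return findings

SAMPLE = [  # constructed sample program, one statement per entry
    "$name = $_GET['name'];",
    "$id = intval($_GET['id']);",
    "$safe = htmlspecialchars($name);",
    "echo $safe;",                                              # clean: HTML-escaped
    "echo $name;",                                              # XSS: raw request data reaches output
    "$q = \"SELECT * FROM users WHERE name='\" . $safe . \"'\";",
    "mysql_query($q);",                                         # SQLi: HTML escaping is not SQL escaping
    "$q2 = \"SELECT * FROM users WHERE id=\" . $id;",
    "mysql_query($q2);",                                        # clean: intval() yields an integer
]
```

Running `analyze(SAMPLE)` reports statements 5 and 7 only; the point a real scanner has to get right is that a sanitizer is only valid for the sink class it targets, which is why the HTML-escaped `$safe` is still flagged when it reaches the SQL sink.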

I didn’t really test it, though, and therefore don’t know about false positives and so on. But it is certainly worth a closer look. Unfortunately I currently don’t have time, but who knows, maybe someday when PHP5 is supported it will become handy.

Marc