php
Safeguard articles tagged "php" — guides, analysis, and best practices for software supply chain and application security.
14 articles
A hardening checklist for modern Drupal deployments
Drupal 7's 2025 end-of-life left unsupported sites exposed; here's a concrete checklist for module vetting, access control, and patch cadence on Drupal 10/11.
PHP-CGI Argument Injection RCE on Windows (CVE-2024-4577) Explained
CVE-2024-4577 revived a decade-old PHP-CGI flaw through a Windows Unicode 'best-fit' quirk, yielding unauthenticated RCE. Here's the mechanism and the patched versions.
PHPStan vs. Psalm: setting up PHP static analysis to catch security bugs pre-commit
Psalm ships free taint analysis out of the box; PHPStan doesn't track data flow at all without extensions. Here's how to wire either one into pre-commit.
What PHP's use-after-free bugs teach us about dynamic-runtime memory safety
Check Point disclosed three PHP 7 unserialize zero-days in 2016 alone. A decade of PHP use-after-free CVEs shows memory-safety risk doesn't end at the C/C++ boundary.
Building a minimal, multi-stage, non-root Dockerfile for PHP
The official php:fpm image still runs its master process as root — a documented, still-open issue. Here's how to build a PHP Dockerfile that doesn't.
Auditing PHP Dependencies with composer audit
Composer ships a native security auditor. Learn to run composer audit against your composer.lock, catch abandoned packages, and extend it with continuous SCA.
PHP Code Review Tools: An Honest 2026 Buyer's Guide
A balanced 2026 comparison of PHP code review and static-analysis tools — PHPStan, Psalm, PHP_CodeSniffer, progpilot, Semgrep, SonarQube — with honest tradeoffs and where Safeguard fits.
Drupalgeddon2 (CVE-2018-7600) Explained: Drupal's Form API RCE
CVE-2018-7600, known as Drupalgeddon2, is a CVSS 9.8 unauthenticated remote code execution flaw in Drupal core's Form API. Here is how the renderable-array bug works and which versions to run.
Composer/PHP Supply Chain Threats: 2025 Report
A senior engineer's 2025 report on Composer and Packagist supply chain threats: namespace abuse, abandoned maintainers, plugin hooks, and the attacks that actually landed on PHP shops.
Composer/PHP Package Supply Chain in 2026
PHP's Composer and Packagist ecosystem has quietly improved its supply chain story. Here is where things actually stand in 2026, and what PHP shops should do now.
CVE-2024-4577 PHP CGI Argument Injection Explained
CVE-2024-4577 is a CVSS 9.8 argument injection in PHP-CGI on Windows that bypasses CVE-2012-1823's fix. Root cause, exploitation, and remediation.
PHP Composer Security: Lockfiles, Packagist and Abandoned Packages
composer.lock is your integrity anchor, Packagist is a single point of trust, and roughly one in ten packages you depend on is quietly unmaintained. A field guide.