Safeguard
Tag

php

Safeguard articles tagged "php" — guides, analysis, and best practices for software supply chain and application security.

14 articles

Application Security

A hardening checklist for modern Drupal deployments

Drupal 7's 2025 end-of-life left unsupported sites exposed; here's a concrete checklist for module vetting, access control, and patch cadence on Drupal 10/11.

Jul 11, 20266 min read
Vulnerability Analysis

PHP-CGI Argument Injection RCE on Windows (CVE-2024-4577) Explained

CVE-2024-4577 revived a decade-old PHP-CGI flaw through a Windows Unicode 'best-fit' quirk, yielding unauthenticated RCE. Here's the mechanism and the patched versions.

Jul 8, 20265 min read
Application Security

PHPStan vs. Psalm: setting up PHP static analysis to catch security bugs pre-commit

Psalm ships free taint analysis out of the box; PHPStan doesn't track data flow at all without extensions. Here's how to wire either one into pre-commit.

Jul 8, 20266 min read
Vulnerability Management

What PHP's use-after-free bugs teach us about dynamic-runtime memory safety

Check Point disclosed three PHP 7 unserialize zero-days in 2016 alone. A decade of PHP use-after-free CVEs shows memory-safety risk doesn't end at the C/C++ boundary.

Jul 8, 20266 min read
Container Security

Building a minimal, multi-stage, non-root Dockerfile for PHP

The official php:fpm image still runs its master process as root — a documented, still-open issue. Here's how to build a PHP Dockerfile that doesn't.

Jul 8, 20267 min read
Security Guides

Auditing PHP Dependencies with composer audit

Composer ships a native security auditor. Learn to run composer audit against your composer.lock, catch abandoned packages, and extend it with continuous SCA.

Jul 5, 20265 min read
Buyer's Guides

PHP Code Review Tools: An Honest 2026 Buyer's Guide

A balanced 2026 comparison of PHP code review and static-analysis tools — PHPStan, Psalm, PHP_CodeSniffer, progpilot, Semgrep, SonarQube — with honest tradeoffs and where Safeguard fits.

Jul 5, 20266 min read
Vulnerability Analysis

Drupalgeddon2 (CVE-2018-7600) Explained: Drupal's Form API RCE

CVE-2018-7600, known as Drupalgeddon2, is a CVSS 9.8 unauthenticated remote code execution flaw in Drupal core's Form API. Here is how the renderable-array bug works and which versions to run.

Jul 3, 20266 min read
Supply Chain Attacks

Composer/PHP Supply Chain Threats: 2025 Report

A senior engineer's 2025 report on Composer and Packagist supply chain threats: namespace abuse, abandoned maintainers, plugin hooks, and the attacks that actually landed on PHP shops.

Apr 2, 20268 min read
Open Source Security

Composer/PHP Package Supply Chain in 2026

PHP's Composer and Packagist ecosystem has quietly improved its supply chain story. Here is where things actually stand in 2026, and what PHP shops should do now.

Mar 5, 20268 min read
Vulnerability Analysis

CVE-2024-4577 PHP CGI Argument Injection Explained

CVE-2024-4577 is a CVSS 9.8 argument injection in PHP-CGI on Windows that bypasses CVE-2012-1823's fix. Root cause, exploitation, and remediation.

Feb 23, 20268 min read
Engineering

PHP Composer Security: Lockfiles, Packagist and Abandoned Packages

composer.lock is your integrity anchor, Packagist is a single point of trust, and roughly one in ten packages you depend on is quietly unmaintained. A field guide.

Apr 18, 20246 min read
php — Safeguard Blog