
PHP trojan horses

Developer https://www.devze.com 2023-03-13 04:11 Source: Internet
When I download a big PHP class or library, what can I search for in the code to detect possible trojan horses?

In the past when I programmed in classic ASP, it was almost enough to search for "createobject" and read the code around it. But PHP has lots of features and risks (in this sense), so can you give me a list of strings to check? (Or another, better method?) For example "eval", "fopen", etc.

Thanks


There are as many ways to compromise a system as there are ideas in a coder's head. Some are malicious, and some are simply unintentional.

Your best hope for maintaining a secure system is to use code only from trustworthy sources.


You really cannot screen them. You need to be able to trust the software source, and verify its usefulness and quality with other developers and users.

As much as you are able, depend on libraries that are provided by large development communities, either as open source projects, or otherwise. Libraries conforming to strict coding standards like those in PEAR are likely to be a safer bet than one you find on a solitary website by a solitary developer with whom you cannot communicate easily.

Addendum: Basically, my advice is to follow the PHP community in sorting out the good scripts from the bad. Some may have a distrust of PEAR, but by and large the community has placed its trust there. Be wary, however, of sources you may encounter with names like mysuperphpscriptsfordownload.com, where the community has yet to vet quality and trustworthiness.


You can't just search for a function name in the source, because there are so many ways to obfuscate it.

Example:

$f = 'fo';   //> somewhere
$f .= 'pen'; //> somewhere else

$f('hi', 'r'); //> variable function call: this is fopen('hi', 'r'), yet a search for "fopen" finds nothing

Don't inject code whose source you cannot clearly understand, or that comes from untrusted sources.

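As an added example (not part of the answers above), here is a small scanner built on PHP's own tokenizer rather than a text search. It catches the concatenated call from the previous answer because the call site is a variable function call, and it also flags eval and an assumed watchlist of functions worth a closer look; the watchlist and the sample input are my assumptions.

```php
<?php
// Added example, not from the original answers. Assumed watchlist of functions
// worth a closer look; tune it for your own code base.
const WATCHLIST = ['fopen', 'system', 'exec', 'shell_exec', 'passthru', 'popen',
    'proc_open', 'assert', 'create_function', 'call_user_func',
    'call_user_func_array', 'base64_decode', 'gzinflate', 'str_rot13'];

// Scans PHP source with the real tokenizer, so 'fopen' hidden behind string
// concatenation is still caught: the call site is a variable function call.
function scanPhpSource(string $code): array
{
    $findings = [];
    $tokens = token_get_all($code);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        // Find the next token that is not whitespace or a comment.
        $next = null;
        for ($j = $i + 1; $j < $n; $j++) {
            $t = $tokens[$j];
            if (!is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT], true)) {
                $next = $t;
                break;
            }
        }
        $callFollows = ($next === '(');
        if (is_array($tok)) {
            [$id, $text, $line] = $tok;
            if ($id === T_EVAL) {
                $findings[] = "line $line: eval";
            } elseif ($id === T_STRING && $callFollows
                      && in_array(strtolower($text), WATCHLIST, true)) {
                // strtolower: function names are case-insensitive, FoPen() is fopen().
                $findings[] = "line $line: call to $text()";
            } elseif ($id === T_VARIABLE && $callFollows) {
                // $f(...): the callee is decided at run time, so grep never sees it.
                $findings[] = "line $line: variable function call $text()";
            }
        }
    }
    return $findings;
}

// Constructed sample: the obfuscated call from the answer above, plus an eval.
$sample = '<?php $f = "fo"; $f .= "pen"; $f("hi", "r"); eval($x);';
print_r(scanPhpSource($sample));
```

This is a triage aid, not a proof of safety: dynamic method calls ($obj->$m()), names passed through include'd files, and code decoded at run time are not covered, and every finding still needs a human to read the surrounding code.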
