Packaging Instructions for PHP

Compilation Guide

See the master compilation guidelines for instructions for other platforms.

Supported PHP Versions

Language | Supported Versions
PHP | 5.2–7.3

Supported PHP Frameworks

Framework | Versions
Zend | 1, 2, 3

Packaging Guidance

Upload a compressed ZIP archive containing all PHP code and required dependencies to the Veracode Platform. Do not attempt to upload individual PHP files.

Veracode precompiles all PHP code uploaded to the Veracode Platform prior to analysis. The submitted PHP code must be able to compile. Otherwise, the prescan returns a compilation error.

Note: Submitting third-party libraries for unsupported PHP frameworks may result in additional findings and longer analysis times.

The PHP compiler only attempts to compile files ending in the following extensions:

  • .php
  • .module
  • .inc
  • .html
  • .htm
  • .profile
  • .install
  • .engine
  • .theme
  • .php4
  • .php5
  • .php7
  • .phtml
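
A pre-upload check for the guidance above, as an added example that is not part of Veracode's documentation or tooling: it selects the files with the listed extensions, syntax-checks them with a local `php -l`, and zips the whole tree. The function names, the case-insensitive extension match, and the use of a local PHP interpreter as a stand-in for the precompile step are assumptions.

```python
import shutil
import subprocess
import zipfile
from pathlib import Path

# Extensions the page lists as the only ones the PHP compiler attempts to compile.
COMPILED_EXTENSIONS = {".php", ".module", ".inc", ".html", ".htm", ".profile",
                       ".install", ".engine", ".theme", ".php4", ".php5",
                       ".php7", ".phtml"}

def compiled_files(root):
    """Return files under root whose extension is on the compiled list."""
    root = Path(root)
    # Assumption: the match is case-insensitive; the page does not say either way.
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in COMPILED_EXTENSIONS)

def lint(files, php="php"):
    """Run `php -l` (syntax check only) on each file; return {path: message} for failures."""
    if shutil.which(php) is None:
        raise RuntimeError(f"{php} not found; cannot syntax-check before upload")
    failures = {}
    for f in files:
        r = subprocess.run([php, "-l", str(f)], capture_output=True, text=True)
        if r.returncode != 0:
            failures[f] = (r.stdout + r.stderr).strip()
    return failures

def build_archive(root, out_zip, check=True):
    """Lint the compilable files, then zip the whole tree (code plus dependencies)."""
    root = Path(root)
    if check:
        failures = lint(compiled_files(root))
        if failures:
            raise ValueError(f"{len(failures)} file(s) fail php -l: "
                             + ", ".join(str(f) for f in failures))
    out_zip = Path(out_zip).resolve()
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(root.rglob("*")):
            # Skip the archive itself if it is being written inside the tree.
            if p.is_file() and p.resolve() != out_zip:
                zf.write(p, p.relative_to(root).as_posix())
    return out_zip
```

A local `php -l` pass only approximates the precompile step, since the local interpreter version may differ from the one used during prescan.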

Analysis Limitations

Veracode's PHP analysis does not interpret PHP configuration settings in PHP.INI, build options passed to PHP's configure script, ini_set, assert, or HTTP server-specific configuration (options that are passed to PHP at runtime or specified in server configuration files). Veracode's analysis makes the following assumptions:

  • All applications are web applications; stdout goes to an HTTP client
  • register_globals is set to OFF
  • register_argc_argv, always_populate_raw_post_data, and register_long_arrays are ON
  • All magic_quotes config options are OFF