Auditing Legacy PHP Systems: What I Find Every Time
After reviewing dozens of old PHP codebases — SQL injection, no error handling, deprecated functions. Here's a checklist and how to fix it.
Auditing Legacy PHP Systems
Every legacy PHP audit is different. But after reviewing dozens of systems built between 2008 and 2018, the same problems appear every time.
The Usual Suspects
1. SQL Injection
// Still see this in 2025
$sql = "SELECT * FROM users WHERE id=" . $_GET['id'];
mysql_query($sql);
Fix: PDO with prepared statements. Period.
2. Deprecated Functions
mysql_query(), ereg(), split() — removed in PHP 7. If it still runs, it's on PHP 5.6 with no security updates since 2018.
3. No Error Handling
Fatal errors expose stack traces with file paths and database credentials to users. display_errors = On in production is a free gift to attackers.
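The following is an added example, not code from the original post: the vulnerable query from point 1 beside its PDO replacement, combined with the error-handling setup from point 3 so that a database failure is logged on the server instead of being rendered to the user. It assumes PHP 8, a MySQL database named app with a users table, and credentials in the DB_USER and DB_PASS environment variables; all of these are assumptions, not details from the post.

```php
<?php
// Added example (not from the original post). Assumes PHP 8, a MySQL database
// "app" with a "users" table, and DB_USER / DB_PASS environment variables.
declare(strict_types=1);

// 1. Production error handling: never show raw errors, always log them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

set_exception_handler(function (Throwable $e): void {
    // Full detail (class, message, file, line) goes to the server log only.
    error_log(sprintf('[%s] %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.'; // generic message for the client
});

// 2. Connect with exceptions enabled and native (server-side) prepares.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    getenv('DB_USER') ?: 'app',
    getenv('DB_PASS') ?: '',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// BEFORE (as in the post): the request value becomes part of the SQL text.
//   $sql = "SELECT * FROM users WHERE id=" . $_GET['id'];
//   mysql_query($sql);

// AFTER: validate the type, then bind the value as data, never as SQL.
function findUserById(PDO $pdo, mixed $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not a positive integer: reject before touching the database
    }
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

$user = findUserById($pdo, $_GET['id'] ?? '');
header('Content-Type: application/json');
echo json_encode($user ?? ['error' => 'not found']);
```

Turning emulated prepares off matters on old MySQL drivers: with emulation on, PDO interpolates the values client-side and the server never sees a real parameterised statement. ERRMODE_EXCEPTION is what makes the exception handler above reach every failed query; the default silent mode would let a broken query return false and continue.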
4. Direct File Includes
include("../../../config.php");
include($_GET['page'] . ".php"); // path traversal
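The following is an added example, not code from the original post: the same page-dispatch pattern rewritten so the request value is only a lookup key into a fixed map and never becomes part of a path, with a realpath check as a second line of defence. The ./pages/ directory and the page names are assumptions for illustration.

```php
<?php
// Added example (not from the original post). Assumes page templates live in
// ./pages/ next to this file; the page names below are placeholders.
declare(strict_types=1);

// Anchor configuration includes on __DIR__ instead of a relative "../../.."
// chain, which silently breaks (or resolves elsewhere) when the cwd changes.
// require __DIR__ . '/../config/config.php';   // config kept outside the web root

const PAGES_DIR = __DIR__ . '/pages';

// Allowlist: the request value selects an entry, it never builds the path.
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage(string $requested): ?string
{
    if (!isset(PAGE_MAP[$requested])) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGE_MAP[$requested]);
    // Defence in depth: even a mistaken map entry must resolve inside PAGES_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolvePage($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

The allowlist alone closes the traversal; the realpath comparison is there so that a future edit to PAGE_MAP (or a symlink inside pages/) cannot quietly widen what the dispatcher will include.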
5. Passwords in MD5
MD5 is not a password hash. It's a checksum. Use password_hash() / password_verify().
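The following is an added example, not code from the original post: a login routine using password_hash() / password_verify() that also migrates legacy MD5 rows in place, so the old digests disappear one successful login at a time instead of requiring a forced reset. The schema users(id, username, password_hash) and the assumption that legacy rows hold a 32-character hex MD5 digest are illustrative assumptions.

```php
<?php
// Added example (not from the original post). Assumes a table
// users(id, username, password_hash) where legacy rows still hold an MD5 hex digest.
declare(strict_types=1);

function isLegacyMd5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

function hashPassword(string $plain): string
{
    // PASSWORD_DEFAULT is bcrypt today and may move to a stronger algorithm
    // in later PHP releases; password_needs_rehash() handles that transition.
    return password_hash($plain, PASSWORD_DEFAULT);
}

/**
 * Returns true on success. A correct password against a legacy MD5 row is
 * re-hashed immediately, so the MD5 value is gone after the first login.
 */
function loginUser(PDO $pdo, string $username, string $plain): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        static $dummy = null;
        $dummy ??= hashPassword('dummy');
        password_verify($plain, $dummy); // equalise timing for unknown usernames
        return false;
    }

    $stored = $row['password_hash'];
    if (isLegacyMd5($stored)) {
        if (!hash_equals(strtolower($stored), md5($plain))) {
            return false;
        }
        $upgrade = true; // correct password on a legacy row: upgrade now
    } else {
        if (!password_verify($plain, $stored)) {
            return false;
        }
        $upgrade = password_needs_rehash($stored, PASSWORD_DEFAULT);
    }

    if ($upgrade) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => hashPassword($plain), ':id' => $row['id']]);
    }
    return true;
}
```

The password_hash column needs to be at least 255 characters wide; legacy schemas sized for a 32-character MD5 value will truncate bcrypt output and break every login after migration. Accounts that never log in again keep their MD5 digest, so the migration should be paired with a deadline after which remaining legacy rows are reset.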
My Audit Checklist
- grep for mysql_query, $_GET, $_POST concatenated into SQL
- Check PHP version: php -v
- Search for md5(, sha1( near password logic
- display_errors in php.ini
- Directory traversal via include/require
- Missing CSRF tokens on forms
- File upload validation
After the audit comes a written report with priorities: critical (fix now), high (fix this month), medium (fix in roadmap).
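The following is an added example, not a tool from the original post: a small PHP CLI that mechanises the grep steps of the checklist above and sorts its hits into the report's critical / high / medium buckets. It flags patterns, not proven vulnerabilities; every hit still needs a human read. The regexes and the sample input it scans when given no path are constructed for illustration.

```php
<?php
// Added example (not from the original post): pattern-based triage for the
// checklist. Usage: php audit.php /path/to/legacy/app
// With no argument it scans the constructed sample at the bottom of this file.
declare(strict_types=1);

const CHECKS = [
    // name => [regex applied per line, severity bucket]
    'mysql_* call (extension removed in PHP 7)'  => ['/\bmysql_[a-z_]+\s*\(/i', 'critical'],
    'ereg/split (removed in PHP 7)'              => ['/\b(ereg|eregi|split|spliti)\s*\(/', 'high'],
    'superglobal concatenated into SQL'          => ['/\b(SELECT|INSERT|UPDATE|DELETE)\b[^;]*\.\s*\$_(GET|POST|REQUEST|COOKIE)\b/i', 'critical'],
    'md5/sha1 near password logic'               => ['/\b(md5|sha1)\s*\([^)]*(pass|pwd)/i', 'high'],
    'include/require built from request data'    => ['/\b(include|require)(_once)?\s*\(?[^;]*\$_(GET|POST|REQUEST|COOKIE)/i', 'critical'],
    'display_errors enabled in code'             => ['/ini_set\s*\(\s*[\'"]display_errors[\'"]\s*,\s*[\'"]?(1|on)[\'"]?\s*\)/i', 'medium'],
    'file upload: verify validation by hand'     => ['/\bmove_uploaded_file\s*\(/', 'medium'],
];

function scanSource(string $code, string $file): array
{
    $findings = [];
    foreach (explode("\n", $code) as $i => $line) {
        foreach (CHECKS as $name => [$regex, $severity]) {
            if (preg_match($regex, $line) === 1) {
                $findings[] = [
                    'file' => $file, 'line' => $i + 1, 'check' => $name,
                    'severity' => $severity, 'code' => trim($line),
                ];
            }
        }
    }
    return $findings;
}

function scanDirectory(string $dir): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if ($f->isFile() && strtolower($f->getExtension()) === 'php') {
            $src = (string) file_get_contents($f->getPathname());
            $findings = array_merge($findings, scanSource($src, $f->getPathname()));
        }
    }
    return $findings;
}

function report(array $findings): void
{
    // The "php -v" step: this checks the interpreter running the scanner, which
    // may differ from the one serving the app. Adjust the threshold to the
    // current php.net support table.
    if (version_compare(PHP_VERSION, '8.1.0', '<')) {
        echo 'WARNING: running on PHP ' . PHP_VERSION . ", verify the target's php -v separately\n";
    }
    $order = ['critical' => 0, 'high' => 1, 'medium' => 2];
    usort($findings, fn ($a, $b) => $order[$a['severity']] <=> $order[$b['severity']]);
    foreach ($findings as $f) {
        printf("[%-8s] %s:%d  %s\n    %s\n",
            strtoupper($f['severity']), $f['file'], $f['line'], $f['check'], $f['code']);
    }
    printf("%d finding(s)\n", count($findings));
}

// Constructed sample input (not code from any real audit).
$sample = <<<'PHP'
<?php
$sql = "SELECT * FROM users WHERE id=" . $_GET['id'];
mysql_query($sql);
include($_GET['page'] . ".php");
$hash = md5($password);
ini_set('display_errors', 1);
PHP;

$target = $argv[1] ?? null;
report($target === null ? scanSource($sample, '<sample>') : scanDirectory($target));
```

CSRF tokens are missing from the regex list on purpose: their absence cannot be detected by a pattern, only by reading each form handler and checking what it verifies. The same goes for the upload check, which is why that entry is marked for manual review rather than claiming a finding.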