I am fuzzing a PHP web application for vulnerabilities and I want to get the source code coverage over a period of time (at certain time intervals) for a certain part of the programme (specific PHP files). For example, after 10 seconds 5% of that source code is touched, after 20 seconds 6%, etc. I have looked into PHPUnit and XDEBUG. I was able to generate a report with PHPUnit, but this only gives me information about how much source code was touched at the end. Does anyone know a tool that can periodically give me information on source code coverage of a PHP application, or how to use XDEBUG to extract this kind of information?
Related
I recently started web development. The course I took was to install WAMP and start developing right away. I used the Atom text editor; this, combined with WAMP, proved to be a very fast way to write client-side code (HTML, CSS, JavaScript).
But when I started to write serverside PHP things got a little messy. I should probably explain my site's structure here.
I keep separate PHP, CSS, JavaScript files for every page on the client side; for the server side I have 2 different types of PHP files:
Files that only perform a specific operation on the database (for example, returning "5 more answers"). These are always called by AJAX requests.
Files that load the page for the first time. These are only used when the user opens the page for the first time, they do necessary database queries and return the page. Later requests always go to the 1st type of PHP files.
Now regarding my problem. I debugged until now by printing variables to the screen with var_dump() or echoing. But this started to become too slow as the data I work with grew. I wonder if there is a way of debugging which will let me put a breakpoint in one of my PHP files. Then, when I open it in the browser, on the localhost I created using WAMP, it will let me go through the PHP file step by step.
I have been dealing with this issue for 3 days. I tried to make it work with Eclipse IDE but couldn't find a way. Also, there seem to be no tutorials or Q&A on the internet regarding the issue.
Breakpoint debugging opens a whole new world, and is the natural step after var_dump() debugging. Not only does it speed up development, but it provides much more information about your code, as you can step through each line and see what values have been set at each step, and how they evolve as your program executes its code. This means you can track the entirety of the values at different stages with one run - imagine tracking all variables at each point using var_dump()!
Although choosing an IDE is a personal decision based on personal taste, I strongly recommend you try out PhpStorm. If you can get a student licence, go for it.
PhpStorm has extensive documentation & tutorials on all features in the IDE, debugging is no exception:
https://www.jetbrains.com/help/phpstorm/configuring-xdebug.html
https://www.youtube.com/watch?v=GokeXqI93x8
I don't know of a specific solution to your issue. I'm not exactly sure what you're doing, but as a quick tip, I find adding the following snippet to the top of the file useful, as it will highlight errors more easily rather than the browser just saying nope.
error_reporting(E_ALL);
ini_set('display_errors', 'On');
Hope this helps you a bit.
I tried out what's recommended in comments and answers. I first tried Netbeans. To be fair, it disappointed me. The download kept getting stuck at 100%, even for different versions. When I stopped downloading and went ahead to create a PHP project, there were missing parts, I guess. I couldn't even manage to create a PHP project. But that might just be me not being able to do it.
Then I followed #leuquim's answer and #Alex Howansky's comment and downloaded PHPStorm. And I got it to work in no more than 20 minutes. I downloaded it with a student's licence. For people who want to use PHPStorm with WAMP here's a Youtube tutorial:
https://www.youtube.com/watch?v=CxX4vnZFbZU
One thing to note in the video is that the maker of the video chooses PHP Web Application in the Run Configurations. That has been changed to PHP Web Page.
When I run my PHPUnit tests, Xdebug generates a nice code coverage report which shows me exactly how many times each line of code was executed in each of my PHP files.
I want to get the same report for my web site under, say, a week of normal use, so that I can find lines of PHP on my site that might not be used any more. Rather than unit tests running my PHP code, it would be the web server, but I should be able to get the same report, right?
How do I set up Xdebug to collect data and generate a code coverage report on a live site?
I'll answer my own question. Xdebug provides a xdebug_start_code_coverage() call to start collecting code coverage information, and a xdebug_get_code_coverage() call to retrieve information about what code was covered. This is easily applicable to unit testing, because you're generally only concerned with what code was covered by the run of a sequence of tests in a controlled situation. (Turn on coverage, run the tests, then you've got the coverage results.) But for arbitrary hits on a web server application, you'd probably need to start code coverage in the preDispatch and then have the postDispatch write the stats to a database (or store them in some other way) so that later you could collate the results into a report. That's not handled by Xdebug.
Xdebug can collect profiling information in cachegrind format, so I'll see if I can use that to help find what code hasn't been called.
I am trying to make an online gcc compiler which can be accessed by the browser. For all this I have used PHP and Cygwin on Windows XP. Actually I am giving the code window on the browser to the user.
The general process is as:
$source write in .c file
.c file compile by gcc compiler and .exe file created
the output of .exe file is shown to the user.
It's supposed that there is no read function in the C program; for testing I am using only a single printf statement.
The problem is:
If there are about 30 simultaneous requests, meaning 30 users compile the program at the same point in time, then it will produce output in about 15 seconds, which is too long.
Can someone please help me to reduce this time? All suggestions are welcome.
Can I just read the output of the C program without making a .exe file?
A starting point could be exploring distributed build systems.
On Windows, a (non-free) solution I have known is Incredibuild. We used it for one of our projects around 8 years ago, and it reduced clean and build time from 25 minutes to around 5 minutes. There is a review of it here.
Right now, as I just searched for other alternatives and non-Windows solutions, I have also found distcc.
There is also a discussion (seemingly old) here about alternatives to Incredibuild.
If the C source code is almost the same for each compilation request, you can use a compiler-cache-enabled build system, e.g. waf and cmake. They can utilize the copy of the previous build to speed up the compilation.
I'm using Aptana Studio 3 with several big PHP projects (10.000+ files) and it suffers from very slow indexing of PHP files.... which takes 10-20 minutes to complete and starts every time at the startup of Aptana, and also sometimes at random moments, for example when synchronizing with SVN...
In the progress view I get multiple 'Indexing new PHP Modules' items.
All the time it is doing this Aptana is unusably slow. I don't get why this indexing starts over and over again on files that aren't new at all!
I already turned off automatic refreshes and automatic build. If I exclude 'PHP' from the 'Project Natures' in the properties of the projects, the indexing stops, but then I don't have code completion in PHP files.
I cleaned all projects, created a new workspace, etc. and nothing helps... This happens on multiple pc's (Windows) so I guess more people get this behaviour.
Any possible solutions?
UPDATE
I added the folder of my workspace to the 'ignore'-folders of my virus scanner (Microsoft Security Essentials). At first this seemed to work, but then the indexing started again...
Seems like you did the right steps to try and resolve it, and it also seems we should have a ticket for that, so I created one at https://jira.appcelerator.org/browse/APSTUD-4500 (please add yourself as a 'watcher').
One more thing to try is to break down a big project into a few smaller ones (whenever possible, of course). The indexer creates a binary index file for each project, and this file size is proportional to amount of classes, functions, variables and constants you have in your project. In case, for some reason (e.g. a bug) this file gets corrupted, a re-index will happen, so having multiple smaller projects may help with that. Again... just an idea.
I came across this thread on SO which talks about PHP code coverage tools - Code Coverage tools for PHP
I have never worked on PHP and have been writing Selenium UI tests using Java against an application which has been written in PHP.
While going through the thread I mentioned above I felt (I might be wrong) that those PHP code coverage tools are to be used when there are unit tests written in PHP Unit and one wants to find how well Unit tests cover the application.
I am looking for a solution where I execute my Selenium tests, which are written in Java, and there would be some hook in the PHP application code base which gives some sort of report about which application code was executed and which was not.
Is it possible to do this?
Just add an auto-prepend script which calls xdebug_start_code_coverage() and registers a shutdown function which logs the output of xdebug_get_code_coverage()
Then analyse your data later.
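The auto-prepend approach from this answer, combined with the per-request logging described in the earlier self-answer, could look like the following. This is an added example, not code from any of the posters; the file name, log path, target directory and both helper functions are assumptions. It also goes one step further and replays the log into cumulative coverage per time interval, which is what the fuzzing question at the top asks for.

```php
<?php
// coverage_prepend.php (hypothetical name). Enable in php.ini with
//   auto_prepend_file = /path/to/coverage_prepend.php   (Xdebug 3: xdebug.mode = coverage)
const COVERAGE_LOG = '/tmp/coverage.jsonl';  // assumed log location, outside the web root
const TARGET_DIR   = '/var/www/app/';        // assumed directory of the PHP files of interest

// Reduce Xdebug's [file => [line => status]] map to the target files.
// Status: 1 = executed, -1 = executable but not run, -2 = dead code.
function summarize_coverage(array $raw, string $prefix): array {
    $out = [];
    foreach ($raw as $file => $lines) {
        if (strncmp($file, $prefix, strlen($prefix)) !== 0) continue;
        $live = array_filter($lines, fn($s) => $s !== -2);
        $out[$file] = ['hit'   => array_keys(array_filter($live, fn($s) => $s > 0)),
                       'total' => count($live)];
    }
    return $out;
}

// Replay logged records and return cumulative coverage (%) per time bucket.
function coverage_timeline(array $jsonLines, int $bucketSeconds): array {
    $hit = []; $total = []; $timeline = []; $start = null;
    foreach ($jsonLines as $line) {
        $rec = json_decode($line, true);
        if (!isset($rec['t'], $rec['files'])) continue;   // skip torn or partial lines
        $start ??= $rec['t'];
        foreach ($rec['files'] as $file => $f) {
            $hit[$file]   = ($hit[$file] ?? []) + array_flip($f['hit']);  // union of line numbers
            $total[$file] = max($total[$file] ?? 0, $f['total']);
        }
        $bucket = (intdiv((int)($rec['t'] - $start), $bucketSeconds) + 1) * $bucketSeconds;
        $pct = 100 * array_sum(array_map('count', $hit)) / max(1, array_sum($total));
        $timeline[$bucket] = round($pct, 1);              // last record in a bucket wins
    }
    return $timeline;
}

if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    // Run directly (php coverage_prepend.php): demo on constructed records.
    $demo = ['{"t":100.0,"files":{"/var/www/app/a.php":{"hit":[1,2],"total":10}}}',
             '{"t":104.0,"files":{"/var/www/app/a.php":{"hit":[2,3],"total":10}}}',
             '{"t":112.0,"files":{"/var/www/app/b.php":{"hit":[5],"total":10}}}'];
    print_r(coverage_timeline($demo, 10));
} elseif (function_exists('xdebug_start_code_coverage')) {
    xdebug_start_code_coverage(XDEBUG_CC_UNUSED | XDEBUG_CC_DEAD_CODE);
    register_shutdown_function(function () {
        $rec = ['t' => microtime(true),
                'files' => summarize_coverage(xdebug_get_code_coverage(), TARGET_DIR)];
        file_put_contents(COVERAGE_LOG, json_encode($rec) . "\n", FILE_APPEND | LOCK_EX);
    });
}
```

Files that no request has loaded never appear in the log, so the denominator grows as new files are reached and the percentage can drop between buckets; seed the totals from a fixed file list if a constant denominator is needed. Feed the real log to the timeline with `coverage_timeline(file(COVERAGE_LOG), 10)`.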