From Wikipedia, the free encyclopedia
Jump to: navigation, search
Developer(s) Mario Heiderich, Christian Matthies, Lars H. Strojny
Stable release
0.7[1] / August 26, 2011 (2011-08-26)
Development status Active
Written in PHP
Operating system Cross-platform
License LGPL

PHPIDS (PHP Intrusion Detection System) is an open source PHP Web Application Intrusion Detection System. It was written by Mario Heiderich, Christian Matthies, Lars H. Strojny and several others in March 2007. It was then ported into other frameworks later on,[2][3][4][5][6] and distributed under the LGPL License.


The main goal is to give every PHP programmer the ability of finding intrusion data coming from client to php web application. Speed up PHP application development by reducing the amount of time and money needed to spend on application security.


PHPIDS detects Cross-site scripting (XSS), SQL injection, header injection, Directory traversal, Remote File Execution, Local File Inclusion, Denial of Service (DoS). It is simple to use and well structured. It provides impact of every attack by analyzing any chosen input variables as POST, GET, SESSION, COOKIE.

Forks to other Software[edit]

PHPIDS module adds a security layer for Drupal [7]
Mute Screamer - is a WordPress plugin based on PHPIDS [8]
PHPIDS Extension for MediaWiki developed [9]
ZIDS - PHPIDS module developed to add extra security to Zend Framework Applications [10]
px_phpids - an extension developed for Typo3 based on PHPIDS [11]
dotnetids - a similar project as PHPIDS to secure ASP.NET Applications written in [12]

ModSecurity is a web application layer firewall uses the PHPIDS default filter rules in their packages.[13]


PHPIDS tries to apply several regular expressions to detect known bad. By doing so, it basically applies the blacklist approach, combined with efforts to detect unknown patterns by applying heuristics. Any blacklist approach can be criticised to fail detecting currently unknown bad, and this approach requires the administrator of any application to constantly update this library to stay current with new attack vectors.

Furthermore, using PHPIDS as the primary means of application security will lead developers into wrongly assume their product is safe, which might not be correct. Additionally, the output of a PHPIDS check is not a binary value, but rather some integer value of unclear significance, which has to be evaluated by the developer, and then apply appropriate steps in the context of the application. The positive side of this method is that the developer has to think about which level of attack value he thinks is appropriate, but on the other hand any single attack, even with low impact value, might help compromise the applications security.

A better approach would be to apply secure programming tactics independent of any IDS system and create a secure application. Adding PHPIDS on top of that might enable the application to detect malicious users, possibly tagging them as being evil, and alert the administrator or log any attacks detected for later review. These steps have to be added by the application developers themselves, as PHPIDS does not offer such features.

Detecting possible attacks via regular expressions has a slight performance penalty on the application.[14]

See also[edit]


External links[edit]