{"id":"https://openalex.org/W2093213895","doi":"https://doi.org/10.1145/2771783.2771787","title":"Experience report: an empirical study of PHP security mechanism usage","display_name":"Experience report: an empirical study of PHP security mechanism usage","publication_year":2015,"publication_date":"2015-07-10","ids":{"openalex":"https://openalex.org/W2093213895","doi":"https://doi.org/10.1145/2771783.2771787","mag":"2093213895"},"language":"en","primary_location":{"id":"doi:10.1145/2771783.2771787","is_oa":false,"landing_page_url":"https://doi.org/10.1145/2771783.2771787","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2015 International Symposium on Software Testing and Analysis","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5027679966","display_name":"Johannes Dahse","orcid":null},"institutions":[{"id":"https://openalex.org/I904495901","display_name":"Ruhr University Bochum","ror":"https://ror.org/04tsk2644","country_code":"DE","type":"education","lineage":["https://openalex.org/I904495901"]}],"countries":["DE"],"is_corresponding":true,"raw_author_name":"Johannes Dahse","raw_affiliation_strings":["Ruhr University Bochum, Germany","Ruhr University, Bochum, #N#Germany"],"affiliations":[{"raw_affiliation_string":"Ruhr University Bochum, Germany","institution_ids":["https://openalex.org/I904495901"]},{"raw_affiliation_string":"Ruhr University, Bochum, #N#Germany","institution_ids":["https://openalex.org/I904495901"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5056790702","display_name":"Thorsten Holz","orcid":"https://orcid.org/0000-0002-2783-1264"},"institutions":[{"id":"https://openalex.org/I904495901","display_name":"Ruhr University Bochum","ror":"https://ror.org/04tsk2644","country_code":"DE","type":"education","lineage":["https://openalex.org/I904495901"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Thorsten Holz","raw_affiliation_strings":["Ruhr University Bochum, Germany","Ruhr University, Bochum, #N#Germany"],"affiliations":[{"raw_affiliation_string":"Ruhr University Bochum, Germany","institution_ids":["https://openalex.org/I904495901"]},{"raw_affiliation_string":"Ruhr University, Bochum, #N#Germany","institution_ids":["https://openalex.org/I904495901"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5027679966"],"corresponding_institution_ids":["https://openalex.org/I904495901"],"apc_list":null,"apc_paid":null,"fwci":0.7946,"has_fulltext":false,"cited_by_count":6,"citation_normalized_percentile":{"value":0.80945274,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":90,"max":97},"biblio":{"volume":null,"issue":null,"first_page":"60","last_page":"70"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.988099992275238,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9751999974250793,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8271911144256592},{"id":"https://openalex.org/keywords/cross-site-scripting","display_name":"Cross-site scripting","score":0.6679263114929199},{"id":"https://openalex.org/keywords/web-application-security","display_name":"Web application security","score":0.6298428773880005},{"id":"https://openalex.org/keywords/markup-language","display_name":"Markup language","score":0.5574439764022827},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5417308211326599},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.5302343368530273},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.5218355059623718},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.4909070134162903},{"id":"https://openalex.org/keywords/scripting-language","display_name":"Scripting language","score":0.4744606614112854},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.4432179629802704},{"id":"https://openalex.org/keywords/security-through-obscurity","display_name":"Security through obscurity","score":0.41977500915527344},{"id":"https://openalex.org/keywords/web-development","display_name":"Web development","score":0.3072725534439087},{"id":"https://openalex.org/keywords/web-service","display_name":"Web service","score":0.3048209846019745},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.3021619915962219},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.2680921256542206},{"id":"https://openalex.org/keywords/cloud-computing-security","display_name":"Cloud computing security","score":0.2557005286216736},{"id":"https://openalex.org/keywords/security-service","display_name":"Security service","score":0.241620272397995},{"id":"https://openalex.org/keywords/security-information-and-event-management","display_name":"Security information and event management","score":0.22803309559822083},{"id":"https://openalex.org/keywords/xml","display_name":"XML","score":0.17517122626304626},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.09798261523246765},{"id":"https://openalex.org/keywords/cloud-computing","display_name":"Cloud computing","score":0.07929646968841553}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8271911144256592},{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.6679263114929199},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.6298428773880005},{"id":"https://openalex.org/C45874996","wikidata":"https://www.wikidata.org/wiki/Q37045","display_name":"Markup language","level":3,"score":0.5574439764022827},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5417308211326599},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.5302343368530273},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.5218355059623718},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.4909070134162903},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.4744606614112854},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.4432179629802704},{"id":"https://openalex.org/C114869243","wikidata":"https://www.wikidata.org/wiki/Q133735","display_name":"Security through obscurity","level":5,"score":0.41977500915527344},{"id":"https://openalex.org/C79373723","wikidata":"https://www.wikidata.org/wiki/Q386275","display_name":"Web development","level":3,"score":0.3072725534439087},{"id":"https://openalex.org/C35578498","wikidata":"https://www.wikidata.org/wiki/Q193424","display_name":"Web service","level":2,"score":0.3048209846019745},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.3021619915962219},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.2680921256542206},{"id":"https://openalex.org/C184842701","wikidata":"https://www.wikidata.org/wiki/Q370563","display_name":"Cloud computing security","level":3,"score":0.2557005286216736},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.241620272397995},{"id":"https://openalex.org/C103377522","wikidata":"https://www.wikidata.org/wiki/Q3493999","display_name":"Security information and event management","level":4,"score":0.22803309559822083},{"id":"https://openalex.org/C8797682","wikidata":"https://www.wikidata.org/wiki/Q2115","display_name":"XML","level":2,"score":0.17517122626304626},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.09798261523246765},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.07929646968841553},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.0},{"id":"https://openalex.org/C151730666","wikidata":"https://www.wikidata.org/wiki/Q7205","display_name":"Paleontology","level":1,"score":0.0},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/2771783.2771787","is_oa":false,"landing_page_url":"https://doi.org/10.1145/2771783.2771787","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2015 International Symposium on Software Testing and Analysis","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.5799999833106995,"id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":36,"referenced_works":["https://openalex.org/W23242426","https://openalex.org/W23790581","https://openalex.org/W109951691","https://openalex.org/W201766245","https://openalex.org/W1429964360","https://openalex.org/W1600776630","https://openalex.org/W1917555234","https://openalex.org/W1952344271","https://openalex.org/W1999436718","https://openalex.org/W2008158744","https://openalex.org/W2049214202","https://openalex.org/W2066070747","https://openalex.org/W2070791239","https://openalex.org/W2081625417","https://openalex.org/W2085925880","https://openalex.org/W2086631206","https://openalex.org/W2088498570","https://openalex.org/W2094415856","https://openalex.org/W2094568767","https://openalex.org/W2107604680","https://openalex.org/W2111487235","https://openalex.org/W2112962899","https://openalex.org/W2120109169","https://openalex.org/W2125357166","https://openalex.org/W2134646643","https://openalex.org/W2138124253","https://openalex.org/W2142867733","https://openalex.org/W2142958724","https://openalex.org/W2151152024","https://openalex.org/W2151619740","https://openalex.org/W2152225177","https://openalex.org/W2164582878","https://openalex.org/W2169868363","https://openalex.org/W2186876923","https://openalex.org/W2226733597","https://openalex.org/W2405282478"],"related_works":["https://openalex.org/W1668723973","https://openalex.org/W2547817202","https://openalex.org/W331060086","https://openalex.org/W4240401768","https://openalex.org/W4384518368","https://openalex.org/W3117252235","https://openalex.org/W3163146719","https://openalex.org/W658105165","https://openalex.org/W3201294019","https://openalex.org/W4287279928"],"abstract_inverted_index":{"The":[0],"World":[1],"Wide":[2],"Web":[3],"mainly":[4],"consists":[5],"of":[6,30,94,97,123,127,140],"web":[7,46,89,186],"applications":[8],"written":[9],"in":[10,22,50,116,146,160,200],"weakly":[11],"typed":[12],"scripting":[13],"languages,":[14],"with":[15,48],"PHP":[16,119],"being":[17],"the":[18,28,53,92],"most":[19],"popular":[20,118],"language":[21],"practice.":[23],"Empirical":[24],"evidence":[25],"based":[26],"on":[27,193],"analysis":[29,102,122],"vulnerabilities":[31],"suggests":[32],"that":[33],"security":[34,49,63,76,144,158,174,198],"is":[35],"often":[36,71],"added":[37],"as":[38],"an":[39],"ad-hoc":[40],"solution,":[41],"rather":[42],"than":[43,179],"planning":[44],"a":[45,88,98,137],"application":[47],"mind":[51],"during":[52],"design":[54],"phase.":[55],"Although":[56],"some":[57],"best-practice":[58],"guidelines":[59],"emerged,":[60],"no":[61],"comprehensive":[62,138],"standards":[64],"are":[65],"available":[66],"for":[67,78,104],"developers.":[68],"Thus,":[69],"developers":[70,142,190],"apply":[72],"their":[73],"own":[74],"favorite":[75],"mechanisms":[77,115,145,159,175,199],"data":[79,134],"sanitization":[80,112],"or":[81,113],"validation":[82,114],"to":[83,87,191,202],"prohibit":[84],"malicious":[85],"input":[86,111],"application.":[90],"In":[91,152],"context":[93],"our":[95],"development":[96],"new":[99],"static":[100],"code":[101,128],"tool":[103,189],"vulnerability":[105],"detection,":[106],"we":[107,155,168],"studied":[108],"commonly":[109],"used":[110],"25":[117],"applications.":[120],"Our":[121,181],"2.5":[124],"million":[125],"lines":[126],"and":[129,162,173,188,197,204],"over":[130],"26":[131],"thousand":[132],"secured":[133],"flows":[135],"provides":[136],"overview":[139],"how":[141],"utilize":[143],"practice":[147],"regarding":[148],"different":[149],"markup":[150,171,195],"contexts.":[151],"this":[153],"paper,":[154],"discuss":[156],"these":[157],"detail":[161],"reveal":[163],"common":[164],"pitfalls.":[165],"For":[166],"example,":[167],"found":[169],"certain":[170],"contexts":[172,196],"more":[176],"frequently":[177],"vulnerable":[178],"others.":[180],"empirical":[182],"study":[183],"helps":[184],"researchers,":[185],"developers,":[187],"focus":[192],"error-prone":[194],"order":[201],"detect":[203],"mitigate":[205],"vulnerabilities.":[206]},"counts_by_year":[{"year":2024,"cited_by_count":1},{"year":2022,"cited_by_count":3},{"year":2019,"cited_by_count":1},{"year":2016,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}