I have to make a script in PHP that will scan other PHP files to check for dangerous function calls like eval, exec.
Is there any parser available that can give me a logical structure of the code?
Or do I have to go with regex?
Thanks, any type of suggestion is welcome.
Arshdeep
Edit: I am not considering it as a "one shot kill all". I have some other things in mind too, but it's still something that I have to do.
You can use the tokenizer to do that:

    print_r(token_get_all('<?php exec("rm -rf *"); ?>'));

Notice in the output the third element, which is:
    [1] => Array
        (
            [0] => 307
            [1] => exec
            [2] => 1
        )
Don't, you'll only shoot yourself in the foot.
PHP is a highly dynamic language. You probably can't even imagine what possibilities there are to execute code. I had some attempts at preprocessing PHP for sandboxing and from my experience I can tell you that it is very hard to account for all cases. To get a rough overview of what you are facing, look at the exploitable functions list, which was created over time and still isn't perfect.
To answer your actual question, I maintain a PHP parser written in PHP. You could intercept all function calls by defining a node visitor looking roughly like this:
    class MyNodeVisitor extends PHPParser_NodeVisitorAbstract {
        public function enterNode(PHPParser_Node $node) {
            if ($node instanceof PHPParser_Node_Expr_FuncCall) {
                if ($node->name instanceof PHPParser_Node_Name) {
                    // static function name, e.g. exec(...): check it against your list
                } else {
                    // dynamic function name, e.g. $f(...): cannot be resolved statically
                }
            }
        }
    }
Just use disable_functions and disable_classes.
These can be changed only at the php.ini level.