When using sgrep to search for insecure PHP code, I've found it useful to be able to ignore function arguments that are hard-coded strings. For example, making an assumption that a hard-coded string argument to a function like popen() is probably(!?) okay, but an argument with variable substitution is more suspect and should receive more follow up.
Rather than put together complex patterns with metavariables, it's been easier to say, "not a string" with a pattern of "!...". That pattern is intended to echo the "..." for matching any string.
Thanks, Mike
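The same "not a string literal" idea can be written in today's semgrep rule syntax without a new `!...` operator: in a pattern, `"..."` matches any string literal, and `pattern-not` subtracts those matches from a broader `pattern`. The rule below is an added example, not part of Mike's post or of the sgrep/semgrep project; the rule id, message and the PHP inputs in the trailing comment are constructed for illustration.

```yaml
# Added example: semgrep rule implementing "first argument to popen() is not
# a hard-coded string literal". Rule id, message and PHP samples are constructed.
rules:
  - id: php-popen-non-literal-command   # hypothetical rule id
    languages: [php]
    severity: WARNING
    message: >
      popen() is called with a command argument that is not a hard-coded
      string literal; check where the value comes from before trusting it.
    patterns:
      # Match every popen() call and bind its command argument to $CMD.
      - pattern: popen($CMD, ...)
      # Drop the calls whose command is a plain string literal.
      # In semgrep pattern syntax, "..." matches any string literal.
      - pattern-not: popen("...", ...)

# Constructed PHP inputs for this rule. Save them as a separate file
# (e.g. popen.php next to popen.yaml) to run `semgrep --test`; the
# "ok:" / "ruleid:" comments are semgrep's test annotations.
#
#   <?php
#   // ok: php-popen-non-literal-command
#   $h = popen("ls -l /tmp", "r");
#   // ruleid: php-popen-non-literal-command
#   $h = popen($_GET["cmd"], "r");
#   // ruleid: php-popen-non-literal-command
#   $h = popen("ls -l " . $dir, "r");
```

Two things worth checking before relying on the rule: a concatenation such as `"ls -l " . $dir` is a binary expression rather than a literal, so it is reported as intended, but whether a double-quoted PHP string with inline interpolation (`"ls $dir"`) is treated as a plain literal depends on the parser the semgrep version in use has for PHP, so add such a case to the test file and confirm it is flagged. The pattern also only inspects the first argument; if the mode argument or other wrappers around popen() matter, extend the `pattern` and `pattern-not` pair accordingly.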