
1tamilblasters Index.php ((link)) May 2026

(If the file mixes PHP and HTML heavily, note the "PHP-in-HTML" sections and any templating engine used.)

| Criterion | Rating (1-5) | Comments |
|-----------|--------------|----------|
| Readability / Naming | | Consistent variable names? Comments? |
| Modularity | | Use of functions/classes vs. monolithic script |
| Error Handling | | Try-catch, custom error pages, logging |
| Performance | | Unnecessary DB calls, loops, output buffering |
| Compliance with PSR-12 / Coding Standards | | Indentation, braces, naming conventions |
| Documentation | | Header docblocks, inline comments, README |

5️⃣ Security Review

| Area | Findings | Severity | Recommendation |
|------|----------|----------|----------------|
| Input Validation / Sanitisation | e.g., raw `$_GET` / `$_POST` used directly in SQL | High / Medium / Low | Use prepared statements (`PDO` / `mysqli`) or filter functions. |
| Output Escaping | e.g., echoing user data without `htmlspecialchars` | Medium | Encode all dynamic output for HTML/JS/URL contexts. |
| SQL Injection | e.g., concatenated queries | High | Switch to parameterised queries. |
| Cross-Site Scripting (XSS) | e.g., reflected XSS via query string | Medium | Encode output, implement CSP. |
| Cross-Site Request Forgery (CSRF) | e.g., form submissions lack tokens | Medium | Add CSRF tokens. |
| File Inclusion / Path Traversal | e.g., `include $_GET['page'];` | High | Whitelist allowed files; avoid direct user input in includes. |
| Session Management | e.g., session fixation, missing `httponly` flag | Medium | Regenerate IDs after login, set secure cookie flags. |
| Authentication / Authorization | e.g., public access to admin pages | High | Enforce proper access controls. |
| Server-Side Configuration | e.g., missing `Content-Security-Policy`, `X-Frame-Options` | Low/Medium | Add security headers. |
| Error Disclosure | e.g., `display_errors = On` in production | Low | Disable display, log errors instead. |
| Dependency Vulnerabilities | e.g., outdated Composer packages | Variable | Run `composer audit` / update. |
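The recommendations in the security review table above, collected into one PHP file as an added example (this is not code from the reviewed project or the original page). It assumes a PDO connection `$db` to a hypothetical `users` table, a `pages/` directory with the listed files, and PHP sessions; all function and table names are illustrative.

```php
<?php
// Added example: hardened forms of the patterns flagged in the review table.
// Assumptions (not from the page): a PDO handle $db, a `users` table with
// id/name columns, and the page files listed in PAGES.

declare(strict_types=1);

// --- Session management: secure cookie flags (httponly, secure, samesite) ---
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();

// --- Error disclosure: never display errors in production, log them instead ---
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// --- Server-side configuration: security headers ---
header("Content-Security-Policy: default-src 'self'");
header('X-Frame-Options: DENY');
header('X-Content-Type-Options: nosniff');

// --- SQL injection: parameterised query instead of string concatenation ---
function findUserByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Output escaping: encode for the HTML context before echoing ---
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- File inclusion: fixed whitelist; user input only selects a key ---
const PAGES = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];

function resolvePage(string $requested): string
{
    // Unknown keys fall back to the default page; the raw value never reaches include.
    return PAGES[$requested] ?? PAGES['home'];
}

// --- CSRF: per-session random token, compared in constant time ---
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// --- Authentication / authorization: regenerate the ID on login, gate admin pages ---
function loginUser(int $userId): void
{
    session_regenerate_id(true); // defeats session fixation
    $_SESSION['user_id'] = $userId;
}

function requireLogin(): void
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage sketch: validate the CSRF token on POST, then render escaped output.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf'] ?? null)) {
        http_response_code(400);
        exit('Invalid CSRF token');
    }
    // ... process the validated form here ...
}

$name = (string) (filter_input(INPUT_GET, 'name', FILTER_DEFAULT) ?? '');
echo '<p>Hello, ' . e($name) . '</p>';
echo '<input type="hidden" name="csrf" value="' . e(csrfToken()) . '">';
include resolvePage((string) ($_GET['page'] ?? 'home'));
```

Each block maps to one row of the table, so a reviewer can point at the row and the corresponding fix during the walkthrough. The `resolvePage` lookup is the key point for the file-inclusion row: the request value is used only as an array key, so a traversal string such as `../` can never become a path.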