# Code Review

### String matching/Grep for bugs

This is probably the fastest way to find low-hanging fruit: you simply search for the textual patterns of known vulnerability classes. For example, you can use `grep` to find calls to the PHP `system` function that receive request data directly:

```
$ grep -R 'system(\$_' *
```

(`grep` uses basic regular expressions by default, where `(` is a literal character and `\(` opens a group, so the parenthesis must not be escaped here; `\$` keeps the shell and the regex from treating `$` specially.)

You can find a list of regular expressions to try on your code base in the GRaudit project (<https://github.com/wireghoul/graudit>).
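The same idea carried a step further, as an added example that is not part of the original page or of graudit: a small graudit-style pass over a PHP tree that flags request data flowing straight into command, eval and include sinks. The signature list is a constructed sample, not graudit's database, and the scan uses `grep -E`, so the call parentheses are escaped.

```sh
# scan_php_sinks DIR
# Prints file:line:text for every *.php line where $_GET/$_POST/$_REQUEST/
# $_COOKIE is passed straight into a command, eval or include sink.
# find + grep instead of `grep -R --include` keeps this POSIX-portable;
# /dev/null forces grep to print file names even when only one file matches.
scan_php_sinks() {
    find "$1" -type f -name '*.php' -exec grep -n -E \
        -e '(system|exec|shell_exec|passthru|popen|proc_open|eval)\(\$_(GET|POST|REQUEST|COOKIE)' \
        -e '(include|require)(_once)?\(\$_(GET|POST|REQUEST|COOKIE)' \
        /dev/null {} +
}

# count_php_sink_hits DIR: number of flagged lines, usable as a CI gate.
count_php_sink_hits() {
    scan_php_sinks "$1" | wc -l | tr -d ' '
}

# make_sample_tree: constructed input for the demo, one vulnerable and one
# safe file in a fresh temporary directory; prints the directory path.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/upload.php" <<'EOF'
<?php
// constructed vulnerable sample: request data flows straight into sinks
system($_GET['cmd']);
$out = shell_exec($_POST['host']);
include($_REQUEST['page'] . '.php');
echo htmlspecialchars($_GET['name']); // not a flagged sink
EOF
    cat > "$dir/safe.php" <<'EOF'
<?php
// constructed safe sample: the include path comes from an allow-list
$allowed = array('home', 'about');
$page = in_array($_GET['p'], $allowed, true) ? $_GET['p'] : 'home';
include(__DIR__ . "/pages/$page.php");
EOF
    echo "$dir"
}

# Stand-alone run: build the sample tree, scan it, clean up.
tree=$(make_sample_tree)
scan_php_sinks "$tree" || true    # grep exits 1 when nothing matches
echo "flagged lines: $(count_php_sink_hits "$tree")"   # 3 for the sample
rm -rf "$tree"
```

Pattern lists like this only catch sinks fed directly from superglobals; data that passes through a variable first needs a proper taint analysis, which is why the grep pass is a first sweep rather than the whole review.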

### Determine size of the application to narrow down methodologies

You can use the tool `cloc` (<https://github.com/AlDanial/cloc>) to get a better idea of the size of the application:

```
% cloc .
      14 text files.
      13 unique files.                              
       2 files ignored.

github.com/AlDanial/cloc v 1.72  T=0.11 s (120.6 files/s, 46503.2 lines/s)
-------------------------------------------------------------------------------
Language                     files          blank        comment           code
-------------------------------------------------------------------------------
CSS                              2            676             11           3973
PHP                             10             48              4            289
SQL                              1              5              0              5
-------------------------------------------------------------------------------
SUM:                            13            729             15           4267
-------------------------------------------------------------------------------
```
