0xabad1dea · December 14, 2015 17:09
diff --git a/phppasswordfunctions.txt b/phppasswordfunctions.txt
 Here is a huge list of functions listed in the PHP manual which take an argument 
 which contains sensitive data, either directly or as an array element. Use it to 
 "audit" for statically embedded passwords in "your" codebase. Some of these are 
 very obscure/deprecated/whatever. The ones with "construct" in the name are 
 classes called in source like new foo("password");...


 http://php.net/manual/en/function.hash-hmac.php

 http://www.php.net/manual/en/function.curl-setopt.php

 http://php.net/manual/en/function.ssh2-auth-password.php <-- (the note about this not supporting keyboard_interactive from the getgo is just precious)

 http://www.php.net/manual/en/function.mysql-connect.php

 http://www.php.net/manual/en/function.mysqli-connect.php

 http://www.php.net/manual/en/mysqli.construct.php 

 http://www.php.net/manual/en/pdo.construct.php

 http://www.php.net/manual/en/function.oci-connect.php

 http://www.php.net/manual/en/function.oci-new-connect.php

 http://www.php.net/manual/en/function.oci-pconnect.php

 http://php.net/manual/en/function.mysql-pconnect.php

 http://www.php.net/manual/en/function.ldap-bind.php

 http://www.php.net/manual/en/function.ftp-login.php

 http://php.net/manual/en/function.mssql-connect.php

 http://www.php.net/manual/en/function.mssql-pconnect.php

 http://www.php.net/manual/en/function.ssh2-auth-hostbased-file.php 

 http://www.php.net/manual/en/function.ssh2-auth-pubkey-file.php 

 http://www.php.net/manual/en/function.hw-connect.php

 http://www.php.net/manual/en/function.svn-auth-set-parameter.php <-- depends on first argument

 http://www.php.net/manual/en/function.yaz-connect.php 

 http://www.php.net/manual/en/function.pg-connect.php

 http://www.php.net/manual/en/function.pg-pconnect.php

 http://php.net/manual/en/function.imap-open.php

 http://www.php.net/manual/en/function.cyrus-authenticate.php

 http://www.php.net/manual/en/function.vpopmail-add-user.php

 http://www.php.net/manual/en/function.vpopmail-auth-user.php

 http://www.php.net/manual/en/function.vpopmail-passwd.php

 http://www.php.net/manual/en/function.mcrypt-encrypt.php

 http://www.php.net/manual/en/function.mcrypt-decrypt.php

 http://www.php.net/manual/en/function.openssl-encrypt.php

 http://www.php.net/manual/en/function.openssl-decrypt.php

 http://www.php.net/manual/en/function.openssl-private-decrypt.php

 http://www.php.net/manual/en/function.openssl-private-encrypt.php

 http://www.php.net/manual/en/function.openssl-public-decrypt.php

 http://www.php.net/manual/en/function.openssl-public-encrypt.php

 http://www.php.net/manual/en/function.kadm5-init-with-password.php

 http://www.php.net/manual/en/function.dbx-connect.php

 http://www.php.net/manual/en/function.odbc-connect.php

 http://www.php.net/manual/en/function.cubrid-connect.php

 http://www.php.net/manual/en/function.cubrid-connect-with-url.php

 http://www.php.net/manual/en/function.cubrid-connect.php

 http://www.php.net/manual/en/function.cubrid-pconnect.php

 http://www.php.net/manual/en/function.cubrid-pconnect-with-url.php

 http://www.php.net/manual/en/function.ibase-connect.php

 http://www.php.net/manual/en/function.ibase-pconnect.php

 http://www.php.net/manual/en/function.fbsql-connect.php

 http://www.php.net/manual/en/function.fbsql-pconnect.php

 http://www.php.net/manual/en/function.fbsql-database-password.php

 http://www.php.net/manual/en/function.fbsql-password.php

 http://www.php.net/manual/en/function.fbsql-set-password.php

 http://www.php.net/manual/en/function.db2-connect.php

 http://www.php.net/manual/en/function.db2-pconnect.php

 http://www.php.net/manual/en/function.ifx-connect.php

 http://www.php.net/manual/en/function.ifx-pconnect.php

 http://www.php.net/manual/en/function.ingres-connect.php

 http://www.php.net/manual/en/function.ingres-pconnect.php

 http://www.php.net/manual/en/function.maxdb-connect.php

 http://www.php.net/manual/en/function.maxdb-real-connect.php

 http://www.php.net/manual/en/mongoclient.construct.php

 http://www.php.net/manual/en/function.ovrimos-connect.php

 http://www.php.net/manual/en/function.sqlsrv-connect.php

 http://www.php.net/manual/en/function.sybase-connect.php

 http://www.php.net/manual/en/function.sybase-pconnect.php

 http://www.php.net/manual/en/oauth.construct.php <-- technically "secret" but these things leak all the time

 http://www.php.net/manual/en/soapclient.soapclient.php 

 http://www.php.net/manual/en/varnishadmin.construct.php 

 http://www.php.net/manual/en/varnishadmin.setsecret.php

 http://www.php.net/manual/en/snmp.construct.php 

 http://www.php.net/manual/en/snmp.setsecurity.php 

 http://www.php.net/manual/en/stomp.construct.php

 http://www.php.net/manual/en/amqpconnection.setpassword.php

 http://www.php.net/manual/en/amqpconnection.construct.php 

 0xabad1dea
	Here is a huge list of functions listed in the PHP manual which take an argument
	which contains sensitive data, either directly or as an array element. Use it to
	"audit" for statically embedded passwords in "your" codebase. Some of these are
	very obscure/deprecated/whatever. The ones with "construct" in the name are
	classes called in source like new foo("password");...


	http://php.net/manual/en/function.hash-hmac.php

	http://www.php.net/manual/en/function.curl-setopt.php

	http://php.net/manual/en/function.ssh2-auth-password.php <-- (the note about this not supporting keyboard_interactive from the getgo is just precious)

	http://www.php.net/manual/en/function.mysql-connect.php

	http://www.php.net/manual/en/function.mysqli-connect.php

	http://www.php.net/manual/en/mysqli.construct.php

	http://www.php.net/manual/en/pdo.construct.php

	http://www.php.net/manual/en/function.oci-connect.php

	http://www.php.net/manual/en/function.oci-new-connect.php

	http://www.php.net/manual/en/function.oci-pconnect.php

	http://php.net/manual/en/function.mysql-pconnect.php

	http://www.php.net/manual/en/function.ldap-bind.php

	http://www.php.net/manual/en/function.ftp-login.php

	http://php.net/manual/en/function.mssql-connect.php

	http://www.php.net/manual/en/function.mssql-pconnect.php

	http://www.php.net/manual/en/function.ssh2-auth-hostbased-file.php

	http://www.php.net/manual/en/function.ssh2-auth-pubkey-file.php

	http://www.php.net/manual/en/function.hw-connect.php

	http://www.php.net/manual/en/function.svn-auth-set-parameter.php <-- depends on first argument

	http://www.php.net/manual/en/function.yaz-connect.php

	http://www.php.net/manual/en/function.pg-connect.php

	http://www.php.net/manual/en/function.pg-pconnect.php

	http://php.net/manual/en/function.imap-open.php

	http://www.php.net/manual/en/function.cyrus-authenticate.php

	http://www.php.net/manual/en/function.vpopmail-add-user.php

	http://www.php.net/manual/en/function.vpopmail-auth-user.php

	http://www.php.net/manual/en/function.vpopmail-passwd.php

	http://www.php.net/manual/en/function.mcrypt-encrypt.php

	http://www.php.net/manual/en/function.mcrypt-decrypt.php

	http://www.php.net/manual/en/function.openssl-encrypt.php

	http://www.php.net/manual/en/function.openssl-decrypt.php

	http://www.php.net/manual/en/function.openssl-private-decrypt.php

	http://www.php.net/manual/en/function.openssl-private-encrypt.php

	http://www.php.net/manual/en/function.openssl-public-decrypt.php

	http://www.php.net/manual/en/function.openssl-public-encrypt.php

	http://www.php.net/manual/en/function.kadm5-init-with-password.php

	http://www.php.net/manual/en/function.dbx-connect.php

	http://www.php.net/manual/en/function.odbc-connect.php

	http://www.php.net/manual/en/function.cubrid-connect.php

	http://www.php.net/manual/en/function.cubrid-connect-with-url.php

	http://www.php.net/manual/en/function.cubrid-connect.php

	http://www.php.net/manual/en/function.cubrid-pconnect.php

	http://www.php.net/manual/en/function.cubrid-pconnect-with-url.php

	http://www.php.net/manual/en/function.ibase-connect.php

	http://www.php.net/manual/en/function.ibase-pconnect.php

	http://www.php.net/manual/en/function.fbsql-connect.php

	http://www.php.net/manual/en/function.fbsql-pconnect.php

	http://www.php.net/manual/en/function.fbsql-database-password.php

	http://www.php.net/manual/en/function.fbsql-password.php

	http://www.php.net/manual/en/function.fbsql-set-password.php

	http://www.php.net/manual/en/function.db2-connect.php

	http://www.php.net/manual/en/function.db2-pconnect.php

	http://www.php.net/manual/en/function.ifx-connect.php

	http://www.php.net/manual/en/function.ifx-pconnect.php

	http://www.php.net/manual/en/function.ingres-connect.php

	http://www.php.net/manual/en/function.ingres-pconnect.php

	http://www.php.net/manual/en/function.maxdb-connect.php

	http://www.php.net/manual/en/function.maxdb-real-connect.php

	http://www.php.net/manual/en/mongoclient.construct.php

	http://www.php.net/manual/en/function.ovrimos-connect.php

	http://www.php.net/manual/en/function.sqlsrv-connect.php

	http://www.php.net/manual/en/function.sybase-connect.php

	http://www.php.net/manual/en/function.sybase-pconnect.php

	http://www.php.net/manual/en/oauth.construct.php <-- technically "secret" but these things leak all the time

	http://www.php.net/manual/en/soapclient.soapclient.php

	http://www.php.net/manual/en/varnishadmin.construct.php

	http://www.php.net/manual/en/varnishadmin.setsecret.php

	http://www.php.net/manual/en/snmp.construct.php

	http://www.php.net/manual/en/snmp.setsecurity.php

	http://www.php.net/manual/en/stomp.construct.php

	http://www.php.net/manual/en/amqpconnection.setpassword.php

	http://www.php.net/manual/en/amqpconnection.construct.php

	0xabad1dea