// sample report
PHP Code Security Review — Sample Report
This is a sample report — an illustrative example for evaluation only. It does not describe any specific customer or system.
Example scenario
A developer pastes a controller snippet for a defensive review before merging.
Executive summary
Two issues were identified: a query built with string concatenation (SQL injection risk) and unescaped output rendered into HTML (XSS risk). Both have well-understood, low-effort fixes: parameterised queries and output escaping.
Findings
| ID | Finding | Severity | Mapping |
|---|---|---|---|
| CR-01 | SQL built by string concatenation | High | OWASP A03:2021 · CWE-89 · NIST SI-10 |
| CR-02 | Unescaped output to HTML | Medium | OWASP A03:2021 · CWE-79 · NIST SI-10 |
Details
CR-01 · SQL built by string concatenation
HighEvidence. User input is concatenated directly into a SQL statement instead of using a bound parameter.
Risk. An attacker could alter the query to read or modify unintended data.
Defensive countermeasure. Use prepared statements with bound parameters for every query that includes input.
OWASP A03:2021 · CWE-89 · NIST SI-10
CR-02 · Unescaped output to HTML
MediumEvidence. A request value is echoed into the page without htmlspecialchars().
Risk. Reflected cross-site scripting if the value contains markup.
Defensive countermeasure. Escape all dynamic output on the way out (htmlspecialchars with ENT_QUOTES) and add a CSP.
OWASP A03:2021 · CWE-79 · NIST SI-10
Related NeoShield tool
Defensive use only. This platform is for defensive and authorized security work only. Do not scan, test, or analyze systems you do not own or have explicit permission to assess. Sample reports never include offensive exploit steps.