Using a fuzzer is a good idea. But, you could also try coding an automated system yourself, as this will boost your knowledge about php and security issues/loop holes in your php sites.

使用模糊器是个好主意。但是，您也可以尝试自己编写一个自动化系统，因为这将提高您对 php 和 php 站点中的安全问题/循环漏洞的了解。

I would personally use Google's Skipfishand find out for yourself if there are problems, then build your own just for your needs and ease of use. Good luck!

我个人会使用 Google 的Skipfish并亲自找出是否存在问题，然后根据自己的需要和易用性构建自己的。祝你好运！

I've been using netsparker http://www.mavitunasecurity.com/

我一直在使用 netsparker http://www.mavitunasecurity.com/

Not exactly what you need but it can help a lot :)

不完全是你需要的，但它可以帮助很多:)

This can be done with a fuzzeror a web vulnerability scanner.

这可以通过模糊器或网络漏洞扫描器来完成。

You should do both. Review your code and look for possible SQL-Injections etc.

你应该两者都做。查看您的代码并寻找可能的 SQL 注入等。

Google released a very nice tool named "Skipfish" that scans your application for common security holes / attack patterns.

Google 发布了一个名为“ Skipfish”的非常好的工具，它可以扫描您的应用程序以查找常见的安全漏洞/攻击模式。

I recommend using the open source project wapitiwhich will test for XSS, SQLi, LFI/RFI and many more. There is also the commercial product Sitewatch($), and the best is NTOSpider($$$$$).

我建议使用开源项目wapiti，它将测试 XSS、SQLi、LFI/RFI 等等。还有商业产品Sitewatch（$），最好的是NTOSpider（$$$$$）。

To familiarize yourself with common web security flaws, you may also wish to explore Webgoat

为了熟悉常见的 Web 安全漏洞，您可能还希望探索Webgoat

You can use a static code analysis tool, e.g. RIPSfor PHP, to analyze your complete source code for security flaws. Fuzzing your website from the outside may not cover all code paths and overlook issues.

您可以使用静态代码分析工具（例如RIPSfor PHP）来分析您的完整源代码是否存在安全漏洞。从外部对您的网站进行模糊测试可能无法涵盖所有​​代码路径并忽略问题。

This is a new and good tool fot testing,it can be used, from web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities. It worths to give a try Commix

这是一个新的很好的测试工具，它可以被 web 开发人员、渗透测试人员甚至安全研究人员用来测试 web 应用程序，以发现错误、错误或漏洞。值得一试 Commix

RFI, LFI, SQL Injection, too many to discuss, and probably too boring to read one by one. I suggest you use a fuzzer instead. There many free ones and here's a wiki article about it: http://en.wikipedia.org/wiki/Fuzz_testing

RFI, LFI, SQL Injection，太多讨论了，可能太无聊了，一一阅读。我建议你改用模糊器。有很多免费的，这里有一篇关于它的 wiki 文章：http: //en.wikipedia.org/wiki/Fuzz_testing

I doubt there's anything -good (so, 100% reliable)- that's automated. But a nice topic to go through might be this one on SO, as it lists "historical security flaws".

我怀疑有什么东西 - 好的（所以，100% 可靠） - 是自动化的。但是一个很好的主题可能是 SO 上的这个主题，因为它列出了“历史安全漏洞”。

Historical security flaws of popular PHP CMS's?

流行的 PHP CMS 的历史安全漏洞？