{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T10:33:36Z","timestamp":1767954816340,"version":"3.49.0"},"reference-count":42,"publisher":"World Scientific Pub Co Pte Ltd","issue":"03","funder":[{"name":"Basic Innovation Re search Cultivation Program of Yanshan University","award":["2024LGZD004"],"award-info":[{"award-number":["2024LGZD004"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["62376240"],"award-info":[{"award-number":["62376240"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"name":"S&T Program of Hebei","award":["236Z0304G"],"award-info":[{"award-number":["236Z0304G"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Int. J. Soft. Eng. Knowl. Eng."],"published-print":{"date-parts":[[2026,3,15]]},"abstract":"<jats:p>As the most widely used server-side programming language for web applications, PHP has a large number of SQL injection (SQLI) and cross-site scripting (XSS) vulnerabilities that are exploited maliciously, making the detection of such vulnerabilities increasingly critical. Existing source code detection methods suffer from issues such as uncleaned redundant information, limited representation dimensions and poor detection performance. To address these challenges, we propose a PHP vulnerability detection method based on RGB image representation and hybrid attention mechanisms\u00a0\u2014 PHP ResNet with Hybrid Attention (PRWHA). First, PRWHA marks the input sources and sensitive functions, constructs data flow and control flow graphs between source and sink points and adds function call edges. This method uniquely identifies nodes in the graph using filenames and line numbers to enable inter-procedural and cross-file detection. Next, it leverages both the topological information (including data flow, control flow and function call relationships) and textual information of the code\u2019s graph structure to generate RGB images. These images are then processed by a ResNet-50 model enhanced with a hybrid attention layer to detect SQLI and XSS vulnerabilities. To validate the effectiveness of PRWHA, we evaluated it on both publicly available datasets and real-world software datasets. The results demonstrate that PRWHA outperforms traditional methods as well as other machine learning, deep learning and Large Language Model (LLM)-based detection approaches. On the public dataset, PRWHA achieved an accuracy of 99.00% and an F1-score of 97.13% on the test set. On the real-world software dataset, it achieved an accuracy of 73% and a vulnerability detection rate of approximately 83.67%.<\/jats:p>","DOI":"10.1142\/s0218194025500743","type":"journal-article","created":{"date-parts":[[2025,10,8]],"date-time":"2025-10-08T10:01:35Z","timestamp":1759917695000},"page":"455-486","source":"Crossref","is-referenced-by-count":0,"title":["PRWHA: RGB Image-Based Hybrid Attention for Cross-File SQLI\/XSS Vulnerability Detection in PHP Web Applications"],"prefix":"10.1142","volume":"36","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-9320-9382","authenticated-orcid":false,"given":"Rong","family":"Ren","sequence":"first","affiliation":[{"name":"School of Information Science and Engineering, Yanshan University, Qinhuangdao, P.\u00a0R.\u00a0China"},{"name":"The Key Laboratory of Software Engineering, Yanshan University, Qinhuangdao, P.\u00a0R.\u00a0China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Qingyu","family":"Song","sequence":"additional","affiliation":[{"name":"School of Information Science and Engineering, Yanshan University, Qinhuangdao, P.\u00a0R.\u00a0China"},{"name":"The Key Laboratory of Software Engineering, Yanshan University, Qinhuangdao, P.\u00a0R.\u00a0China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9867-8439","authenticated-orcid":false,"given":"Bing","family":"Zhang","sequence":"additional","affiliation":[{"name":"School of Information Science and Engineering, Yanshan University, Qinhuangdao, P.\u00a0R.\u00a0China"},{"name":"The Key Laboratory of Software Engineering, Yanshan University, Qinhuangdao, P.\u00a0R.\u00a0China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9338-5605","authenticated-orcid":false,"given":"Haitao","family":"He","sequence":"additional","affiliation":[{"name":"School of Information Science and Engineering, Yanshan University, Qinhuangdao, P.\u00a0R.\u00a0China"},{"name":"The Key Laboratory of Software Engineering, Yanshan University, Qinhuangdao, P.\u00a0R.\u00a0China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7159-1424","authenticated-orcid":false,"given":"Qian","family":"Wang","sequence":"additional","affiliation":[{"name":"School of Information Science and Engineering, Yanshan University, Qinhuangdao, P.\u00a0R.\u00a0China"},{"name":"The Key Laboratory of Software Engineering, Yanshan University, Qinhuangdao, P.\u00a0R.\u00a0China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0655-4947","authenticated-orcid":false,"given":"Guoyan","family":"Huang","sequence":"additional","affiliation":[{"name":"School of Information Science and Engineering, Yanshan University, Qinhuangdao, P.\u00a0R.\u00a0China"},{"name":"The Key Laboratory of Software Engineering, Yanshan University, Qinhuangdao, P.\u00a0R.\u00a0China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"219","published-online":{"date-parts":[[2025,11,3]]},"reference":[{"key":"S0218194025500743BIB001","unstructured":"W3techs \u2014 Extensive and reliable web technology surveys (2024), https:\/\/w3techs.com\/."},{"key":"S0218194025500743BIB002","unstructured":"New H3C Technologies Co., Ltd. (2023) Cybersecurity vulnerability landscape report - H3C group, https:\/\/www.h3c.com\/cn\/d_202402\/2056604_30003_0.htm"},{"key":"S0218194025500743BIB003","doi-asserted-by":"publisher","DOI":"10.1049\/iet-sen.2011.0084"},{"key":"S0218194025500743BIB004","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.29"},{"key":"S0218194025500743BIB005","unstructured":"J. Dahse and J. Schwenk, Rips-a static source code analyser for vulnerabilities in php scripts, seminar work (seminer \u00e7al\u0131smas\u0131), Horst G\u00f6rtz Institute Ruhr-University Bochum (2010)."},{"key":"S0218194025500743BIB006","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23262"},{"key":"S0218194025500743BIB007","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2015.16"},{"key":"S0218194025500743BIB008","doi-asserted-by":"publisher","DOI":"10.1145\/2166956.2166964"},{"key":"S0218194025500743BIB009","unstructured":"I. A. Y. Shakhatreh, Sql-injection vulnerability scanner using automatic creation of sql-injection attacks (mysqlinjector) (2010)."},{"key":"S0218194025500743BIB010","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2015.2457411"},{"key":"S0218194025500743BIB011","doi-asserted-by":"publisher","DOI":"10.1145\/2931037.2931041"},{"key":"S0218194025500743BIB012","doi-asserted-by":"publisher","DOI":"10.1109\/5.18626"},{"key":"S0218194025500743BIB013","doi-asserted-by":"publisher","DOI":"10.1145\/3230833.3230856"},{"key":"S0218194025500743BIB014","volume-title":"Advances in Neural Information Processing Systems","volume":"32","author":"Zhou Y.","year":"2019"},{"key":"S0218194025500743BIB015","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.3044773"},{"key":"S0218194025500743BIB016","unstructured":"Z. Li, D. Zou, S. Xu, X. Ou, H. Jin, S. Wang, Z. Deng and Y. Zhong, Vuldeepecker: A deep learning-based system for vulnerability detection, arXiv:1801.01681."},{"issue":"5","key":"S0218194025500743BIB017","first-page":"2224","volume":"18","author":"Zou D.","year":"2021","journal-title":"IEEE Trans. Dependable Secure Comput."},{"key":"S0218194025500743BIB018","first-page":"2365","volume-title":"Proc. 44th Int. Conf. Software Engineering","author":"Yueming W.","year":"2022"},{"key":"S0218194025500743BIB019","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103501"},{"key":"S0218194025500743BIB020","doi-asserted-by":"publisher","DOI":"10.1109\/ICSTW50294.2020.00083"},{"key":"S0218194025500743BIB021","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-41579-2_12"},{"key":"S0218194025500743BIB022","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2017.14"},{"key":"S0218194025500743BIB023","doi-asserted-by":"publisher","DOI":"10.1109\/DSC54232.2022.9888816"},{"key":"S0218194025500743BIB024","doi-asserted-by":"publisher","DOI":"10.3390\/app13020825"},{"key":"S0218194025500743BIB025","doi-asserted-by":"publisher","DOI":"10.1109\/TNN.2008.2005605"},{"key":"S0218194025500743BIB026","unstructured":"D. Kroening and G. Weissenbacher, Joern: An open-source code analysis platform. Release v2.0.1, https:\/\/github.com\/joernio\/joern."},{"key":"S0218194025500743BIB027","unstructured":"T. N. Kipf and M. Welling, Semi-supervised classification with graph convolutional networks, arXiv:1609.02907."},{"key":"S0218194025500743BIB028","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i01.5477"},{"key":"S0218194025500743BIB029","doi-asserted-by":"publisher","DOI":"10.1016\/0378-8733(78)90021-7"},{"key":"S0218194025500743BIB030","doi-asserted-by":"publisher","DOI":"10.1007\/BF02289026"},{"key":"S0218194025500743BIB031","doi-asserted-by":"publisher","DOI":"10.1109\/42.816070"},{"key":"S0218194025500743BIB032","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"S0218194025500743BIB033","unstructured":"National Institute of Standards and Technology, SARD (2020), https:\/\/samate.nist.gov\/index.php\/Software_Assurance_Reference_Dataset.html."},{"key":"S0218194025500743BIB034","unstructured":"F. Schuckert, H. Langweg and B. Katt, PHP test suite - XSS, SQLi 1.0.0 (2022), https:\/\/samate.nist.gov\/SARD\/test-suites\/114."},{"key":"S0218194025500743BIB035","doi-asserted-by":"publisher","DOI":"10.1145\/3065386"},{"key":"S0218194025500743BIB036","unstructured":"N. Rahaman\n                      et al\n                      ., On the spectral bias of neural networks, arXiv:1806.08734."},{"key":"S0218194025500743BIB037","first-page":"2017","volume-title":"Proc. 29th Int. Conf. Neural Information Processing Systems","author":"Jaderberg M.","year":"2015"},{"key":"S0218194025500743BIB038","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00745"},{"key":"S0218194025500743BIB039","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-01234-2_1"},{"key":"S0218194025500743BIB040","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2022.108785"},{"key":"S0218194025500743BIB041","unstructured":"B. Rozi\u00e8re\n                      et al\n                      ., Code llama: Open foundation models for code, arXiv:2308.12950."},{"key":"S0218194025500743BIB042","doi-asserted-by":"publisher","DOI":"10.1109\/WACV.2018.00097"}],"container-title":["International Journal of Software Engineering and Knowledge Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.worldscientific.com\/doi\/pdf\/10.1142\/S0218194025500743","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T09:13:00Z","timestamp":1767949980000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.worldscientific.com\/doi\/10.1142\/S0218194025500743"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,3]]},"references-count":42,"journal-issue":{"issue":"03","published-print":{"date-parts":[[2026,3,15]]}},"alternative-id":["10.1142\/S0218194025500743"],"URL":"https:\/\/doi.org\/10.1142\/s0218194025500743","relation":{},"ISSN":["0218-1940","1793-6403"],"issn-type":[{"value":"0218-1940","type":"print"},{"value":"1793-6403","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,11,3]]}}}