摘要: 本文针对PHP应用中由于序列化滥用、输入校验缺失、路径解析歧义而引起的高危安全威胁，将快速预筛、基于AST/CFG的深度语义分析、跨函数关联溯源三种模式有机结合起来，构造从受污染源到触发点的可视化证据链，并设计实现了一套多模态污点分析检测框架，解决了传统审计工具在跨文件数据流追踪、消毒器识别、路径归一化等方面的不足，同时引入AI辅助技术对漏洞片段做智能摘要及自动化验证，提高了人工复核效率。通过在DVWA靶场及若干真实开源项目上的对比实验，验证了所提方法在复杂漏洞挖掘中的可靠性及所生成报告的可信性。

Abstract: This paper addresses high-severity security threats in PHP applications caused by the misuse of serialization, missing input validation, and ambiguities in path resolution. It integrates three complementary modes—rapid pre-screening, deep semantic analysis based on AST/CFG, and cross-function correlation tracing—to construct a visual evidence chain from taint sources to vulnerability trigger points. We design and implement a multimodal taint-analysis detection framework that overcomes limitations of traditional auditing tools in cross-file data-flow tracking, sanitizer identification, and path normalization. In addition, we introduce AI-assisted techniques to generate intelligent summaries of vulnerable code snippets and automate verification, thereby improving the efficiency of manual review. Comparative experiments on the DVWA testbed and several real-world open-source projects demonstrate the reliability of the proposed approach for discovering complex vulnerabilities and the credibility of the generated reports.