Web shell attacks delivered through malicious PHP scripts allow attackers to execute system commands remotely and take control of web servers. Most existing PHP web shell detection methods rely on signature matching, which can be evaded by obfuscation. This paper proposes an alternative static taint analysis framework that detects PHP web shell attacks by modeling data flows from untrusted inputs to sensitive sinks. The proposed detector takes PHP source code as input and performs a staged analysis: lexical analysis to tokenize the code, syntactic analysis to generate a parse tree, semantic analysis to extract variables and functions into a dependency control flow graph (D-CFG), dataflow analysis to track taint through the D-CFG and identify flows from untrusted sources such as $_GET to sinks such as shell commands, and evaluation to compare the identified flows against known malicious patterns and check for indications of a web shell attack. Each stage builds on the previous one, and the whole process aims to reliably detect PHP web shell threats through static taint analysis of program flows from origin to system execution. The framework conducts a hybrid analysis combining lexical, syntactic, and semantic analysis of the abstract syntax tree. Static taint analysis is a program analysis technique that identifies how untrusted data propagates through a codebase without executing the program; it finds security issues by modeling how untrusted inputs interact with critical operations through static code inspection rather than dynamic execution. Results on a PHP web shell dataset showed that our framework achieves 95% recall and 90% precision, outperforming existing static and dynamic analysis methods, with fewer false positives than signature-based methods. The evaluation demonstrates the framework's ability to detect web shell attacks precisely.
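A compact model of the dataflow stage described above, added here as an illustration and not code from the paper: it stands in for stages one to three with regular expressions over one-statement-per-line PHP, propagates taint along assignment edges, clears it when a sanitizer wraps the right-hand side, and reports every execution sink fed by an untrusted source. The source, sink and sanitizer sets and the sample PHP are constructed for the example.

```python
import re

# Constructed catalogues for this example; a real detector would carry far more entries.
SOURCES = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE"}                 # untrusted origins
SINKS = {"system", "exec", "shell_exec", "passthru", "popen", "eval"}  # command/code execution
SANITIZERS = {"escapeshellarg", "escapeshellcmd", "intval"}            # break the taint chain
VAR_RE = re.compile(r"\$\w+")                       # any PHP variable, incl. superglobals
ASSIGN_RE = re.compile(r"^(\$\w+)\s*=\s*(.+);$")    # $lhs = <expr>;
CALL_RE = re.compile(r"\b(\w+)\s*\((.*)\)")         # fn(<args>), greedy so nesting is kept

def find_flows(php_src):
    """Return [(line, sink, [tainted operands])] for each sink fed by untrusted data."""
    # Simplifications: one statement per line, straight-line code, and a sanitizer
    # clears taint only when it wraps the whole right-hand side of an assignment.
    tainted = set()   # variables currently carrying untrusted data
    flows = []
    for n, line in enumerate(php_src.splitlines(), 1):
        stmt = line.strip()
        # Dataflow check: does any execution sink on this line consume tainted data?
        for fn, args in CALL_RE.findall(stmt):
            hits = set(VAR_RE.findall(args)) & (SOURCES | tainted)
            if fn in SINKS and hits:
                flows.append((n, fn, sorted(hits)))
        # Taint propagation along the D-CFG assignment edge rhs -> lhs
        m = ASSIGN_RE.match(stmt)
        if not m:
            continue
        lhs, rhs = m.groups()
        wrapped = re.fullmatch(r"(\w+)\s*\((.*)\)", rhs)
        if wrapped and wrapped.group(1) in SANITIZERS:
            tainted.discard(lhs)                      # sanitized copy is clean
        elif set(VAR_RE.findall(rhs)) & (SOURCES | tainted):
            tainted.add(lhs)                          # taint flows into lhs
        else:
            tainted.discard(lhs)                      # overwritten with trusted data
    return flows
# Constructed sample mixing a direct flow, a sanitized copy, a constant, and a nested call.
SAMPLE = """<?php
$cmd = $_GET['cmd'];
$safe = escapeshellarg($cmd);
$static = 'uptime';
system($cmd);
system($safe);
system($static);
eval(base64_decode($_POST['p']));
"""
if __name__ == "__main__":
    for line, sink, operands in find_flows(SAMPLE):
        print(f"line {line}: {sink}() receives untrusted data via {', '.join(operands)}")
```

On the sample this reports the `system($cmd)` and `eval(...)` lines and stays silent on the sanitized and constant arguments, which is the false-positive behaviour the abstract contrasts with signature matching.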