As https://security.stackexchange.com/a/11935/35886 states, the best protection against code injection is to prevent it, but often you see posts on SO or here that go like:
I found "long line of php/perl, etc code" and want to know what it does.
Then I realized that many of those code injections tend to be very long lines of code (besides being encoded and possibly encrypted) to prevent being too obvious at first glance.
Now I was thinking whether automated scans of any code base for some long lines of code could provide a cheap mechanism to detect code injection blocks in interpreted languages?
A quick search did not reveal any correlation of hits and false positives when scanning for code lines longer than n chars.
I am aware that obfuscated code, but also badly written code, would be detected by such a system, but is there a known usage of such a simple technique in any IDS?
For a general hosting provider this might not be practical (or even legal?) to scan all client files for overly long lines, as it would require manpower or further risk analysis of all hits and a notification system for the end user. But hosters for blogs etc., which can get some injection by malicious themes or any other type, could profit from that. Or am I wrong here?
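
A minimal sketch of the scan the question proposes, added here as an illustration and not part of the original post: it walks a directory and reports every line longer than a threshold in script files. The 500-character threshold, the extension list, the whitespace ratio reported as a triage hint, and the two sample files are assumptions constructed for the example.

```python
import os
import tempfile

# Assumed defaults for this sketch; neither value comes from the post.
MAX_LEN = 500
EXTENSIONS = (".php", ".pl", ".py", ".js")

def long_lines(text, max_len=MAX_LEN):
    """Return (line_number, length, whitespace_ratio) for each line longer than max_len."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if len(line) > max_len:
            spaces = sum(ch.isspace() for ch in line)
            hits.append((number, len(line), round(spaces / len(line), 3)))
    return hits

def scan_tree(root, max_len=MAX_LEN, extensions=EXTENSIONS):
    """Walk root and map each matching file's relative path to its long-line hits."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits = long_lines(handle.read(), max_len)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Build a constructed two-file theme directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "index.php": "<?php\necho 'hello';\n",
            # Constructed stand-in for an encoded one-line blob; it is inert filler.
            "footer.php": "<?php\n$x = '" + "QUJD" * 300 + "';\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as handle:
                handle.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

A near-zero whitespace ratio on a flagged line is typical of encoded blobs and minified assets alike, so hits still need review or an allowlist for known minified files.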