How to Perform Static Code Analysis in PHP

How can I perform static code analysis in PHP?

Run php in lint mode from the command line to validate syntax without execution:

php -l FILENAME

Higher-level static analyzers include:

  • php-sat - Requires http://strategoxt.org/
  • PHP_Depend
  • PHP_CodeSniffer
  • PHP Mess Detector
  • PHPStan
  • PHP-CS-Fixer
  • phan

Lower-level analyzers include:

  • PHP_Parser
  • token_get_all (primitive function)

Runtime analyzers, which are more useful for some things due to PHP's dynamic nature, include:

  • Xdebug has code coverage and function traces.
  • My PHP Tracer Tool uses a combined static/dynamic approach, building on Xdebug's function traces.

The documentation libraries phpdoc and Doxygen perform a kind of code analysis. Doxygen, for example, can be configured to render nice inheritance graphs with Graphviz.

Another option is xhprof, which is similar to Xdebug, but lighter, making it suitable for production servers. The tool includes a PHP-based interface.

Writing static code analysis tools

I suggest looking at the RIPS Scanner project and review its source code for ideas. It performs exactly the functions you wish to do.

Understanding php static code analysis results

Here are some more sources / links about the metrics , results and info in an old but similar question. If you want more info about mistakes and code smells I would recommand you look intro: PHP_CodeSniffer and PHP_Depend

PHP static code analysis tool, which detects uncaught exceptions?

PHPLint seems to be the answer. For example, it parses

<?php

function some()
{
    if (time() == 123) {
        throw new Exception("I can't happen");
    }
}

some();

, which will never throw an exception (unless you're in the past), into:

BEGIN parsing of test-cSdHoW
1:      <?php
2:      
3:      function some()
4:      {
5:       if (time() == 123) {
6:        throw new Exception("I can't happen");

          throw new Exception("I can't happen");
                                                \_ HERE
==== 6: notice: here generating exception(s) Exception

          throw new Exception("I can't happen");
                                                \_ HERE
==== 6: ERROR: exception(s) must be caught or declared to be thrown: Exception
7:       }
8:      }
9:      
10:     some();
==== 3: notice: guessed signature of the function `some()' as void()

        some();
             \_ HERE
==== 10: notice: here generating exception(s) Exception

        some();
             \_ HERE
==== 10: Warning: uncaught exception(s): Exception
END parsing of test-cSdHoW
==== ?: notice: unused package `dummy.php'
==== ?: notice: required module `standard'
Overall test results: 1 errors, 1 warnings.

So that's exactly what I was asking for :) Adding a docblock and catching the exception results in no more errors or warnings from PHPLint.


Related Topics

How to Extend a Class Using More Than 1 Class in PHP

Selecting a CSS Class With Xpath

How to Send a Get Request from PHP

Storing Files in Database VS File System

Ajax and PHP to Enter Multiple Forms Input to Database

Delete Directory With Files in It

How to Extend Access Token Validity Since Offline_Access Deprecation

Best Way to Parse Rss/Atom Feeds With PHP

Refresh a Page Using PHP

Generate Json String from Multidimensional Array Data

MySQLi Prepared Statements Error Reporting

Get Value from Simplexmlelement Object

PHP - Get Bool to Echo False When False

How to Delete a Line from the File With PHP

Setting Up a Deployment/Build/Ci Cycle For PHP Projects

Fixing Broken Utf-8 Encoding

How to Post Json to PHP With Curl

How to Create an Array from a CSV File Using PHP and the Fgetcsv Function


Leave a reply



Submit