How can I perform static code analysis in PHP

Question

Is there a static analysis tool for PHP source files  The binary itself can check for syntax errors  but I m looking for something that does more  like   unused variable assignments arrays that are assigned into without being initialized first and possibly code style warnings

User · Answer

There a new tool called nWire for PHP  It is a code exploration plugin for Eclipse PDT and Zend Studio 7 x  It enables real-time code analysis for PHP and provides the following tools   Code visualization - interactive graphical representation of components and associations  Code navigation - unique navigation view shows all the associations and works with you while you write or read code  Quick search - search as you type for methods  fields  file  etc

User · Answer

Online PHP lint  PHPLint  Unitialized variables check  Link 1 and 2 already seem to do this just fine  though   I can t say I have used any of these intensively  though

User · Answer

Run php in lint mode from the command line to validate syntax without execution  php -l FILENAME Higher-level static analyzers include   php-sat - Requires http   strategoxt org  PHP Depend PHP CodeSniffer PHP Mess Detector PHPStan PHP-CS-Fixer phan  Lower-level analyzers include   PHP Parser token get all  primitive function   Runtime analyzers  which are more useful for some things due to PHP s dynamic nature  include   Xdebug has code coverage and function traces  My PHP Tracer Tool uses a combined static dynamic approach  building on Xdebug s function traces   The documentation libraries phpdoc and Doxygen perform a kind of code analysis  Doxygen  for example  can be configured to render nice inheritance graphs with Graphviz  Another option is xhprof  which is similar to Xdebug  but lighter  making it suitable for production servers  The tool includes a PHP-based interface

User · Answer

See Semantic Designs  CloneDR  a  quot clone detection quot  tool that finds copy paste edited code  It will find exact and near miss code fragments  in spite of white space  comments and even variable renamings  A sample detection report for PHP can be found at the website   I m the author

User · Answer

Online PHP lint  PHPLint  Unitialized variables check  Link 1 and 2 already seem to do this just fine  though   I can t say I have used any of these intensively  though

User · Answer

For completeness -- also check phpCallGraph

User · Answer

You may want to try compiling with Facebook s HipHop  It does a static analysis on the entire project and may be what you re looking for  GitHub page

User · Answer

PHP PMD  Programming Mistake Detector  and PHP CPD  Copy Paste Detector  as the former part of PHPUnit

User · Answer

Run php in lint mode from the command line to validate syntax without execution  php -l FILENAME Higher-level static analyzers include   php-sat - Requires http   strategoxt org  PHP Depend PHP CodeSniffer PHP Mess Detector PHPStan PHP-CS-Fixer phan  Lower-level analyzers include   PHP Parser token get all  primitive function   Runtime analyzers  which are more useful for some things due to PHP s dynamic nature  include   Xdebug has code coverage and function traces  My PHP Tracer Tool uses a combined static dynamic approach  building on Xdebug s function traces   The documentation libraries phpdoc and Doxygen perform a kind of code analysis  Doxygen  for example  can be configured to render nice inheritance graphs with Graphviz  Another option is xhprof  which is similar to Xdebug  but lighter  making it suitable for production servers  The tool includes a PHP-based interface

User · Answer

There is a tool for static code analysis called PHP Analyzer  PHP Analyzer is now a deprecated project  but you still can access it on the legacy branch  Among many types of static analysis it also provides basic auto-fixing functionality  see the documentation

User · Answer

The NetBeans IDE checks for syntax errors  unusued variables and such  It s not automated  but works fine for small or medium projects

User · Answer

PHP Mess Detector is awesome and fast

User · Answer

I have tried using php -l and a couple of other tools  However  the best one in my experience  your mileage may vary  of course  is scheck of pfff toolset  I heard about pfff on Quora  Is there a good PHP lint   static analysis tool    You can compile and install it  There are no nice packages  on my Linux Mint Debian system  I had to install the libpcre3-dev  ocaml  libcairo-dev  libgtk-3-dev and libgimp2 0-dev dependencies first  but it should be worth an install  The results are reported like     sw pfff scheck   code github sc  login-now php 7 4  CHECK  Unused Local variable  title go-automatic php 14 77  CHECK  Use of undeclared variable  goUrl

User · Answer

Run php in lint mode from the command line to validate syntax without execution  php -l FILENAME Higher-level static analyzers include   php-sat - Requires http   strategoxt org  PHP Depend PHP CodeSniffer PHP Mess Detector PHPStan PHP-CS-Fixer phan  Lower-level analyzers include   PHP Parser token get all  primitive function   Runtime analyzers  which are more useful for some things due to PHP s dynamic nature  include   Xdebug has code coverage and function traces  My PHP Tracer Tool uses a combined static dynamic approach  building on Xdebug s function traces   The documentation libraries phpdoc and Doxygen perform a kind of code analysis  Doxygen  for example  can be configured to render nice inheritance graphs with Graphviz  Another option is xhprof  which is similar to Xdebug  but lighter  making it suitable for production servers  The tool includes a PHP-based interface

User · Answer

Run php in lint mode from the command line to validate syntax without execution  php -l FILENAME Higher-level static analyzers include   php-sat - Requires http   strategoxt org  PHP Depend PHP CodeSniffer PHP Mess Detector PHPStan PHP-CS-Fixer phan  Lower-level analyzers include   PHP Parser token get all  primitive function   Runtime analyzers  which are more useful for some things due to PHP s dynamic nature  include   Xdebug has code coverage and function traces  My PHP Tracer Tool uses a combined static dynamic approach  building on Xdebug s function traces   The documentation libraries phpdoc and Doxygen perform a kind of code analysis  Doxygen  for example  can be configured to render nice inheritance graphs with Graphviz  Another option is xhprof  which is similar to Xdebug  but lighter  making it suitable for production servers  The tool includes a PHP-based interface

User · Answer

For completeness -- also check phpCallGraph

User · Answer

There a new tool called nWire for PHP  It is a code exploration plugin for Eclipse PDT and Zend Studio 7 x  It enables real-time code analysis for PHP and provides the following tools   Code visualization - interactive graphical representation of components and associations  Code navigation - unique navigation view shows all the associations and works with you while you write or read code  Quick search - search as you type for methods  fields  file  etc

User · Answer

There is RIPS - A static source code analyser for vulnerabilities in PHP scripts  The source code of RIPS is available at SourceForge  From the RIPS site   RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis  By tokenizing and parsing all source code files RIPS is able to transform PHP source code into a program model and to detect sensitive sinks  potentially vulnerable functions  that can be tainted by userinput  influenced by a malicious user  during the program flow  Besides the structured output of found vulnerabilities RIPS also offers an integrated code audit framework for further manual analysis

User · Answer

There is a tool for static code analysis called PHP Analyzer  PHP Analyzer is now a deprecated project  but you still can access it on the legacy branch  Among many types of static analysis it also provides basic auto-fixing functionality  see the documentation

User · Answer

For completeness -- also check phpCallGraph

User · Answer

PHP Mess Detector is awesome and fast

User · Answer

The NetBeans IDE checks for syntax errors  unusued variables and such  It s not automated  but works fine for small or medium projects

User · Answer

There is RIPS - A static source code analyser for vulnerabilities in PHP scripts  The source code of RIPS is available at SourceForge  From the RIPS site   RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis  By tokenizing and parsing all source code files RIPS is able to transform PHP source code into a program model and to detect sensitive sinks  potentially vulnerable functions  that can be tainted by userinput  influenced by a malicious user  during the program flow  Besides the structured output of found vulnerabilities RIPS also offers an integrated code audit framework for further manual analysis

User · Answer

For completeness -- also check phpCallGraph

User · Answer

PHP PMD  Programming Mistake Detector  and PHP CPD  Copy Paste Detector  as the former part of PHPUnit

User · Answer

I have tried using php -l and a couple of other tools  However  the best one in my experience  your mileage may vary  of course  is scheck of pfff toolset  I heard about pfff on Quora  Is there a good PHP lint   static analysis tool    You can compile and install it  There are no nice packages  on my Linux Mint Debian system  I had to install the libpcre3-dev  ocaml  libcairo-dev  libgtk-3-dev and libgimp2 0-dev dependencies first  but it should be worth an install  The results are reported like     sw pfff scheck   code github sc  login-now php 7 4  CHECK  Unused Local variable  title go-automatic php 14 77  CHECK  Use of undeclared variable  goUrl

User · Answer

Online PHP lint  PHPLint  Unitialized variables check  Link 1 and 2 already seem to do this just fine  though   I can t say I have used any of these intensively  though

User · Answer

Online PHP lint  PHPLint  Unitialized variables check  Link 1 and 2 already seem to do this just fine  though   I can t say I have used any of these intensively  though

User · Answer

You may want to try compiling with Facebook s HipHop  It does a static analysis on the entire project and may be what you re looking for  GitHub page

User · Answer

See Semantic Designs  CloneDR  a  quot clone detection quot  tool that finds copy paste edited code  It will find exact and near miss code fragments  in spite of white space  comments and even variable renamings  A sample detection report for PHP can be found at the website   I m the author

[php] How can I perform static code analysis in PHP?

Examples related to php

Examples related to code-analysis

Examples related to static-analysis