Static analysis tools check PHP code without running it. Fully automated, they bring expertise to code review, enforce good practices while programming, and keep code ready for the next PHP version. PHP 7 has greatly expanded our capacity to audit code: thanks to the AST and return types, it is possible to go deeper and prevent more bugs. During this session, we'll review the current state of static analysis tools, learn what they can find for us, and how to integrate them in the development cycle: security bugs, migration incompatibilities, and directive recommendations. Simply said, better PHP coding.
8. Switch statements may only contain one default clause
   <?php
   switch($x) {
       case '1' :
           break;
       default :
           break;
       default :   // second default clause: a compile-time fatal error since PHP 7.0
           break;
       case '2' :
           break;
   }
9. Switch statements may only contain one default clause
   <?php
   // switch compares labels with ==, so 1, '1', true and 1.0 are all loosely
   // equal and overlap each other; 0+1 and $y must be evaluated to tell.
   switch($x) {
       case 1 :
           break;
       case 0+1 :
           break;
       case '1' :
           break;
       case true :
           break;
       case 1.0 :
           break;
       case $y :
           break;
   }
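The two slides above show what an analyzer has to detect: a second `default` clause, and case labels that switch's `==` comparison makes interchangeable. As an added example that is not code from the slides or from any of the tools they list, here is a small checker built on PHP's own `token_get_all()`. The function names `checkSwitches` and `scalarFromCaseTokens` are mine; it assumes PHP 7.0 or later, brace-style `switch (...) { ... }` whose condition contains no braces, and compares only labels that are a single scalar literal, listing any other label expression as unchecked.

```php
<?php
// Added example, not code from the slides or from any tool they list: a small
// token-based checker for the two switch problems shown above. It reports a
// switch with more than one `default` (a compile error since PHP 7.0) and case
// labels loosely equal to an earlier label (switch compares with ==).
// Assumptions: PHP >= 7.0, brace-style `switch (...) { ... }` whose condition
// holds no braces, only lone scalar literals compared, other labels listed as unchecked.

function scalarFromCaseTokens(array $toks): array
{
    // [true, value] for a lone scalar literal, [false, null] otherwise
    if (count($toks) !== 1 || !is_array($toks[0])) {
        return [false, null];
    }
    list($id, $text) = $toks[0];
    switch ($id) {
        case T_LNUMBER:
            return [true, intval(str_replace('_', '', $text), 0)];   // base 0: 0x.. and 0.. prefixes
        case T_DNUMBER:
            return [true, (float) str_replace('_', '', $text)];
        case T_CONSTANT_ENCAPSED_STRING:
            return [true, substr($text, 1, -1)];                     // quotes stripped, escapes kept
        case T_STRING:
            $consts = ['true' => true, 'false' => false, 'null' => null];
            $lc = strtolower($text);
            return array_key_exists($lc, $consts) ? [true, $consts[$lc]] : [false, null];
    }
    return [false, null];
}

function checkSwitches(string $code): array
{
    $issues = [];
    $stack = [];        // open switches: depth, line, defaults, labels => [[value, line, source], ...]
    $depth = 0;         // brace nesting; a `{` opened inside a string counts too
    $pending = false;   // saw `switch`, waiting for its `{`
    $switchLine = 0;
    $caseBuf = null;    // tokens of the label being collected, or null
    $caseLine = 0;

    foreach (token_get_all($code) as $tok) {
        $id = is_array($tok) ? $tok[0] : null;
        $text = is_array($tok) ? $tok[1] : $tok;
        if (in_array($id, [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_OPEN_TAG], true)) {
            continue;
        }
        if ($caseBuf !== null) {                 // inside `case <expr>:`
            if ($text !== ':' && $text !== ';') {
                $caseBuf[] = $tok;
                continue;
            }
            $top = count($stack) - 1;
            $source = implode('', array_map(function ($t) { return is_array($t) ? $t[1] : $t; }, $caseBuf));
            list($isScalar, $value) = scalarFromCaseTokens($caseBuf);
            if (!$isScalar) {
                $issues[] = sprintf('line %d: case %s is an expression, not compared', $caseLine, $source);
            } else {
                foreach ($stack[$top]['labels'] as $prev) {
                    if ($prev[0] == $value) {    // deliberately loose: this is what switch does
                        $issues[] = sprintf('line %d: case %s overlaps case %s on line %d (== comparison)',
                            $caseLine, $source, $prev[2], $prev[1]);
                        break;
                    }
                }
                $stack[$top]['labels'][] = [$value, $caseLine, $source];
            }
            $caseBuf = null;
        } elseif ($id === T_SWITCH) {
            $pending = true;
            $switchLine = $tok[2];
        } elseif ($text === '{' || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
            $depth++;
            if ($pending) {
                $stack[] = ['depth' => $depth, 'line' => $switchLine, 'defaults' => 0, 'labels' => []];
                $pending = false;
            }
        } elseif ($text === '}') {
            if ($stack && end($stack)['depth'] === $depth) {
                $sw = array_pop($stack);
                if ($sw['defaults'] > 1) {
                    $issues[] = sprintf('line %d: switch has %d default clauses (fatal error since PHP 7.0)',
                        $sw['line'], $sw['defaults']);
                }
            }
            $depth--;
        } elseif ($stack && $id === T_DEFAULT) {
            $stack[count($stack) - 1]['defaults']++;
        } elseif ($stack && $id === T_CASE) {
            $caseBuf = [];
            $caseLine = $tok[2];
        }
    }
    return $issues;
}

// Constructed input: the two switches from the slides, one after the other.
$sample = <<<'PHP'
<?php
switch ($x) {
    case '1': break;
    default: break;
    default: break;
    case '2': break;
}
switch ($x) {
    case 1: break;
    case 0+1: break;
    case '1': break;
    case true: break;
    case 1.0: break;
    case $y: break;
}
PHP;

foreach (checkSwitches($sample) as $issue) {
    echo $issue, "\n";
}
```

Run on the sample, it reports the two default clauses of the first switch, and for the second switch it flags '1', true and 1.0 as overlapping `case 1` while listing 0+1 and $y as expressions it did not compare. The labels are reported as overlapping rather than dead on purpose: `==` is not transitive (an input of 'abc' skips `case 1` but is caught by `case true`), so a real analyzer treats these as suspicious duplicates to review, not as provably unreachable code.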
16. PHP as a database
Source code is a highly organized dataset
We need a way to query it
There are over 84 static analysis tools for PHP
https://github.com/exakat/php-static-analysis-tools
17. Harnessing legacy code
Get a legacy code base to maintain
Assess the code and clean it
Set up a dev team
Update systems
19. Find Bugs
Find bugs
PHP, logical, frameworks
Create a new coding reference
Choose a rule, fix the issues, clean around, repeat
20. Lists of issues
 ------ ---------------------------------------------------------------------------------------
  Line   src/Database.php
 ------ ---------------------------------------------------------------------------------------
  33     Return typehint of method Corcel\Database::connect() has invalid type Corcel\Illuminat
  35     Instantiated class Illuminate\Database\Capsule\Manager not found.
  37     Call to method addConnection() on an unknown class Illuminate\Database\Capsule\Manager
  38     Call to method bootEloquent() on an unknown class Illuminate\Database\Capsule\Manager.
  40     Method Corcel\Database::connect() should return Corcel\Illuminate\Database\Capsule\Man
 ----------------------------------------------------------------------------------------------
 ------ ---------------------------------------------------------------------------
  Line   src/Password/PasswordService.php
 ------ ---------------------------------------------------------------------------
  11     Access to an undefined property Corcel\Password\PasswordService::$hasher.
  11     Instantiated class Hautelook\Phpass\PasswordHash not found.
  28     Access to an undefined property Corcel\Password\PasswordService::$hasher.
  58     Access to an undefined property Corcel\Password\PasswordService::$hasher.
 ------ ---------------------------------------------------------------------------
Read such a list with one caveat: the "class not found" and "unknown class" lines mean the analyzer could not autoload Illuminate\Database\Capsule\Manager and Hautelook\Phpass\PasswordHash, so point it at the project's Composer autoloader before treating them as real bugs. The undeclared $hasher property, by contrast, is a genuine finding to fix in the class.
33. php.ini suggestions
[file]
; Unless you need to access remote files, it is safer to forbid this feature.
allow_url_fopen = Off
; Size of the realpath cache used by PHP. The default value of "16k" is usually
; too low for modern applications that open many files (autoload, fopen,
; file_get_contents...). It is recommended to raise this value to 128k or 256k,
; then reduce it after testing with realpath_cache_get().
realpath_cache_size = 128k
; Duration (in seconds) for which realpath information is cached for a given
; file or directory. If the application's code doesn't change often, you may
; set this directive to 3600 (one hour) or even more.
realpath_cache_ttl = 3600
; More information about file settings:
; http://php.net/manual/en/filesystem.configuration.php
[File Upload]
; Maximum size of a single uploaded file. Keep this value as low as possible.
upload_max_filesize = 2M
; Maximum number of files uploaded in a single request.
max_file_uploads = 1
; Directory where PHP stores uploaded files temporarily. It is recommended to
; set this value explicitly and keep it separate from other temporary directories.
upload_tmp_dir = /tmp/php_upload
; Maximum amount of data that PHP will accept in a POST request. It has to be
; higher than or equal to upload_max_filesize. For security reasons, it
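Directive recommendations like the ones above are only useful if something checks the deployed configuration against them. As an added example, not taken from the slides or from any listed tool, here is a PHP script that parses a php.ini fragment, normalizes PHP's shorthand sizes and On/Off spellings, and reports every directive that is missing or weaker than recommended, including the relation stated above (post_max_size must be at least upload_max_filesize). The function names `iniBytes`, `iniOn` and `checkIni` are mine, the two fragments are constructed, and the post_max_size value in the recommended fragment is my own choice since the slide's value is cut off.

```php
<?php
// Added example, not from the slides: checks a php.ini fragment against the
// directive recommendations above. Shorthand sizes (2M, 128k) and On/Off flags
// are normalized the way PHP reads them, and the relation the slide states,
// post_max_size >= upload_max_filesize, is verified. Assumes PHP >= 7.0.

function iniBytes(string $v): int
{
    $v = trim($v);
    $n = (int) $v;                          // leading digits, as PHP's own parser does
    switch (strtolower(substr($v, -1))) {   // optional trailing K, M or G; cases fall through
        case 'g': $n *= 1024;
        case 'm': $n *= 1024;
        case 'k': $n *= 1024;
    }
    return $n;
}

function iniOn(string $v): bool
{
    // the spellings PHP accepts for an enabled boolean directive
    return in_array(strtolower(trim($v)), ['1', 'on', 'yes', 'true'], true);
}

function checkIni(string $iniText): array
{
    $ini = parse_ini_string($iniText, false, INI_SCANNER_RAW);   // raw: keep "Off", "2M" as written
    if ($ini === false) {
        return ['the php.ini fragment could not be parsed'];
    }
    $issues = [];
    if (!isset($ini['allow_url_fopen']) || iniOn($ini['allow_url_fopen'])) {
        $issues[] = 'allow_url_fopen is not Off: fopen()/file_get_contents() will fetch remote URLs';
    }
    if (!isset($ini['realpath_cache_size']) || iniBytes($ini['realpath_cache_size']) < 128 * 1024) {
        $issues[] = 'realpath_cache_size not set or below 128k';
    }
    if (!isset($ini['realpath_cache_ttl']) || (int) $ini['realpath_cache_ttl'] < 3600) {
        $issues[] = 'realpath_cache_ttl not set or below 3600';
    }
    $upload = isset($ini['upload_max_filesize']) ? iniBytes($ini['upload_max_filesize']) : null;
    if ($upload === null || $upload > 2 * 1024 * 1024) {
        $issues[] = 'upload_max_filesize not set or above 2M';
    }
    if (!isset($ini['max_file_uploads']) || (int) $ini['max_file_uploads'] > 1) {
        $issues[] = 'max_file_uploads not set or above 1';
    }
    if (empty($ini['upload_tmp_dir'])) {
        $issues[] = 'upload_tmp_dir not set: uploads land in the shared system temp directory';
    }
    if ($upload !== null && isset($ini['post_max_size']) && iniBytes($ini['post_max_size']) < $upload) {
        $issues[] = 'post_max_size is smaller than upload_max_filesize: uploads of that size can never succeed';
    }
    return $issues;
}

// Constructed fragments: a weak configuration, then the recommended one from
// the slide (post_max_size value chosen here, the slide's is cut off).
$weak = <<<'INI'
allow_url_fopen = On
realpath_cache_size = 16k
upload_max_filesize = 64M
post_max_size = 8M
INI;

$recommended = <<<'INI'
[file]
allow_url_fopen = Off
realpath_cache_size = 128k
realpath_cache_ttl = 3600
[File Upload]
upload_max_filesize = 2M
max_file_uploads = 1
upload_tmp_dir = /tmp/php_upload
post_max_size = 2M
INI;

foreach (['weak' => $weak, 'recommended' => $recommended] as $name => $text) {
    $issues = checkIni($text);
    echo $name, ":\n", $issues ? '  ' . implode("\n  ", $issues) . "\n" : "  no issues\n";
}
```

The weak fragment yields seven findings (remote fopen enabled, an undersized realpath cache, the missing ttl, upload directory and file count, a 64M upload limit, and a post_max_size that can never carry such an upload), while the recommended one passes clean. Feeding it the output of `php --ini` paths, or a `php -i` dump converted to key = value lines, turns the slide's advice into a check you can run in CI.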
35. Help your own users
Beyond documentation
Automate code review
Help users learn, promote best practices
Drive your users directly where it is important
37. Enrich your code today
Capitalize on a lot of experience
Provides someone else's point of view
Without anyone judging
Prepare for the future
Code fixing as relaxation
38. Tools used as illustration
https://github.com/exakat/php-static-analysis-tools
Exakat
Larashift
PHP Inspection
PHP Metrics
PHPStan