algo13/php-nag

php-nag

A static analysis tool for PHP source code, written in PHP.

Runs on PHP >= 5.5.
Parses PHP 5.2 to PHP 7.1.
(Depends on PHP-Parser version 3.)

Getting Started

Download phar

Usage

php -d "memory_limit=512M" phpnag.phar file.php

Windows:

> php phpnag.phar src | findstr /V "ORDER DEFAULT_NOTHING"

Linux:

$ php phpnag.phar src | grep -Ev 'ORDER|DEFAULT_NOTHING'

Summary

  • Property/MULTIPLE

    class C
    {
        public $a, $b;
    }
  • ClassConst/MULTIPLE

    class C
    {
        const A = 1, B = 2;
    }
  • For/COND_MULTIPLE

    for (;$a < 2, $b < 3;) {}
  • ErrorSuppress 🔰

    @file('test.txt');
  • AssignRef/NEW 💣

    $instance =& new Class();
  • Catch/EMPTY 🔰

    try {
        func();
    } catch (Error $e) {
        // empty.
    }
  • Goto 🔰

  • Variable/VARIABLE_VARIABLES 🔰

    $$value;
  • Variable/DEPRECATED_GLOBALS 💣

  • ArrayDimFetch/Const 💨

    $value[key];
  • Equal/WEAK_COMP_NUM

    $value = '1abc';
    if ($value == 1) {};
  • Equal/WEAK_COMP_FUNC

    if (strpos($value, 'startswith') == 0) {};
  • BinaryOp/LOGICAL_OPERATOR 🔰

    if ($val1 and $val2) {};
  • FuncCall/NON_BEGINNER_FUNC 🔰

  • FuncCall/NON_OCT[chmod]

    chmod($filename, 755);
  • FuncCall/DEFINE_CONST

    define(STRING, 'value');
  • FuncCall/DEFINED_CONST

    defined(STRING);
  • FuncCall/DEPRECATED_FUNC_PARAM[setlocale/$category] 💣

    setlocale('STRING', 0);
  • FuncCall/DEPRECATED_INI_GET[$directive] 🔰

  • FuncCall/DEPRECATED_INI_SET[$directive] 💣

  • FuncCall/DEPRECATED_FUNC_PARAM[PREG_REPLACE_EVAL] 💣

    preg_replace('/pattern/e', 'value', $string);
  • FuncCall/DEPRECATED_FUNC_PARAM_NUM[array_push] 💨

    array_push($array, 'value');
  • FuncCall/WEAK_COMP_FUNC_PARAM[in_array]

    The third argument is not set.

  • FuncCall/WEAK_COMP_FUNC_PARAM[array_search]

    The third argument is not set.

  • FuncCall/DEPRECATED_FUNC_PARAM_NUM[htmlentities or htmlspecialchars] 😈

    The $flags argument is not set.

  • FuncCall/DEPRECATED_FUNC_PARAM_ENC[htmlentities or htmlspecialchars]

    The $encoding argument is not set.

  • FuncCall/RECOMMEND_FUNC_PARAM[htmlentities or htmlspecialchars]

    It is recommended that you use the ENT_QUOTES flag.

  • FuncCall/DEPRECATED_FUNC_PARAM[htmlentities or htmlspecialchars] 😈

    Deprecated flag (ENT_COMPAT, ENT_NOQUOTES, ENT_IGNORE)

  • FuncCall/DEPRECATED_API[$funcName] 💣

  • List/ASSIGN_ORDER 💣

    list($a[], $a[]);
  • List/EMPTY 💣

    list(,);
  • Print/USER_INPUT[$_GET or $_POST ...] 😈

  • Echo/USER_INPUT[$_GET or $_POST ...] 😈

  • ClassLike/PHP4CONSTRUCT 💣

  • ClassLike/MIXED_ORDER[Method/Property]

    class Example {
        public $member1;
        public function func1(){};
        public $member2;
        public function func2(){};
    }
  • ClassLike/VISIBILITY_MIXED_ORDER

  • ClassLike/VISIBILITY_ORDER

    public, protected, private

  • Unset/Superglobals 💥

    unset($_SESSION);
  • Switch/FALL_THROUGH

    switch ($string) {
    case 'one':
        $value = 'string';
        //break; <= fall through
    case 'two':
        $value = 'string string';
        break;
    }
  • Switch/CONTINUE_BREAK

  • Switch/DEFAULT_NOTHING

  • Switch/DEFAULT_MULTIPLE 💣

  • Switch/DEFAULT_NON_TAIL 🔰

  • FunctionLike/DUPLICATE_FUNC_PARAM 💣

    function func($a, $a) {}
  • Cond/BITWISE_OPERATOR 🔰

    if ($a & $b) {}
  • Cond/ASSIGN_IF (for, while ...)

    if ($a = func()) {}
  • Cond/WEAK_COMP_IF (for, while ...)
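
Several rules in the list above have no sample, so here is the flagged form beside a stricter form for the loose-comparison, output-escaping and chmod rules. This is an added example, not code from php-nag; the function names (`roleAllowedLoose`, `roleAllowedStrict`, `startsWithLoose`, `startsWithStrict`, `h`) and all sample values are constructed for illustration.

```php
<?php
// Added example, not code from php-nag. All sample values are constructed.

// FuncCall/WEAK_COMP_FUNC_PARAM[in_array]: without the third argument the
// elements are compared with ==, so boolean true matches any non-empty string.
function roleAllowedLoose($role, array $roles)  { return in_array($role, $roles); }
function roleAllowedStrict($role, array $roles) { return in_array($role, $roles, true); }

// Equal/WEAK_COMP_FUNC: strpos() returns false when the needle is absent and
// false == 0 holds, so only === 0 means "found at offset 0".
function startsWithLoose($s, $prefix)  { return strpos($s, $prefix) == 0; }
function startsWithStrict($s, $prefix) { return strpos($s, $prefix) === 0; }

// Echo/USER_INPUT and the htmlentities/htmlspecialchars rules: set $flags and
// $encoding explicitly (their defaults differ between PHP releases) and use
// ENT_QUOTES so single quotes are encoded along with double quotes.
function h($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

// Constructed request body standing in for $_GET / $_POST data.
$roles   = array('admin', 'editor');
$request = json_decode('{"role": true, "q": "Tom\'s <b>note</b>"}', true);

// A JSON boolean passes the loose allow-list check but not the strict one.
var_dump(roleAllowedLoose($request['role'], $roles));
var_dump(roleAllowedStrict($request['role'], $roles));

// The path does not contain '/tmp/' at all; the loose test still accepts it.
var_dump(startsWithLoose('/var/www/upload', '/tmp/'));
var_dump(startsWithStrict('/var/www/upload', '/tmp/'));

// Escaped output: angle brackets and the single quote are all encoded.
echo h($request['q']), "\n";

// FuncCall/NON_OCT[chmod]: 755 without a leading 0 is a decimal literal,
// so the mode bits actually passed differ from the intended rwxr-xr-x.
printf("chmod(\$f, 755) passes mode %s, chmod(\$f, 0755) passes mode %s\n",
    decoct(755), decoct(0755));
```

The script touches no files and reads no request data, so it can be run directly with the `php` CLI.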
