Skip to content

Implement applicable insight PHP checks #2

Open
Open
Implement applicable insight PHP checks#2
@stefk

Description

@stefk
stefk
opened on Jun 24, 2016

Those checks:

  • are a subset of insight checks, limited to single PHP files analysis
  • may not always be applicable (eg exit is valid in a CLI script, not elsewhere)
  • may imply not 100% reliable guessing techniques (eg query binding vs concat, flush loops, etc.)

A config mechanism and/or the ability to enable/disable particular checks (e.g. via annotations) is required before using the full ruleset.

Critical

Security

  • Database queries should use parameter binding
  • PHP debug statements found
  • eval() should never be used

Major

Bugrisk

  • Logical operators should be avoided
  • Missing use statement should be avoided
  • Static method should not contain $this reference
  • exit() and die() functions should be avoided
  • POSIX regex functions should never be used
  • Absolute path constants DIR and FILE should not be used
  • PHP response functions should not be used
  • PHP session functions should not be used
  • PHP super globals should never be used

Performance

  • The EntityManager should not be flushed within a loop
  • sleep() should not be used

Architecture

  • Global variable or function should never be used
  • Public methods in controller classes should only be actions
  • Controllers should contain a small set of actions
  • Print statements found
  • PHP database functions should not be used

Readability

  • Symfony controller action method should not be too long

Minor

Bugrisk

  • No absolute path should be hard-coded
  • Object parameters should be type hinted
  • Error silenced by the at sign (@)
  • Boolean should be compared strictly
  • Avoid using deprecated PHP functions

Performance

  • Usage of a function in loops should be avoided
  • The boot method in a bundle should be empty

Architecture

  • Code should not be duplicated
  • The Symfony Dependency Injection Container should not be passed as an argument
  • The Doctrine Entity Manager should not be passed as an argument
  • Include statements should not be used
  • Source code should not contain TODO comments
  • Source code should not contain XXX comments

Deadcode

  • Commented code should not be committed
  • PHP code should not contain unreachable code
  • Unused method, property, variable or parameter
  • Unused use statement should be avoided

Readability

  • PHP classes should be short
  • PHP methods should not contain too much logic

Info

Bugrisk

  • PHP short tags should not be used

Codestyle

  • Class should be unique per PHP file
  • Interfaces names should end with "Interface"

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions