PHP is dynamically typed language and that means the error detection present in statically typed languages is absent. If you have an error in your script, it will not be detected till you have actually run it(apart from parse errors). The big, shine in your eyes errors are never a problem because they are detected quite easily during development. It is the silent types (doing X when you meant Y and X is a perfectly legit operation) that are more difficult.
Like, I will show you a piece of code I had re-factored a while back
Here loginId was changed to subjectId in parameter list but I forgot to change the name of parameter I was passing to MySQL. This used to result in a notice that was going to logs but no sign of program failure outside. That led me to say, enough is enough and I need to have a good static analysis tool for my PHP code.
There are many posts dedicated to the topic of PHP static analysis, sort of things that lint does for c code. The aim is to catch errors from just scanning the PHP code. When I started looking around, everyone talked about their favorite static analysis tool but no one gave me hard data or how it actually looks on your terminal.
I looked at following tools
After a quick evaluation I (emphasized) found phpmd to be the best of the lot. Why?
One more tool worth checking should be https://github.com/sebastianbergmann/php-code-coverage
However I did not look at this one.
Like, I will show you a piece of code I had re-factored a while back
static function find($subjectId,$objectId,$verb) {
$mysqli = MySQL\Connection::getInstance()->getHandle();
//sanitize input
settype($subjectId,"integer");
settype($objectId,"integer");
settype($verb,"integer");
$sql = " select count(id) as count from sc_bookmark " ;
$sql .= " where subject_id = %d and object_id = %d and verb = %d ";
$sql = sprintf($sql,$loginId,$itemId,$verb);
$row = MySQL\Helper::fetchRow($mysqli, $sql);
return $row;
}
Here loginId was changed to subjectId in parameter list but I forgot to change the name of parameter I was passing to MySQL. This used to result in a notice that was going to logs but no sign of program failure outside. That led me to say, enough is enough and I need to have a good static analysis tool for my PHP code.
There are many posts dedicated to the topic of PHP static analysis, sort of things that lint does for c code. The aim is to catch errors from just scanning the PHP code. When I started looking around, everyone talked about their favorite static analysis tool but no one gave me hard data or how it actually looks on your terminal.
I looked at following tools
- PHP code sniffer (phpcs)
- PHP on command line with minus eel option (-l)
- PHP mess detector (phpmd)
- pfff/scheck
After a quick evaluation I (emphasized) found phpmd to be the best of the lot. Why?
One more tool worth checking should be https://github.com/sebastianbergmann/php-code-coverage
However I did not look at this one.
PHP code sniffer
phpcs looked too verbose out of the box. For 20 line perfectly legit code it generates 20 errors, most of that to do with style guidelines. Look at the output, I believe real error will be buried under tons of such warnings. Sure, I did not look at how to tweak it and all but I believe most of the time first impressions are confined to out of box experience. Also, it could not detect the error I had. (error inside a class method)
FILE: /home/rjha/code/github/sc/lib/com/indigloo/sc/util/Asset.php
--------------------------------------------------------------------------------
FOUND 16 ERROR(S) AND 1 WARNING(S) AFFECTING 11 LINE(S)
--------------------------------------------------------------------------------
2 | ERROR | Missing file doc comment
4 | ERROR | Missing class doc comment
4 | ERROR | Opening brace of a class must be on the line after the
| | definition
6 | ERROR | Missing function doc comment
6 | ERROR | Opening brace should be on a new line
17 | ERROR | Expected "if (...) {\n"; found "if(...) {\n"
20 | ERROR | No space found after comma in function call
24 | ERROR | Expected "if (...) {\n"; found "if(...) {\n"
28 | WARNING | Line exceeds 85 characters; contains 103 characters
31 | ERROR | Expected "if (...) {\n"; found "if(...) {\n"
31 | ERROR | No space found after comma in function call
33 | ERROR | No space found after comma in function call
33 | ERROR | No space found after comma in function call
36 | ERROR | Expected "if (...) {\n"; found "if(...) {\n"
36 | ERROR | No space found after comma in function call
38 | ERROR | No space found after comma in function call
38 | ERROR | No space found after comma in function call
--------------------------------------------------------------------------------
php -l (minus eel)
looks too limited. It could not detect errors inside class methods.
pfff/scheck
pfff is a project from facebook and it is a suite of tools. There are some interesting ocaml based tools there, like code map generator etc. scheck is the tool to do static checks. However pfff looks to be in alpha stage right now.
php mess detector
This could detect the problem inside a class method. Also, the tool is quick and you can decide on the kind of rules you would like to run.
rjha@mint ~/code/github/sc $ phpmd lib/com/indigloo/sc/util/Asset.php text codesize,design,naming,unusedcode
/home/rjha/code/github/sc/lib/com/indigloo/sc/util/Asset.php:13 Avoid variables with short names like $ts. Configured minimum length is 3.
