How can I perform static code analysis in PHP?

Is there a static analysis tool for PHP source files?

The binary itself can check for syntax errors, but I'm looking for something that does more, like:

• unused variable assignments
• arrays that are assigned into without being initialized first
• and possibly code style warnings
• ...

Run php in lint mode from the command line to validate syntax without execution:

php -l FILENAME

Higher-level static analyzers include:

• php-sat - Requires http://strategoxt.org/
• PHP_Depend
• PHP_CodeSniffer
• PHP Mess Detector
• PHPStan
• PHP-CS-Fixer
• phan

Lower-level analyzers include:

• PHP_Parser
• token_get_all (primitive function)

Runtime analyzers, which are more useful for some things due to PHP's dynamic nature, include:

• Xdebug has code coverage and function traces.
• My PHP Tracer Tool uses a combined static/dynamic approach, building on Xdebug's function traces.

The documentation libraries phpdoc and Doxygen perform a kind of code analysis. Doxygen, for example, can be configured to render nice inheritance graphs with Graphviz.

Another option is xhprof, which is similar to Xdebug, but lighter, making it suitable for production servers. The tool includes a PHP-based interface.

Online PHP lint

PHPLint

Unitialized variables check. Link 1 and 2 already seem to do this just fine, though.

I can't say I have used any of these intensively, though :)

For completeness -- also check phpCallGraph.

PHP Mess Detector is awesome and fast.

I have tried using php -l and a couple of other tools.

However, the best one in my experience (your mileage may vary, of course) is scheck of pfff toolset. I heard about pfff on Quora (Is there a good PHP lint / static analysis tool?).

You can compile and install it. There are no nice packages (on my Linux Mint Debian system, I had to install the libpcre3-dev, ocaml, libcairo-dev, libgtk-3-dev and libgimp2.0-dev dependencies first) but it should be worth an install.

The results are reported like

$ ~/sw/pfff/scheck ~/code/github/sc/
login-now.php:7:4: CHECK: Unused Local variable $title
go-automatic.php:14:77: CHECK: Use of undeclared variable $goUrl.

See Semantic Designs' CloneDR, a "clone detection" tool that finds copy/paste/edited code.

It will find exact and near miss code fragments, in spite of white space, comments and even variable renamings. A sample detection report for PHP can be found at the website. (I'm the author.)

The NetBeans IDE checks for syntax errors, unusued variables and such. It's not automated, but works fine for small or medium projects.

There a new tool called nWire for PHP. It is a code exploration plugin for Eclipse PDT and Zend Studio 7.x. It enables real-time code analysis for PHP and provides the following tools:

• Code visualization - interactive graphical representation of components and associations.
• Code navigation - unique navigation view shows all the associations and works with you while you write or read code.
• Quick search - search as you type for methods, fields, file, etc.

PHP PMD (Programming Mistake Detector) and PHP CPD (Copy/Paste Detector) as the former part of PHPUnit.

There is RIPS - A static source code analyser for vulnerabilities in PHP scripts. The source code of RIPS is available at SourceForge.

From the RIPS site:

> RIPS is a tool written in PHP to find vulnerabilities in PHP > applications using static code analysis. By tokenizing and parsing all > source code files RIPS is able to transform PHP source code into a > program model and to detect sensitive sinks (potentially vulnerable > functions) that can be tainted by userinput (influenced by a malicious > user) during the program flow. Besides the structured output of found > vulnerabilities RIPS also offers an integrated code audit framework > for further manual analysis.

There is a tool for static code analysis called PHP Analyzer. PHP Analyzer is now a deprecated project, but you still can access it on the legacy branch.

Among many types of static analysis it also provides basic auto-fixing functionality, see the documentation.

You may want to try compiling with Facebook's HipHop.

It does a static analysis on the entire project and may be what you're looking for.

GitHub page