SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • ShellShell
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
PHP

PHP static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your PHP code

  • All rules 273
  • Vulnerability42
  • Bug51
  • Security Hotspot34
  • Code Smell146
 
Tags
    Impact
      Clean code attribute
        1. The number of arguments passed to a function should match the number of parameters

           Bug
        2. "goto" statement should not be used

           Code Smell
        3. Non-empty statements should change control flow or have at least one side-effect

           Bug
        4. Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression

           Code Smell
        5. Variables should be initialized before use

           Bug
        6. Server-side requests should not be vulnerable to traversing attacks

           Vulnerability
        7. Unnecessary parentheses should not be used for constructs

           Code Smell
        8. Credentials should not be hard-coded

           Vulnerability
        9. Hard-coded secrets are security-sensitive

           Security Hotspot
        10. Character classes in regular expressions should not contain only one character

           Code Smell
        11. Superfluous curly brace quantifiers should be avoided

           Code Smell
        12. Non-capturing groups without quantifier should not be used

           Code Smell
        13. Regular expressions should have valid delimiters

           Bug
        14. Regular expression quantifiers and character classes should be used concisely

           Code Smell
        15. Constructing arguments of system commands from user input is security-sensitive

           Security Hotspot
        16. WordPress option names should not be misspelled

           Code Smell
        17. Allowing unfiltered HTML content in WordPress is security-sensitive

           Security Hotspot
        18. WordPress options should not be defined at the end of "wp-config.php"

           Code Smell
        19. Allowing unauthenticated database repair in WordPress is security-sensitive

           Security Hotspot
        20. Allowing all external requests from a WordPress server is security-sensitive

           Security Hotspot
        21. Constants should not be redefined

           Code Smell
        22. Disabling automatic updates is security-sensitive

           Security Hotspot
        23. WordPress theme and plugin editors are security-sensitive

           Security Hotspot
        24. Secret keys and salt values should be robust

           Vulnerability
        25. Regular expressions should not contain empty groups

           Code Smell
        26. Replacement strings should reference existing regular expression groups

           Bug
        27. Regular expressions should not contain multiple spaces

           Code Smell
        28. Alternation in regular expressions should not contain empty alternatives

           Bug
        29. Applications should not create session cookies from untrusted input

           Vulnerability
        30. Reflection should not be vulnerable to injection attacks

           Vulnerability
        31. Single-character alternations in regular expressions should be replaced with character classes

           Code Smell
        32. Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string

           Code Smell
        33. Regex lookahead assertions should not be contradictory

           Bug
        34. Back references in regular expressions should only refer to capturing groups that are matched before the reference

           Bug
        35. Regex boundaries should not be used in a way that can never be matched

           Bug
        36. Regex patterns following a possessive quantifier should not always fail

           Bug
        37. Framework-provided functions should be used to test exceptions

           Code Smell
        38. Assertions should not be made at the end of blocks expecting an exception

           Bug
        39. Class of caught exception should be defined

           Bug
        40. Test methods should be discoverable

           Code Smell
        41. OS commands should not be vulnerable to argument injection attacks

           Vulnerability
        42. A new session should be created during user authentication

           Vulnerability
        43. Character classes in regular expressions should not contain the same character twice

           Code Smell
        44. Unicode Grapheme Clusters should be avoided inside regex character classes

           Bug
        45. Unicode-aware versions of character classes should be preferred

           Code Smell
        46. Assertions should not compare an object to itself

           Bug
        47. Character classes should be preferred over reluctant quantifiers in regular expressions

           Code Smell
        48. Regular expressions should be syntactically valid

           Bug
        49. Regex alternatives should not be redundant

           Bug
        50. Alternatives in regular expressions should be grouped when used with anchors

           Bug
        51. Regular expressions should not be too complicated

           Code Smell
        52. Repeated patterns in regular expressions should not match the empty string

           Bug
        53. Authorizations should be based on strong decisions

           Vulnerability
        54. Constants should not be used as conditions

           Code Smell
        55. PHPUnit assertTrue/assertFalse should be simplified to the corresponding dedicated assertion

           Code Smell
        56. Only one method invocation is expected when testing exceptions

           Bug
        57. Assertion failure exceptions should not be ignored

           Bug
        58. A subclass should not be in the same "catch" clause as a parent class

           Code Smell
        59. Caught Exceptions must derive from Throwable

           Bug
        60. Allowing requests with excessive content length is security-sensitive

           Security Hotspot
        61. Raised Exceptions must derive from Throwable

           Bug
        62. Cipher algorithms should be robust

           Vulnerability
        63. Encryption algorithms should be used with secure mode and padding scheme

           Vulnerability
        64. Server hostnames should be verified during SSL/TLS connections

           Vulnerability
        65. `str_replace` should be preferred to `preg_replace`

           Code Smell
        66. Include expressions should not be vulnerable to injection attacks

           Vulnerability
        67. Dynamic code execution should not be vulnerable to injection attacks

           Vulnerability
        68. Using clear-text protocols is security-sensitive

           Security Hotspot
        69. Manual generation of session ID is security-sensitive

           Security Hotspot
        70. HTTP request redirections should not be open to forging attacks

           Vulnerability
        71. Logging should not be vulnerable to injection attacks

           Vulnerability
        72. Server-side requests should not be vulnerable to forging attacks

           Vulnerability
        73. Deserialization should not be vulnerable to injection attacks

           Vulnerability
        74. Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks

           Vulnerability
        75. Having a permissive Cross-Origin Resource Sharing policy is security-sensitive

           Security Hotspot
        76. Expanding archive files without controlling resource consumption is security-sensitive

           Security Hotspot
        77. Controlling permissions is security-sensitive

           Security Hotspot
        78. Use of namespaces should be preferred to "include" or "require" functions

           Code Smell
        79. Server certificates should be verified during SSL/TLS connections

           Vulnerability
        80. Reading the Standard Input is security-sensitive

           Security Hotspot
        81. Signaling processes is security-sensitive

           Security Hotspot
        82. References used in "foreach" loops should be "unset"

           Bug
        83. Using command line arguments is security-sensitive

           Security Hotspot
        84. Using Sockets is security-sensitive

           Security Hotspot
        85. Configuring loggers is security-sensitive

           Security Hotspot
        86. Using weak hashing algorithms is security-sensitive

           Security Hotspot
        87. Encrypting data is security-sensitive

           Security Hotspot
        88. Using regular expressions is security-sensitive

           Security Hotspot
        89. "default" clauses should be first or last

           Code Smell
        90. Deserializing objects from an untrusted source is security-sensitive

           Security Hotspot
        91. Delivering code in production with debug features activated is security-sensitive

           Security Hotspot
        92. Disabling CSRF protections is security-sensitive

           Security Hotspot
        93. LDAP connections should be authenticated

           Vulnerability
        94. Cryptographic keys should be robust

           Vulnerability
        95. Weak SSL/TLS protocols should not be used

           Vulnerability
        96. Methods should not have identical implementations

           Code Smell
        97. Array values should not be replaced unconditionally

           Bug
        98. Duplicate values should not be passed as arguments

           Code Smell
        99. Exceptions should not be created without being thrown

           Bug
        100. Array or Countable object count comparisons should make sense

           Bug
        101. A conditionally executed single line should be denoted by indentation

           Code Smell
        102. Conditionals should start on new lines

           Code Smell
        103. All branches in a conditional structure should not have exactly the same implementation

           Bug
        104. Functions should use "return" consistently

           Code Smell
        105. Cognitive Complexity of functions should not be too high

           Code Smell
        106. The output of functions that don't return anything should not be used

           Bug
        107. Database queries should not be vulnerable to injection attacks

           Vulnerability
        108. Jump statements should not be redundant

           Code Smell
        109. Assertion arguments should be passed in the correct order

           Code Smell
        110. Test class names should end with "Test"

           Code Smell
        111. Ternary operators should not be nested

           Code Smell
        112. "file_uploads" should be disabled

           Vulnerability
        113. "enable_dl" should be disabled

           Vulnerability
        114. "session.use_trans_sid" should not be enabled

           Vulnerability
        115. "cgi.force_redirect" should be enabled

           Vulnerability
        116. "allow_url_fopen" and "allow_url_include" should be disabled

           Vulnerability
        117. "open_basedir" should limit file access

           Vulnerability
        118. Session-management cookies should not be persistent

           Vulnerability
        119. Creating cookies with broadly defined "domain" flags is security-sensitive

           Security Hotspot
        120. Creating cookies without the "HttpOnly" flag is security-sensitive

           Security Hotspot
        121. Reflection should not be used to increase accessibility of classes, methods, or fields

           Code Smell
        122. "sleep" should not be called

           Vulnerability
        123. Configuration should not be changed dynamically

           Code Smell
        124. Class constructors should not create other objects

           Code Smell
        125. Unary prefix operators should not be repeated

           Bug
        126. Non-existent operators like "=+" should not be used

           Bug
        127. XML parsers should not be vulnerable to XXE attacks

           Vulnerability
        128. "catch" clauses should do more than rethrow

           Code Smell
        129. Literal boolean values and nulls should not be used in equality assertions

           Code Smell
        130. Tests should include assertions

           Code Smell
        131. Multiline blocks should be enclosed in curly braces

           Code Smell
        132. Regular expressions should not be vulnerable to Denial of Service attacks

           Vulnerability
        133. Setting loose POSIX file permissions is security-sensitive

           Security Hotspot
        134. Neither DES (Data Encryption Standard) nor DESede (3DES) should be used

           Vulnerability
        135. Cryptographic RSA algorithms should always incorporate OAEP (Optimal Asymmetric Encryption Padding)

           Vulnerability
        136. PHP parser failure

           Code Smell
        137. Writing cookies is security-sensitive

           Security Hotspot
        138. A "for" loop update clause should move the counter in the right direction

           Bug
        139. Using pseudorandom number generators (PRNGs) is security-sensitive

           Security Hotspot
        140. Parameters should be passed in the correct order

           Code Smell
        141. Return values from functions without side effects should not be ignored

           Bug
        142. TestCases should contain tests

           Code Smell
        143. Classes named like "Exception" should extend "Exception" or a subclass

           Code Smell
        144. Values should not be uselessly incremented

           Bug
        145. A secure password should be used when connecting to a database

           Vulnerability
        146. Creating cookies without the "secure" flag is security-sensitive

           Security Hotspot
        147. XPath expressions should not be vulnerable to injection attacks

           Vulnerability
        148. I/O function calls should not be vulnerable to path injection attacks

           Vulnerability
        149. LDAP queries should not be vulnerable to injection attacks

           Vulnerability
        150. Formatting SQL queries is security-sensitive

           Security Hotspot
        151. OS commands should not be vulnerable to command injection attacks

           Vulnerability
        152. SHA-1 and Message-Digest hash algorithms should not be used in secure contexts

           Vulnerability
        153. Hard-coded credentials are security-sensitive

           Security Hotspot
        154. Password hashing functions should use an unpredictable salt

           Vulnerability
        155. Alias functions should not be used

           Code Smell
        156. The names of methods with boolean return values should start with "is" or "has"

           Code Smell
        157. Perl-style comments should not be used

           Code Smell
        158. "php_sapi_name()" should not be used

           Code Smell
        159. Superglobals should not be accessed directly

           Code Smell
        160. Classes should not have too many lines of code

           Code Smell
        161. Parentheses should not be used for calls to "echo"

           Code Smell
        162. Colors should be defined in upper case

           Code Smell
        163. Static members should be referenced with "static::"

           Bug
        164. Files that define symbols should not cause side-effects

           Bug
        165. "$this" should not be used in a static context

           Bug
        166. "global" should not be used

           Code Smell
        167. "&&" and "||" should be used

           Code Smell
        168. Functions and variables should not be defined outside of classes

           Code Smell
        169. String literals should not be concatenated

           Code Smell
        170. Functions should not be nested too deeply

           Code Smell
        171. "require_once" and "include_once" should be used instead of "require" and "include"

           Bug
        172. Errors should not be silenced

           Bug
        173. Deprecated features should not be used

           Code Smell
        174. Files should not contain characters before "<?php"

           Bug
        175. References should not be passed to function calls

           Code Smell
        176. Files should not contain inline HTML

           Code Smell
        177. Files should contain only one top-level class or interface each

           Code Smell
        178. "final" should not be used redundantly

           Code Smell
        179. Boolean checks should not be inverted

           Code Smell
        180. Two branches in a conditional structure should not have exactly the same implementation

           Code Smell
        181. Related "if/else if" statements and "cases" in a "switch" should not have the same condition

           Bug
        182. Unused assignments should be removed

           Code Smell
        183. Objects should not be created to be dropped immediately without being used

           Bug
        184. "switch" statements should not be nested

           Code Smell
        185. Classes should not have too many fields

           Code Smell
        186. Source code should comply with formatting standards

           Code Smell
        187. "exit(...)" and "die(...)" statements should not be used

           Bug
        188. "elseif" keyword should be used in place of "else if" keywords

           Code Smell
        189. Method arguments with default values should be last

           Code Smell
        190. Method visibility should be explicitly declared

           Bug
        191. PHP keywords and constants "true", "false", "null" should be lower case

           Code Smell
        192. Closing tag "?>" should be omitted on files containing only PHP

           Code Smell
        193. Only LF character (Unix-like) should be used to end lines

           Code Smell
        194. More than one property should not be declared per statement

           Code Smell
        195. The "var" keyword should not be used

           Code Smell
        196. Identical expressions should not be used on both sides of a binary operator

           Bug
        197. All code should be reachable

           Bug
        198. "<?php" and "<?=" tags should be used

           Code Smell
        199. Loops with at most one iteration should be refactored

           Bug
        200. Short-circuit logic should be used to prevent null pointer dereferences in conditionals

           Bug
        201. Variables should not be self-assigned

           Bug
        202. A reason should be provided when skipping a test

           Code Smell
        203. "__construct" functions should not make PHP 4-style calls to parent constructors

           Code Smell
        204. Deprecated constructor declarations should not be used

           Code Smell
        205. Deprecated predefined variables should not be used

           Code Smell
        206. Variable variables should not be used

           Code Smell
        207. File names should comply with a naming convention

           Code Smell
        208. Cyclomatic Complexity of functions should not be too high

           Code Smell
        209. Dynamically executing code is security-sensitive

           Security Hotspot
        210. Local variables should not be declared and then immediately returned or thrown

           Code Smell
        211. Unused local variables should be removed

           Code Smell
        212. "switch" statements should not have too many "case" clauses

           Code Smell
        213. Track lack of copyright and license headers

           Code Smell
        214. Classes should not have too many methods

           Code Smell
        215. Comments should not be located at the end of lines of code

           Code Smell
        216. Functions should not have too many lines of code

           Code Smell
        217. Control flow statements "if", "for", "while", "switch" and "try" should not be nested too deeply

           Code Smell
        218. Octal values should not be used

           Code Smell
        219. Using hardcoded IP addresses is security-sensitive

           Security Hotspot
        220. Cyclomatic Complexity of classes should not be too high

           Code Smell
        221. "switch" statements should have "default" clauses

           Code Smell
        222. "switch" statements should have at least 3 "case" clauses

           Code Smell
        223. Track uses of "NOSONAR" comments

           Code Smell
        224. Switch cases should end with an unconditional "break" statement

           Code Smell
        225. "for" loop stop conditions should be invariant

           Code Smell
        226. A "while" loop should be used instead of a "for" loop

           Code Smell
        227. "if ... else if" constructs should end with "else" clauses

           Code Smell
        228. Sections of code should not be commented out

           Code Smell
        229. Function and method parameters' initial values should not be ignored

           Bug
        230. Statements should be on separate lines

           Code Smell
        231. Control structures should use curly braces

           Code Smell
        232. Classes should not be coupled to too many other classes

           Code Smell
        233. String literals should not be duplicated

           Code Smell
        234. Methods should not be empty

           Code Smell
        235. Overriding methods should do more than simply call the same method in the super class

           Code Smell
        236. Unused function parameters should be removed

           Code Smell
        237. Local variable and function parameter names should comply with a naming convention

           Code Smell
        238. Field names should comply with a naming convention

           Code Smell
        239. "empty()" should be used to test for emptiness

           Code Smell
        240. "switch case" clauses should not have too many lines of code

           Code Smell
        241. Constant names should comply with a naming convention

           Code Smell
        242. Useless "if(true) {...}" and "if(false){...}" blocks should be removed

           Bug
        243. Unused "private" methods should be removed

           Code Smell
        244. Functions should not contain too many return statements

           Code Smell
        245. Interface names should comply with a naming convention

           Code Smell
        246. Track uses of "TODO" tags

           Code Smell
        247. Track uses of "FIXME" tags

           Code Smell
        248. Lines should not end with trailing whitespaces

           Code Smell
        249. Files should end with a newline

           Code Smell
        250. Return of boolean expressions should not be wrapped into an "if-then-else" statement

           Code Smell
        251. Boolean literals should not be redundant

           Code Smell
        252. Modifiers should be declared in the correct order

           Code Smell
        253. Assignments should not be made from within sub-expressions

           Code Smell
        254. Generic exceptions ErrorException, RuntimeException and Exception should not be thrown

           Code Smell
        255. Local variables should not have the same name as class fields

           Code Smell
        256. Empty statements should be removed

           Code Smell
        257. Redundant pairs of parentheses should be removed

           Code Smell
        258. A close curly brace should be located at the beginning of a line

           Code Smell
        259. An open curly brace should be located at the beginning of a line

           Code Smell
        260. An open curly brace should be located at the end of a line

           Code Smell
        261. Inheritance tree of classes should not be too deep

           Code Smell
        262. Nested blocks of code should not be left empty

           Code Smell
        263. URIs should not be hardcoded

           Code Smell
        264. Functions should not have too many parameters

           Code Smell
        265. Unused "private" fields should be removed

           Code Smell
        266. Expressions should not be too complex

           Code Smell
        267. Mergeable "if" statements should be combined

           Code Smell
        268. Tabulation characters should not be used

           Code Smell
        269. All "catch" blocks should be able to catch exceptions

           Bug
        270. Files should not have too many lines of code

           Code Smell
        271. Lines should not be too long

           Code Smell
        272. Class names should comply with a naming convention

           Code Smell
        273. Function names should comply with a naming convention

           Code Smell

        Writing cookies is security-sensitive

        Security Hotspot

          This rule is deprecated, and will eventually be removed.

          Using cookies is security-sensitive. It has led in the past to the following vulnerabilities:

          • CVE-2018-11639
          • CVE-2016-6537

          Attackers can use widely-available tools to read cookies. Any sensitive information they may contain will be exposed.

          This rule flags code that writes cookies.

          Ask Yourself Whether

          • sensitive information is stored inside the cookie.

          You are at risk if you answered yes to this question.

          Recommended Secure Coding Practices

          Cookies should only be used to manage the user session. The best practice is to keep all user-related information server-side and link them to the user session, never sending them to the client. In a very few corner cases, cookies can be used for non-sensitive information that need to live longer than the user session.

          Do not try to encode sensitive information in a non human-readable format before writing them in a cookie. The encoding can be reverted and the original information will be exposed.

          Using cookies only for session IDs doesn’t make them secure. Follow OWASP best practices when you configure your cookies.

          As a side note, every information read from a cookie should be Sanitized.

          Sensitive Code Example

          $value = "1234 1234 1234 1234";
          
          // Review this cookie as it seems to send sensitive information (credit card number).
          setcookie("CreditCardNumber", $value, $expire, $path, $domain, true, true); // Sensitive
          setrawcookie("CreditCardNumber", $value, $expire, $path, $domain, true, true); // Sensitive
          

          See

          • OWASP - Top 10 2017 Category A3 - Sensitive Data Exposure
          • CWE - CWE-312 - Cleartext Storage of Sensitive Information
          • CWE - CWE-315 - Cleartext Storage of Sensitive Information in a Cookie
          • Derived from FindSecBugs rule COOKIE_USAGE
            Available In:
          • SonarQube IdeCatch issues on the fly,
            in your IDE
          • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
          • SonarQube Community BuildAnalyze code in your
            on-premise CI
            Available Since
            9.1
          • SonarQube ServerAnalyze code in your
            on-premise CI
            Developer Edition
            Available Since
            9.1

          © 2008-2025 SonarSource SA. All rights reserved.

          Privacy Policy | Cookie Policy | Terms of Use