Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Apex
C
C++
CloudFormation
COBOL
C#
CSS
Docker
Flex
Go
HTML
Java
JavaScript
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

PHP static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your PHP code

Tags

Credentials should not be hard-coded
Vulnerability
Include statements should not be vulnerable to injection attacks
Vulnerability
Dynamic code execution should not be vulnerable to injection attacks
Vulnerability
HTTP request redirections should not be open to forging attacks
Vulnerability
Deserialization should not be vulnerable to injection attacks
Vulnerability
Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
Vulnerability
Database queries should not be vulnerable to injection attacks
Vulnerability
XML parsers should not be vulnerable to XXE attacks
Vulnerability
A secure password should be used when connecting to a database
Vulnerability
XPath expressions should not be vulnerable to injection attacks
Vulnerability
I/O function calls should not be vulnerable to path injection attacks
Vulnerability
LDAP queries should not be vulnerable to injection attacks
Vulnerability
OS commands should not be vulnerable to command injection attacks
Vulnerability
Class of caught exception should be defined
Bug
Caught Exceptions must derive from Throwable
Bug
Raised Exceptions must derive from Throwable
Bug
"$this" should not be used in a static context
Bug
Hard-coded credentials are security-sensitive
Security Hotspot
Test class names should end with "Test"
Code Smell
Tests should include assertions
Code Smell
TestCases should contain tests
Code Smell
Variable variables should not be used
Code Smell
Switch cases should end with an unconditional "break" statement
Code Smell
A new session should be created during user authentication
Vulnerability
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Server hostnames should be verified during SSL/TLS connections
Vulnerability
Server certificates should be verified during SSL/TLS connections
Vulnerability
LDAP connections should be authenticated
Vulnerability
Cryptographic keys should be robust
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Regular expressions should not be vulnerable to Denial of Service attacks
Vulnerability
Hashes should include an unpredictable salt
Vulnerability
Regular expressions should have valid delimiters
Bug
Regex lookahead assertions should not be contradictory
Bug
Back references in regular expressions should only refer to capturing groups that are matched before the reference
Bug
Regex boundaries should not be used in a way that can never be matched
Bug
Regex patterns following a possessive quantifier should not always fail
Bug
Assertion failure exceptions should not be ignored
Bug
References used in "foreach" loops should be "unset"
Bug
Using clear-text protocols is security-sensitive
Security Hotspot
Expanding archive files without controlling resource consumption is security-sensitive
Security Hotspot
Signaling processes is security-sensitive
Security Hotspot
Configuring loggers is security-sensitive
Security Hotspot
Using weak hashing algorithms is security-sensitive
Security Hotspot
Disabling CSRF protections is security-sensitive
Security Hotspot
Using pseudorandom number generators (PRNGs) is security-sensitive
Security Hotspot
Dynamically executing code is security-sensitive
Security Hotspot
Unnecessary parentheses should not be used for constructs
Code Smell
`str_replace` should be preferred to `preg_replace`
Code Smell
"default" clauses should be first or last
Code Smell
A conditionally executed single line should be denoted by indentation
Code Smell
Conditionals should start on new lines
Code Smell
Cognitive Complexity of functions should not be too high
Code Smell
Functions should not be nested too deeply
Code Smell
References should not be passed to function calls
Code Smell
"switch" statements should have "default" clauses
Code Smell
Control structures should use curly braces
Code Smell
String literals should not be duplicated
Code Smell
Methods should not be empty
Code Smell
Constant names should comply with a naming convention
Code Smell
Secret keys and salt values should be robust
Vulnerability
Applications should not create session cookies from untrusted input
Vulnerability
Reflection should not be vulnerable to injection attacks
Vulnerability
Authorizations should be based on strong decisions
Vulnerability
Server-side requests should not be vulnerable to forging attacks
Vulnerability
The number of arguments passed to a function should match the number of parameters
Bug
Non-empty statements should change control flow or have at least one side-effect
Bug
Variables should be initialized before use
Bug
Replacement strings should reference existing regular expression groups
Bug
Alternation in regular expressions should not contain empty alternatives
Bug
Unicode Grapheme Clusters should be avoided inside regex character classes
Bug
Assertions should not compare an object to itself
Bug
Regex alternatives should not be redundant
Bug
Alternatives in regular expressions should be grouped when used with anchors
Bug
Array values should not be replaced unconditionally
Bug
Exceptions should not be created without being thrown
Bug
Array or Countable object count comparisons should make sense
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
The output of functions that don't return anything should not be used
Bug
Unary prefix operators should not be repeated
Bug
"=+" should not be used instead of "+="
Bug
A "for" loop update clause should move the counter in the right direction
Bug
Return values from functions without side effects should not be ignored
Bug
Values should not be uselessly incremented
Bug
Related "if/else if" statements and "cases" in a "switch" should not have the same condition
Bug
Objects should not be created to be dropped immediately without being used
Bug
Identical expressions should not be used on both sides of a binary operator
Bug
All code should be reachable
Bug
Loops with at most one iteration should be refactored
Bug
Short-circuit logic should be used to prevent null pointer dereferences in conditionals
Bug
Variables should not be self-assigned
Bug
Useless "if(true) {...}" and "if(false){...}" blocks should be removed
Bug
All "catch" blocks should be able to catch exceptions
Bug
Constructing arguments of system commands from user input is security-sensitive
Security Hotspot
Allowing unfiltered HTML content in WordPress is security-sensitive
Security Hotspot
Allowing unauthenticated database repair in WordPress is security-sensitive
Security Hotspot
Allowing all external requests from a WordPress server is security-sensitive
Security Hotspot
Disabling automatic updates is security-sensitive
Security Hotspot
WordPress theme and plugin editors are security-sensitive
Security Hotspot
Allowing requests with excessive content length is security-sensitive
Security Hotspot
Manual generation of session ID is security-sensitive
Security Hotspot
Setting loose POSIX file permissions is security-sensitive
Security Hotspot
Formatting SQL queries is security-sensitive
Security Hotspot
"goto" statement should not be used
Code Smell
Character classes in regular expressions should not contain only one character
Code Smell
Superfluous curly brace quantifiers should be avoided
Code Smell
Non-capturing groups without quantifier should not be used
Code Smell
WordPress option names should not be misspelled
Code Smell
WordPress options should not be defined at the end of "wp-config.php"
Code Smell
Constants should not be redefined
Code Smell
Regular expressions should not contain empty groups
Code Smell
Regular expressions should not contain multiple spaces
Code Smell
Single-character alternations in regular expressions should be replaced with character classes
Code Smell
Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string
Code Smell
Character classes in regular expressions should not contain the same character twice
Code Smell
Regular expressions should not be too complicated
Code Smell
PHPUnit assertTrue/assertFalse should be simplified to the corresponding dedicated assertion
Code Smell
Use of namespaces should be preferred to "include" or "require" functions
Code Smell
Methods should not have identical implementations
Code Smell
Functions should use "return" consistently
Code Smell
Assertion arguments should be passed in the correct order
Code Smell
Ternary operators should not be nested
Code Smell
Reflection should not be used to increase accessibility of classes, methods, or fields
Code Smell
Multiline blocks should be enclosed in curly braces
Code Smell
Parameters should be passed in the correct order
Code Smell
Classes named like "Exception" should extend "Exception" or a subclass
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
Unused assignments should be removed
Code Smell
Method arguments with default values should be last
Code Smell
A reason should be provided when skipping a test
Code Smell
"__construct" functions should not make PHP 4-style calls to parent constructors
Code Smell
PHP 4 constructor declarations should not be used
Code Smell
Deprecated predefined variables should not be used
Code Smell
"switch" statements should not have too many "case" clauses
Code Smell
Classes should not have too many methods
Code Smell
Functions should not have too many lines of code
Code Smell
"for" loop stop conditions should be invariant
Code Smell
Sections of code should not be commented out
Code Smell
Unused function parameters should be removed
Code Smell
Unused "private" methods should be removed
Code Smell
Functions should not contain too many return statements
Code Smell
Track uses of "FIXME" tags
Code Smell
Generic exceptions ErrorException, RuntimeException and Exception should not be thrown
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Inheritance tree of classes should not be too deep
Code Smell
Nested blocks of code should not be left empty
Code Smell
Functions should not have too many parameters
Code Smell
Unused "private" fields should be removed
Code Smell
Collapsible "if" statements should be merged
Code Smell
Lines should not be too long
Code Smell
OS commands should not be vulnerable to argument injection attacks
Vulnerability
Logging should not be vulnerable to injection attacks
Vulnerability
Repeated patterns in regular expressions should not match the empty string
Bug
"require_once" and "include_once" should be used instead of "require" and "include"
Bug
Method visibility should be explicitly declared
Bug
Function and method parameters' initial values should not be ignored
Bug
Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
Security Hotspot
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Creating cookies without the "HttpOnly" flag is security-sensitive
Security Hotspot
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
Using hardcoded IP addresses is security-sensitive
Security Hotspot
Regular expression quantifiers and character classes should be used concisely
Code Smell
Character classes should be preferred over reluctant quantifiers in regular expressions
Code Smell
A subclass should not be in the same "catch" clause as a parent class
Code Smell
Jump statements should not be redundant
Code Smell
"catch" clauses should do more than rethrow
Code Smell
"&&" and "||" should be used
Code Smell
Boolean checks should not be inverted
Code Smell
Source code should comply with formatting standards
Code Smell
"elseif" keyword should be used in place of "else if" keywords
Code Smell
PHP keywords and constants "true", "false", "null" should be lower case
Code Smell
Closing tag "?>" should be omitted on files containing only PHP
Code Smell
Only LF character (Unix-like) should be used to end lines
Code Smell
More than one property should not be declared per statement
Code Smell
The "var" keyword should not be used
Code Smell
"<?php" and "<?=" tags should be used
Code Smell
Local variables should not be declared and then immediately returned or thrown
Code Smell
Unused local variables should be removed
Code Smell
"switch" statements should have at least 3 "case" clauses
Code Smell
A "while" loop should be used instead of a "for" loop
Code Smell
Overriding methods should do more than simply call the same method in the super class
Code Smell
Local variable and function parameter names should comply with a naming convention
Code Smell
Field names should comply with a naming convention
Code Smell
"empty()" should be used to test for emptiness
Code Smell
Interface names should comply with a naming convention
Code Smell
Lines should not end with trailing whitespaces
Code Smell
Files should contain an empty newline at the end
Code Smell
Return of boolean expressions should not be wrapped into an "if-then-else" statement
Code Smell
Boolean literals should not be redundant
Code Smell
Modifiers should be declared in the correct order
Code Smell
Empty statements should be removed
Code Smell
A close curly brace should be located at the beginning of a line
Code Smell
URIs should not be hardcoded
Code Smell
Tabulation characters should not be used
Code Smell
Class names should comply with a naming convention
Code Smell
Method and function names should comply with a naming convention
Code Smell
Track uses of "TODO" tags
Code Smell
"file_uploads" should be disabled
Vulnerability
"enable_dl" should be disabled
Vulnerability
"session.use_trans_sid" should not be enabled
Vulnerability
"allow_url_fopen" and "allow_url_include" should be disabled
Vulnerability
"open_basedir" should limit file access
Vulnerability
Neither DES (Data Encryption Standard) nor DESede (3DES) should be used
Vulnerability
"exit(...)" and "die(...)" statements should not be used
Bug
Functions and variables should not be defined outside of classes
Code Smell
Track lack of copyright and license headers
Code Smell
Octal values should not be used
Code Smell
Session-management cookies should not be persistent
Vulnerability
Cryptographic RSA algorithms should always incorporate OAEP (Optimal Asymmetric Encryption Padding)
Vulnerability
SHA-1 and Message-Digest hash algorithms should not be used in secure contexts
Vulnerability
Assertions should not be made at the end of blocks expecting an exception
Bug
Regular expressions should be syntactically valid
Bug
Only one method invocation is expected when testing exceptions
Bug
Reading the Standard Input is security-sensitive
Security Hotspot
Using command line arguments is security-sensitive
Security Hotspot
Using Sockets is security-sensitive
Security Hotspot
Encrypting data is security-sensitive
Security Hotspot
Using regular expressions is security-sensitive
Security Hotspot
Deserializing objects from an untrusted source is security-sensitive
Security Hotspot
Literal boolean values and nulls should not be used in equality assertions
Code Smell
Parentheses should not be used for calls to "echo"
Code Smell
"global" should not be used
Code Smell
"switch" statements should not be nested
Code Smell
Cyclomatic Complexity of functions should not be too high
Code Smell
Control flow statements "if", "for", "while", "switch" and "try" should not be nested too deeply
Code Smell
Cyclomatic Complexity of classes should not be too high
Code Smell
"if ... else if" constructs should end with "else" clauses
Code Smell
Expressions should not be too complex
Code Smell
"cgi.force_redirect" should be enabled
Vulnerability
Files that define symbols should not cause side-effects
Bug
Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression
Code Smell
Test methods should be discoverable
Code Smell
Duplicate values should not be passed as arguments
Code Smell
Configuration should not be changed dynamically
Code Smell
Class constructors should not create other objects
Code Smell
PHP parser failure
Code Smell
The names of methods with boolean return values should start with "is" or "has"
Code Smell
"php_sapi_name()" should not be used
Code Smell
Classes should not have too many lines of code
Code Smell
Deprecated features should not be used
Code Smell
Files should not contain inline HTML
Code Smell
Files should contain only one top-level class or interface each
Code Smell
Classes should not have too many fields
Code Smell
Track uses of "NOSONAR" comments
Code Smell
Statements should be on separate lines
Code Smell
Classes should not be coupled to too many other classes (Single Responsibility Principle)
Code Smell
"switch case" clauses should not have too many lines of code
Code Smell
Assignments should not be made from within sub-expressions
Code Smell
Local variables should not have the same name as class fields
Code Smell
Files should not have too many lines of code
Code Smell
HTTP response headers should not be vulnerable to injection attacks
Vulnerability
"sleep" should not be called
Vulnerability
Static members should be referenced with "static::"
Bug
Errors should not be silenced
Bug
Files should not contain characters before "<?php"
Bug
Controlling permissions is security-sensitive
Security Hotspot
Writing cookies is security-sensitive
Security Hotspot
Framework-provided functions should be used to test exceptions
Code Smell
Unicode-aware versions of character classes should be preferred
Code Smell
Alias functions should not be used
Code Smell
Perl-style comments should not be used
Code Smell
Superglobals should not be accessed directly
Code Smell
Colors should be defined in upper case
Code Smell
String literals should not be concatenated
Code Smell
"final" should not be used redundantly
Code Smell
File names should comply with a naming convention
Code Smell
Comments should not be located at the end of lines of code
Code Smell
An open curly brace should be located at the beginning of a line
Code Smell
An open curly brace should be located at the end of a line
Code Smell
Creating cookies with broadly defined "domain" flags is security-sensitive
Security Hotspot

Reflection should not be used to increase accessibility of classes, methods, or fields

Code Smell

MajorSonarSource default severity
click to learn more

This rule raises an issue when reflection is used to change the visibility of a class, method or field, and when it is used to directly update a field value. Altering or bypassing the accessibility of classes, methods, or fields violates the encapsulation principle and could lead to run-time errors.

Noncompliant Code Example

class MyClass
{
    public static $publicstatic = 'Static';
    private static $privatestatic = 'private Static';
    private $private = 'Private';
    private const CONST_PRIVATE = 'Private CONST';
    public $myfield = 42;

    private function __construct() {}
    private function privateMethod() {}
    public function __set($property, $value)  {}
    public function __get($property) {}
}

$clazz = new ReflectionClass('MyClass');

$clazz->getstaticProperties(); // Noncompliant . This gives access to private static properties

$clazz->setStaticPropertyValue('publicstatic', '42'); // OK as there is no overloading to bypass and it respects access control.
$clazz->getStaticPropertyValue('publicstatic'); // OK as there is no overloading to bypass and it respects access control.

// The following calls can access private or protected constants.
$clazz->getConstant('CONST_PRIVATE'); // Noncompliant.
$clazz->getConstants(); // Noncompliant.
$clazz->getReflectionConstant('CONST_PRIVATE'); // Noncompliant.
$clazz->getReflectionConstants(); // Noncompliant.

$obj = $clazz->newInstanceWithoutConstructor(); // Noncompliant. Bypassing private constructor.

$constructor = $clazz->getConstructor();
$constructorClosure = $constructor->getClosure($obj); // Noncompliant. It is possible to call private methods with closures.
$constructor->setAccessible(true); // Noncompliant. Bypassing constructor accessibility.

$prop = new ReflectionProperty('MyClass', 'private');
$prop->setAccessible(true); // Noncompliant. Change accessibility of a property.
$prop->setValue($obj, "newValue"); // Noncompliant. Bypass of the __set method.
$prop->getValue($obj); // Noncompliant. Bypass of the __get method.

$prop2 = $clazz->getProperties()[2];
$prop2->setAccessible(true); // Noncompliant. Change accessibility of a property.
$prop2->setValue($obj, "newValue"); // Noncompliant. Bypass of the __set method.
$prop2->getValue($obj); // Noncompliant. Bypass of the __get method.

$meth = new ReflectionMethod('MyClass', 'privateMethod');
$clos = $meth->getClosure($obj); // Noncompliant. It is possible to call private methods with closures.
$meth->setAccessible(true); // Noncompliant. Change accessibility of a method.

$meth2 = $clazz->getMethods()[0];
$clos2 = $meth2->getClosure($obj); // Noncompliant. It is possible to call private methods with closures.
$meth2->setAccessible(true); // Noncompliant. Change accessibility of a method.

// Using a ReflectionObject instead of the class

$objr = new ReflectionObject($obj);
$objr->newInstanceWithoutConstructor(); // Noncompliant. Bypassing private constructor.

$objr->getStaticPropertyValue("publicstatic"); // OK as there is no overloading to bypass and it respects access control.
$objr->setStaticPropertyValue("publicstatic", "newValue"); // OK as there is no overloading to bypass and it respects access control.

$objr->getStaticProperties(); // Noncompliant. This gives access to private static properties

// The following calls can access private or protected constants.
$objr->getConstant('CONST_PRIVATE'); // Noncompliant.
$objr->getConstants(); // Noncompliant.
$objr->getReflectionConstant('CONST_PRIVATE'); // Noncompliant.
$objr->getReflectionConstants(); // Noncompliant.

$constructor = $objr->getConstructor();
$constructorClosure = $constructor->getClosure($obj); // Noncompliant. It is possible to call private methods with closures.
$constructor->setAccessible(true); // Noncompliant. Bypassing constructor accessibility.

$prop3 = $objr->getProperty('private');
$prop3->setAccessible(true); // Noncompliant. Change accessibility of a property.
$prop3->setValue($obj, "newValue"); // Noncompliant. Bypass of the __set method.
$prop3->getValue($obj); // Noncompliant. Bypass of the __get method.

$prop4 = $objr->getProperties()[2];
$prop4->setAccessible(true); // Noncompliant. Change accessibility of a property.
$prop4->setValue($obj, "newValue"); // Noncompliant. Bypass of the __set method.
$prop4->getValue($obj); // Noncompliant. Bypass of the __get method.

$meth3 = $objr->getMethod('privateMethod');
$clos3 = $meth3->getClosure($obj); // Noncompliant. It is possible to call private methods with closures.
$meth3->setAccessible(true); // Noncompliant. Change accessibility of a method.

$meth4 = $objr->getMethods()[0];
$clos4 = $meth4->getClosure($obj); // Noncompliant. It is possible to call private methods with closures.
$meth4->setAccessible(true); // Noncompliant. Change accessibility of a method.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2023 SonarSource S.A., Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, and SONARCLOUD are trademarks of SonarSource S.A. All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.
Privacy Policy

In-IDE

SaaS

Self-Hosted