Sunday, May 27, 2012

Is there a static code analyzer [like Lint] for PHP files?

Is there a static code analyzer for PHP files? The binary itself can check for syntax errors, but I'm looking for something that does more, like unused variable assignments, arrays that are assigned into without being initialized first, and possibly code style warnings. Open-source programs would be preferred, but we might convince the company to pay for something if it's highly recommended.

Source: Tips4all


  1. For static analysis, there are php-sat, php-ast, PHP_Depend and PHP_CodeSniffer, that I know of. These are fairly high-level tools; you can also dabble in stuff like PHP_Parser or the more primitive token_get_all function. Finally, you can also run php in lint mode (php -l FILENAME) from the command line. It will check the file for valid syntax (e.g. parse it), but won't execute it.

    There are also some runtime analysis options, which are more useful for some things, because of PHP's dynamic nature. Xdebug has a few nifty features, such as code coverage and function traces. Just recently, I put a small tool together, using a combined static/dynamic approach, which builds on Xdebug's function traces.

    And of course, there are phpdoc and doxygen, which both perform a kind of code analysis (Doxygen can be configured to render nice inheritance graphs with graphviz).

    A recent newcomer is xhprof, which can do much of the same things as xdebug, but the extension is more lightweight, making it better suited for running on a production server, and it includes a nice PHP-based interface.

  2. Online PHP lint


    Uninitialized variables check. Link 1 and 2 already seem to do this just fine, though.

    I can't say I have used any of these intensively, though :)

  3. For completeness -- also check phpCallGraph.

  4. There is a new tool called nWire for PHP. It is a code exploration plugin for Eclipse PDT and Zend Studio 7.x. It enables real-time code analysis for PHP and provides the following tools:

    Code visualization - interactive graphical representation of components and associations.
    Code navigation - unique navigation view shows all the associations and works with you while you write or read code.
    Quick search - search as you type for methods, fields, file, etc.

  5. See Semantic Designs' CloneDR, a "clone detection" tool that finds copy/paste/edited code. It will find exact and near-miss code fragments, in spite of whitespace, comments and even variable renamings. A sample detection report for PHP can be found at the website. (I'm the author).

  6. The NetBeans IDE checks for syntax errors, unused variables and such. It's not automated, but works fine for small or medium projects.

  7. PHP Mess Detector is awesome and fast.

  8. PHP PMD (project mess detector) and PHP CPD (copy paste detector) as the former part of PHPUnit

  9. Also, PHP Compiler may be worth a try. Its main function is to produce PHP binaries but it does have some analysis capabilities.

  10. I have tried using $php -l and a couple of other tools. However, the best one in my experience (YMMV, of course) is scheck of the pfff toolset. I heard about pfff on Quora (

    You can compile and install it. There are no nice packages (on my mint Debian, I had to install libpcre3-dev, ocaml, libcairo-dev, libgtk-3-dev and libgimp2.0-dev dependencies first) but it should be worth an install.

    The results are reported like

    rjha@mint ~ $ ~/sw/pfff/scheck ~/code/github/sc/
    login-now.php:7:4: CHECK: Unused Local variable $title
    go-automatic.php:14:77: CHECK: Use of undeclared variable $goUrl.
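
An added example, not part of any answer above and not code from any of the tools they name: the token_get_all function mentioned in the first answer is enough to build a crude version of the unused or undeclared variable check the question asks for. It flags variables that are named only once in a file; the function name find_single_use_variables and the sample input are constructed for illustration, and the check is a token-level heuristic that ignores scope.

```php
<?php
// Added example: report variables that are named exactly once in a PHP source
// string. A variable seen only once is either assigned and never read, or read
// without ever being assigned. Token-level heuristic only: it does not track
// function scope, variable variables ($$x), compact() or extract().

function find_single_use_variables(string $source): array
{
    $seen = [];   // variable name => ['count' => int, 'line' => first line seen]
    $ignored = ['$this', '$GLOBALS', '$_GET', '$_POST', '$_COOKIE',
                '$_SERVER', '$_FILES', '$_ENV', '$_REQUEST', '$_SESSION'];

    foreach (token_get_all($source) as $token) {
        // Single-character tokens are plain strings; only arrays carry an id.
        if (!is_array($token) || $token[0] !== T_VARIABLE) {
            continue;
        }
        [, $name, $line] = $token;   // token layout: [id, text, line number]
        if (in_array($name, $ignored, true)) {
            continue;
        }
        if (!isset($seen[$name])) {
            $seen[$name] = ['count' => 0, 'line' => $line];
        }
        $seen[$name]['count']++;
    }

    $findings = [];
    foreach ($seen as $name => $info) {
        if ($info['count'] === 1) {
            $findings[] = ['name' => $name, 'line' => $info['line']];
        }
    }
    return $findings;
}

// Constructed sample input: $title is assigned but never read,
// $goUrl is read but never assigned.
$sample = <<<'PHP'
<?php
$title = "Login";
$user = $_POST['user'];
echo "Hello " . $user;
header("Location: " . $goUrl);
PHP;

foreach (find_single_use_variables($sample) as $f) {
    printf("sample.php:%d: CHECK: variable %s appears only once\n", $f['line'], $f['name']);
}
```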