Custom sniffs for PHP_CodeSniffer
This package is auto-updated.
Last update: 2023-09-28 09:34:42 UTC
This is a collection of our custom PHP_Codesniffer (3.x) sniffs for detecting potential bugs and unexpected behavior in PHP code. It may be used as a ruleset on its own, but it is mainly intended as a set of separate sniffs that can be integrated into other standards.
We described the motivation behind some of these sniffs on our blog.
Install as a development dependency using composer:
$ composer require --dev moxio/php-codesniffer-sniffs
Check your files against this set of sniffs:
$ ./vendor/bin/phpcs --standard=vendor/moxio/php-codesniffer-sniffs/MoxioSniffs path/to/your/files
More sniffs will be added soon.
MoxioSniffs.PHP.DisallowBareContinueInSwitch: Disallows the
continue statement without a numeric
argument when used directly within a
case. This prevents silent bugs caused by PHP
switch to be a looping structure.
MoxioSniffs.PHP.DisallowImplicitLooseComparison: Disallows implicit non-strict comparisons by functions
array_search. Requires that the
$strict-parameter to these functions is
explicitly set. This prevents hidden bugs due to counter-intuitive behavior of non-strict
MoxioSniffs.PHP.DisallowImplicitLooseBase64Decode: Disallows implicit non-strict usage of the
Requires that the
$strict-parameter to this function is explicitly set.
MoxioSniffs.PHP.DisallowUniqidWithoutMoreEntropy: Disallows calls to
$more_entropy = true. When
false (which is the default),
usleep() to avoid
collisions, which can be a substantial performance hit.
$more_entropy = true avoids these problems.
MoxioSniffs.PHP.DisallowArrayCombinersWithSingleArray: Disallows calls to functions that combine two or more
arrays with only a single array given as an argument. This applies to functions like
array_replace(_recursive) and all variants of
array_intersect. Such a call does not make sense,
and is most likely a result of a misplaced comma or parenthesis. To re-index a single array, just use
MoxioSniffs.PHP.DisallowImplicitMicrotimeAsString: Disallows calls to
microtime() without the
argument being explicitly set. By default,
microtime has a string as its return value ("msec sec"), which
is unexpected and cannot be naively cast to float, making it error-prone. It is still possible to set this
false, but in that case you have probably thought about this.
MoxioSniffs.PHP.DisallowImplicitIteratorToArrayWithUseKeys: Disallows calls to
iterator_to_array() without the
$use_keys argument being explicitly set. By default,
iterator_to_array uses the keys provided
by the iterator. This behavior is often desired for associative arrays, but can cause unexpected
results for 'list-like' arrays. Explicitly
requiring the parameter to be set ensures that the developer has to think about which behavior is desired
for the situation at hand.
MoxioSniffs.PHP.DisallowDateTime: Disallows usage of
\DateTime and promotes the use of
instead. The former being mutable can lead to some subtle but nasty bugs. See this post
for more background on why you would want to discourage using
MoxioSniffs.PHP.DisallowMbDetectEncoding: Disallows usage of
mb_detect_encoding. This function has a misleading
name that implies it can actually detect the encoding of a string, a problem which is generally impossible. Rather
it checks a list of encodings until it finds one that could be the right one (i.e. the string is a valid byte sequence
according to that encoding). Using
mb_check_encoding (possibly in a loop) instead makes this much more explicit. See
this talk for more background information on this topic.
MoxioSniffs.PHP.DisallowUtf8EncodeDecode: Disallows calls to
utf8_decode(). These functions
can be considered misleading because they only convert to/from ISO-8859-1, and do not 'magically' detect the
source/target encoding. Using
mb_convert_encoding() instead makes both character encodings that play a
role in the conversion explicit.
MoxioSniffs.PHP.DisallowDateCreateFromFormatWithUnspecifiedTimeComponent: Disallows calls to
date_create_immutable_from_format with formats which do not specify a time component and do not initialize fields to
null. This would otherwise create DateTime(Immutable) objects with a time component set to the current (creation) time,
which is probably never what you want and can be a source of bugs.
After installing dependencies (including development dependencies) using Composer, run
from the project root dir.
This project adheres to Semantic Versioning.
Please note that, from the perspective of this library as a pick-and-match collection of sniffs (and not a complete coding standard), the addition of new sniffs will not be considered a breaking change and thus does not cause an increase in the major version number.
These sniffs are released under the MIT license.