Is there a static code analyzer for PHP files? The binary itself can check for syntax errors, but I\'m looking for something that does more, like unused variable assignments, arrays that are assigned into without being initialized first, and possibly code style warnings. Open-source programs would be preferred, but we might convince the company to pay for something if it\'s highly recommended.

Run php in lint-mode from the command line to validate syntax without execution:

php -l FILENAME

Higher-level static analyzers include:

• php-sat - Requires http://strategoxt.org/
• PHP_Depend
• PHP_CodeSniffer
• PHP Mess Detector
• PHPStan
• PHP-CS-Fixer
• phan

Lower-level analyzers include:

• PHP_Parser
• token_get_all (primitive function)

Runtime analyzers, which are more useful for some things due to PHPs dynamic nature, include:

• Xdebug has code coverage and function traces.
• My PHP Tracer Tool uses a combined static/dynamic approach, building on Xdebug\'s function traces.

The documentation libraries phpdoc and doxygen perform a kind of code analysis. Doxygen, for example, can be configured to render nice inheritance graphs with graphviz.

Another option is xhprof, which is similar to xdebug, but lighter, making it suitable for production servers. The tool includes a PHP-based interface.

Online PHP lint

PHPLint

Unitialized variables check. Link 1 and 2 already seem to do this just fine, though.

I can\'t say I have used any of these intensively, though :)

For completeness -- also check phpCallGraph.

PHP Mess Detector is awesome and fast.

I have tried using $php -l and couple other tools. However the best one in my experience (YMMV, of course) is scheck of pfff toolset. I heard about pfff on Quora (http://www.quora.com/Is-there-a-good-PHP-lint-static-analysis-tool)

You can compile and install it. There are no nice packages (on my mint Debian, I had to install libpcre3-dev, ocaml, libcairo-dev, libgtk-3-dev and libgimp2.0-dev dependencies first) but it should be worth an intsall.

The results are reported like

rjha@mint ~ $ ~/sw/pfff/scheck ~/code/github/sc/
login-now.php:7:4: CHECK: Unused Local variable $title
go-automatic.php:14:77: CHECK: Use of undeclared variable $goUrl.

See Semantic Designs\' CloneDR, a \"clone detection\" tool that finds copy/paste/edited code. It will find exact and near miss code fragments, in spite of whitespace, comments and even variable renamings. A sample detection report for PHP can be found at the wesite. (I\'m the author).

The NetBeans IDE checks for syntax errors, unusued variables and such. It\'s not automated, but works fine for small or medium projects.

There a new tool called nWire for PHP. It is a code exploration plugin for Eclipse PDT and Zend Studio 7.x. It enables real-time code analysis for PHP and provides the following tools:

• Code visualization - interactive graphical representation of components and associations.
• Code navigation - unique navigation view shows all the associations and works with you while you write or read code.
• Quick search - search as you type for methods, fields, file, etc.

PHP PMD (project mess detector) and PHP CPD (copy paste detector) as the former part of PHPUnit

There is RIPS - A static source code analyser for vulnerabilities in PHP scripts. Sources of RIPS available at SourceForge.

From the RIPS site:

RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis. By tokenizing and parsing all source code files RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by userinput (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities RIPS also offers an integrated code audit framework for further manual analysis.

There is absolutely new tool for static code analysis called PHP Analyzer.

Among many types of static analysis it also provides basic auto-fixing functionality, see documentation.

UPDATE: PHP-Analyzer is now deprecated project but you still can access it on legacy branch

You may want to try compiling with Facebook\'s hiphop.

It does a static analysis on the entire project, and may be what you\'re looking for.

https://github.com/facebook/hiphop-php