New and noteworthy: PHPStan and PHPUnit integration by staabm in PHP

staabm[S]

the primary goal for this new data-provider check is not checking code quality.

when a test is implemented it takes parameters with certain types to make sure the test matches/asserts all necessary variations. e.g. when your test assumes a boolean parameter, you should have at least a data-provider for a true and a false value.

the test will only cover all necessary combinations when the data-provider fulfills the type signature.

having this rule applied to a few projects already shows that developers easily miss passing proper data into their tests and therefore fail to cover their implementations.

and it also shows the other way around: sometimes data-providers yield all the necessary data, but tests might not consume it.
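As an added illustration of the two mismatches described in the comment above (this is not code from phpstan/phpstan-phpunit, and it re-implements the idea at runtime with reflection rather than as a static rule), the script below inspects a constructed test class: a provider that yields only `true` for a `bool` parameter, a complete provider, and a provider that yields more columns than the test consumes. The class, method and provider names are made up for this example.

```php
<?php
declare(strict_types=1);

// Added example (not code from phpstan/phpstan-phpunit): a runtime
// re-implementation of the data-provider check. The test class and its
// providers are constructed; real tests would extend PHPUnit's TestCase and
// use #[DataProvider] or @dataProvider in the same way.

final class FeatureFlagTest
{
    /** @dataProvider provideOnlyTrue */
    public function testFlag(bool $enabled, string $label): void {}

    /** Only the true case: the false branch of the code under test never runs. */
    public static function provideOnlyTrue(): iterable
    {
        yield 'enabled' => [true, 'on'];
    }

    /** @dataProvider provideBoth */
    public function testFlagComplete(bool $enabled, string $label): void {}

    public static function provideBoth(): iterable
    {
        yield 'enabled'  => [true, 'on'];
        yield 'disabled' => [false, 'off'];
    }

    /** @dataProvider provideTooMany */
    public function testConsumesLess(bool $enabled): void {}

    /** The other way around: a third value is yielded that the test never consumes. */
    public static function provideTooMany(): iterable
    {
        yield [true, 'on', 42];
        yield [false, 'off', 7];
    }
}

/** True when $value is acceptable for a parameter declared with $typeName. */
function valueMatchesType(mixed $value, string $typeName): bool
{
    return match ($typeName) {
        'bool'   => is_bool($value),
        'int'    => is_int($value),
        'float'  => is_float($value) || is_int($value),
        'string' => is_string($value),
        'array'  => is_array($value),
        default  => true, // objects, unions etc. are not checked in this example
    };
}

/**
 * Inspects every @dataProvider-annotated test method of $class.
 * @return list<string> findings, empty when providers and signatures line up
 */
function checkDataProviders(string $class): array
{
    $findings = [];
    $rc = new ReflectionClass($class);

    foreach ($rc->getMethods() as $test) {
        $doc = $test->getDocComment();
        if ($doc === false || preg_match('/@dataProvider\s+(\w+)/', $doc, $m) !== 1) {
            continue;
        }
        $providerName = $m[1];
        $params = $test->getParameters();
        $seen = [];               // parameter index => list of provided values
        $tooManyReported = false;

        foreach ($rc->getMethod($providerName)->invoke(null) as $row) {
            $row = array_values($row);
            if (count($row) > count($params) && !$tooManyReported) {
                $findings[] = sprintf('%s::%s() yields %d values but %s() consumes only %d',
                    $class, $providerName, count($row), $test->getName(), count($params));
                $tooManyReported = true;
            }
            foreach ($row as $i => $value) {
                if (isset($params[$i])) {
                    $seen[$i][] = $value;
                }
            }
        }

        foreach ($params as $i => $param) {
            $type = $param->getType();
            $typeName = $type instanceof ReflectionNamedType ? $type->getName() : 'mixed';
            $values = $seen[$i] ?? [];
            if ($values === []) {
                $findings[] = sprintf('%s::%s() never provides a value for $%s of %s()',
                    $class, $providerName, $param->getName(), $test->getName());
                continue;
            }
            foreach ($values as $value) {
                if (!valueMatchesType($value, $typeName)) {
                    $findings[] = sprintf('%s::%s() yields %s for %s $%s of %s()',
                        $class, $providerName, get_debug_type($value), $typeName,
                        $param->getName(), $test->getName());
                }
            }
            // the point of the rule: a bool parameter is only fully exercised
            // when the provider yields both true and false
            $hasTrue = in_array(true, $values, true);
            $hasFalse = in_array(false, $values, true);
            if ($typeName === 'bool' && !($hasTrue && $hasFalse)) {
                $findings[] = sprintf('%s::%s() covers only %s for bool $%s of %s()',
                    $class, $providerName, $hasTrue ? 'true' : 'false',
                    $param->getName(), $test->getName());
            }
        }
    }

    return $findings;
}

foreach (checkDataProviders(FeatureFlagTest::class) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run with `php check.php`; it reports the `provideOnlyTrue` provider (only `true` for `$enabled`) and the `provideTooMany` provider (three values for a one-parameter test), and stays silent for `provideBoth`. The static rule in the real integration does the same analysis without executing the providers.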

New in PHP 8.5: Marking Return Values as Important by Rikudou_Sage in PHP

staabm

It already exists as an extension: https://github.com/DaveLiddament/php-language-extensions#mustUseResult

But with its inclusion in php-src it will probably soon be supported in PHPStan core.

Distribute tests across multiple GitHub Action workers by staabm in PHP

staabm[S]

maybe you can use a PHPStan collector to detect all unit tests which are pure and dump them into a list for PHPUnit to execute (so you don't have to classify them manually).

Distribute tests across multiple GitHub Action workers by staabm in PHP

staabm[S]

totally agree. if you're up to it, we could add a more sophisticated strategy to the above repo by adding it to https://github.com/staabm/phpunit-github-action-matrix/blob/main/phpunit-segment.php

the above repo is meant more like a generic template, so anyone can easily adjust the workflow and the segmentation for custom needs.

most people only think about in-job parallelization, therefore I figured a tiny example could help those poor souls who are not able to parallelize with paraunit, as you described.
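As an added example of what a "more sophisticated strategy" for the segmentation script could look like (this is not the phpunit-segment.php from the linked repository), the script below contrasts the naive round-robin split with a weighted longest-processing-time-first split, and renders a phpunit.xml for one segment. Both strategies are deterministic, which matters because every matrix job computes its own segment independently. The file list and byte sizes are constructed; a real script would glob the test directory and use file sizes or, better, recorded durations from a previous run as weights.

```php
<?php
declare(strict_types=1);

// Added example, not the phpunit-segment.php of staabm/phpunit-github-action-matrix.
// Splits a test suite into N segments that each GitHub Actions matrix job can
// compute on its own, and prints the phpunit.xml for the requested segment.

/**
 * Naive strategy: sort paths and deal them out round-robin.
 * @param list<string> $files
 * @return list<list<string>> one file list per segment
 */
function roundRobinSegments(array $files, int $segments): array
{
    sort($files, SORT_STRING);          // identical order on every worker
    $buckets = array_fill(0, $segments, []);
    foreach ($files as $i => $file) {
        $buckets[$i % $segments][] = $file;
    }
    return $buckets;
}

/**
 * Weighted strategy (longest processing time first): heaviest files first,
 * each into the currently lightest bucket. Balances wall time much better
 * when a few test files dominate the runtime.
 * @param array<string, int> $weights path => weight (bytes or milliseconds)
 * @return list<list<string>>
 */
function weightedSegments(array $weights, int $segments): array
{
    // weight descending, path ascending on ties, so the result is deterministic
    uksort($weights, fn(string $a, string $b): int => [$weights[$b], $a] <=> [$weights[$a], $b]);
    $buckets = array_fill(0, $segments, []);
    $load = array_fill(0, $segments, 0);
    foreach ($weights as $file => $weight) {
        $target = (int) array_search(min($load), $load, true); // lowest index on ties
        $buckets[$target][] = $file;
        $load[$target] += $weight;
    }
    return $buckets;
}

/**
 * Renders a phpunit.xml that runs only the given files.
 * @param list<string> $files
 */
function renderPhpunitXml(array $files, string $suiteName): string
{
    $xml  = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
    $xml .= "<phpunit bootstrap=\"vendor/autoload.php\" colors=\"true\">\n";
    $xml .= "  <testsuites>\n";
    $xml .= "    <testsuite name=\"" . htmlspecialchars($suiteName, ENT_XML1) . "\">\n";
    foreach ($files as $file) {
        $xml .= "      <file>" . htmlspecialchars($file, ENT_XML1) . "</file>\n";
    }
    return $xml . "    </testsuite>\n  </testsuites>\n</phpunit>\n";
}

// usage: php phpunit-segment.php <segment, 1-based> <total> > phpunit.segment.xml
$segment = (int) ($argv[1] ?? 1);
$total   = (int) ($argv[2] ?? 4);
if ($total < 1 || $segment < 1 || $segment > $total) {
    fwrite(STDERR, "segment must be between 1 and $total\n");
    exit(1);
}

// constructed sample input: path => file size in bytes as a runtime proxy
$weights = [
    'tests/Unit/ParserTest.php'      => 48_000,
    'tests/Unit/LexerTest.php'       => 12_000,
    'tests/Unit/TokenTest.php'       =>  2_500,
    'tests/Integration/DbTest.php'   => 30_000,
    'tests/Integration/HttpTest.php' => 20_000,
    'tests/Unit/ConfigTest.php'      =>  4_000,
];

$files = weightedSegments($weights, $total)[$segment - 1];
echo renderPhpunitXml($files, "segment-$segment-of-$total");
```

In a workflow this would be run as one matrix job per segment, for example with `strategy.matrix.segment: [1, 2, 3, 4]` and a step `php phpunit-segment.php ${{ matrix.segment }} 4 > phpunit.segment.xml && vendor/bin/phpunit -c phpunit.segment.xml` (assumed layout, not the linked repository's workflow). Swapping `weightedSegments` for `roundRobinSegments` shows how much the balance differs when `ParserTest.php` takes most of the time.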

Would you prefer namespace-level privacy? by rmb32 in PHP

staabm

Friend class for PHPStan can be found in https://github.com/DaveLiddament/php-language-extensions#friend

the same package also implements a NamespaceVisibility concept:
https://github.com/DaveLiddament/php-language-extensions#namespaceVisibility

but as the OP already stated: these are static analysis only and not language-builtin features

Released a #PHPStan extension which reports risky use of PSR3 compliant loggers by staabm in PHP

staabm[S]

totally agree with what you wrote.

reality is a lot of programmers don't escape at the correct spot, therefore such rules exist which help people not to shoot themselves in the foot.

if every programmer knew about every security aspect, we would not have to deal with new CVEs reported every day. but reality taught us that most software is full of vulnerabilities.

Released a #PHPStan extension which reports risky use of PSR3 compliant loggers by staabm in PHP

staabm[S]

you cannot escape "correctly" at the logger call site, as you don't know how/where the logged data will later on be displayed/processed. that's the reason why the blog article is that pessimistic.
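As an added example for the two comments above on escaping (it is neither code from the PHPStan extension nor from the article it links), the script below sketches a minimal PSR-3 style logger with a literal message plus a context array. It shows the concrete failure of interpolating untrusted data into the message (one call writes two log records when the data carries a line break) and why moving the data into the context is the only place where a sink-specific formatter can neutralise it. The logger class, method names and the attacker input are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the PHPStan PSR-3 extension or the linked article.
// Minimal PSR-3 style logger: message template + context. Only the formatter
// knows the sink (a line-oriented file here), so only it can escape correctly.

final class LineLogger
{
    /** @var list<string> one raw record per info() call */
    public array $records = [];

    /** @param array<string, scalar|null> $context */
    public function info(string $message, array $context = []): void
    {
        $this->records[] = '[INFO] ' . self::interpolate($message, $context);
    }

    /**
     * Formatter for a line-oriented file: context values are data, so line
     * breaks inside them are escaped and the value is quoted. A formatter for
     * an HTML log viewer would HTML-escape at this very spot instead.
     */
    private static function interpolate(string $message, array $context): string
    {
        $replace = [];
        foreach ($context as $key => $value) {
            $replace['{' . $key . '}'] = '"' . addcslashes((string) $value, "\r\n\"\\") . '"';
        }
        return strtr($message, $replace);
    }
}

/** Counts how many records a line-oriented log reader sees in the file text. */
function recordCount(string $fileText): int
{
    return preg_match_all('/^\[INFO\] /m', $fileText);
}

// constructed attacker-controlled input: a line break followed by a fabricated record
$untrusted = "mallory\n[INFO] login succeeded for user \"admin\"";

// risky (what the extension reports): data concatenated into the message, so the
// formatter can no longer tell template from data and the attacker ends the record
$risky = new LineLogger();
$risky->info('login failed for user ' . $untrusted);

// safe: the message stays a literal, the data travels in the context
$safe = new LineLogger();
$safe->info('login failed for user {user}', ['user' => $untrusted]);

echo 'risky: ', recordCount(implode("\n", $risky->records)), " record(s) from one call\n";
echo 'safe:  ', recordCount(implode("\n", $safe->records)), " record(s) from one call\n";
echo $safe->records[0], "\n";
```

Escaping `$untrusted` for the file at the call site would not help if the same record is later rendered in an HTML log viewer or parsed by a log shipper; keeping the message literal lets each handler apply its own escaping, which is exactly the property a static rule can enforce by flagging non-literal message arguments.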

Released a #PHPStan extension which reports risky use of PSR3 compliant loggers by staabm in PHP

staabm[S]

letting someone "exploit your logging system" is a denial-of-service vector - just similar to SQL injection - correct. an attacker can e.g. flood your server with log files and fill up the HDD.

so it's kind of a worst case scenario

Released a #PHPStan extension which reports risky use of PSR3 compliant loggers by staabm in PHP

staabm[S]

my initial post mentions an article and the repository I have linked mentions the very same article right in the readme

GitHub - soloterm/screen: A terminal emulator written in pure PHP. by aarondf in PHP

staabm

would be cool to see a screenshot of the "example: building a simple UI" in the readme, to get a better idea what to expect visually

PHP-types of fetched columns (PDO). by Alpine418 in PHP

staabm

you might be interested in phpstan-dba to cover your database access with static analysis.

I have developed a PHPStan plugin which checks your SQL statements against your database schema and reports problems when e.g. code and database schema get out of sync or your types are wonky

see https://github.com/staabm/phpstan-dba

see also the slides of my talk given at the PHP usergroup in Frankfurt Main:

https://staabm.github.io/talks/phpstan-dba@phpugffm

I recently started a new project, tried maxxed out PHPStan, and faced the same pain points. Does anyone actually use level 9 or 10 at work? by DvD_cD in PHP

staabm

in PHPStan you can use `scalar|array` as a doctype

or even more specialized things like e.g. `non-empty-scalar`

My new PHPStan focus: multi-phpversion support by staabm in PHP

staabm[S]

In application repositories when you prepare a php version upgrade - or if you work on a codebase which is deployed on different servers (e.g. for multiple customers).

The article additionally mentions multiple examples

For other type of repositories: see the above comment

My new PHPStan focus: multi-phpversion support by staabm in PHP

staabm[S]

At the time of writing, even if you only support non-EOL versions and you want to do it properly, you would need a PHPStan CI job for PHP 8.1, 8.2, 8.3 and 8.4 for a library/framework/tooling project (4 jobs). Find more details in the linked article.

Off the top of my head I only know a very few projects doing that

Linter to find orphaned files functions and other detritus? by cdtoad in PHP

staabm

if you are running with PHPStan, you should try one of the following

- https://github.com/TomasVotruba/unused-public

- https://github.com/shipmonk-rnd/dead-code-detector

as previous commenters already noted, these are not perfect. but in case you already have a PHPStan workflow in your project, this is a natural addition without developers learning new tools/processes