Home » Posts tagged "php"

也是拿來掃 PHP 程式碼的 PHPStan...

PHPStan 也是 PHP 的靜態分析工具,官方給的 slogan 是「PHP Static Analysis Tool - discover bugs in your code without running it!」。然後官方給了一個 GIF,直接看就大概知道在幹什麼了:

Phan 類似,也是要 PHP 7+ 才能跑,不過實際測試發現不像 Phan 需要 php-ast

PHPStan requires PHP ^gt;= 7.0. You have to run it in environment with PHP 7.x but the actual code does not have to use PHP 7.x features. (Code written for PHP 5.6 and earlier can run on 7.x mostly unmodified.)

PHPStan works best with modern object-oriented code. The more strongly-typed your code is, the more information you give PHPStan to work with.

Properly annotated and typehinted code (class properties, function and method arguments, return types) helps not only static analysis tools but also other people that work with the code to understand it.

拿上一篇「用 Phan 檢查 PHP 程式的正確性」的例子測試,也可以抓到類似的問題:

vendor/bin/phpstan analyse -l 7 src/
 1/1 [▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓] 100%

 ------ --------------------------------------------------------------
  Line   src/Foo.php
 ------ --------------------------------------------------------------
  13     Method Gslin\Foo::g() should return string but returns null.
 ------ --------------------------------------------------------------

 [ERROR] Found 1 error

這樣總算把積壓在 tab 上關於 PHP 工具都寫完了,之後要用才有地方可以翻... XD

用 Phan 檢查 PHP 程式的正確性

Phan 這套也是拿來檢查 PHP 程式用的,也是儘量避免丟出 false alarm。不過 Phan 只能用在 PHP 7+ 環境,原因是使用 php-ast,另外有一些額外建議要裝的套件:

This version (branch) of Phan depends on PHP 7.1.x with the php-ast extension (0.1.5 or newer, uses AST version 50) and supports PHP version 7.1+ syntax. Installation instructions for php-ast can be found here. For PHP 7.0.x use the 0.8 branch. Having PHP's pcntl extension installed is strongly recommended (not available on Windows), in order to support using parallel processes for analysis (or to support daemon mode).

最新版還只能跑在 PHP 7.2 上面,用的時候要注意一下 XD (我在測試時,require-dev 指定 0.11.0,結果被說只有 PHP 7.1 不符合 dependency,後來放 * 讓他去抓適合的版本)


class Foo
     * @param string $p
     * @return string
     */    function g($p) {
        if (!$p) {
            return null;
        return $p;


src/Foo.php:13 PhanTypeMismatchReturn Returning type null but g() is declared to return string

也是掛進 CI 裡面的好東西...

用 Psalm 掃出 PHP 有問題的程式碼

Psalm 的 slogan 是「A static analysis tool for PHP」,由 Vimeo 發展並開放出來的軟體:「vimeo/psalm」。

目前是 v0.3.71,所以需要 PHP 5.6 以上才能跑:

  • v0.3.x supports checking PHP 5.4 - 7.1 code, and requires PHP 5.6+ to run.
  • v0.2.x supports checking PHP 5.4 - 7.0 code and requires PHP 5.4+ to run.

Psalm 主要的目標是找出哪邊「已經發生錯誤」,而不像其他幾套的目標是「預防」,這樣可以避免過高的 false alarm...

用 Composer 的 require 限制,擋掉有安全漏洞的 library...

查資料的時候查到的,在 GitHub 上的 Roave/SecurityAdvisories 這個專案利用 Composerrequire 條件限制,擋掉有安全漏洞的 library:

This package ensures that your application doesn't have installed dependencies with known security vulnerabilities.

看一下 composer.json 就知道作法了,裡面的 description 也說明了這個專案的用法:

Prevents installation of composer packages with known security vulnerabilities: no API, simply require it

這方法頗不賴的 XDDD

Amazon Athena 可以透過 ODBC 連接了

Amazon Athena 支援 ODBC 了 (先前直接連結只支援 JDBC):「Amazon Athena adds support for querying data using an ODBC driver」。

With the availability of a new ODBC driver, you can now connect popular business intelligence tools to Athena. This allows you to report and visualize all of your data in S3 with the tools of your choice. In addition to the ODBC driver, Customers can now connect to Amazon Athena using a JDBC driver, an API and via the AWS Console.

這讓非 Java 的程式語言可以更方便的接上去了,像是 PHPPDO 支援 ODBC 但不支援 JDBC,要用就得想其他辦法:「PHP: PDO Drivers - Manual」。

PHP {7.1,7.0,5.6} 總算成為主流了...

PHP {7.1,7.0,5.6} (至少有安全性支援的版本) 佔了 90% 以上的量... 至少是有用 Composer 族群的主流了:「PHP Versions Stats - 2017.2 Edition」。

All versions                    Grouped
PHP 7.1.10      11.63%          PHP 7.136.63% (+18.99)
PHP 7.0.22      7.95%           PHP 7.030.76% (-5.36)
PHP 5.6.31      7.38%           PHP 5.623.28% (-8.16)
PHP 5.6.30      7.23%           PHP 5.56.11% (-4.5)
PHP 7.0.24      5.45%           PHP 5.41.51% (-1.6)
PHP 7.1.11      4.55%           PHP 5.30.76% (-0.22)

可以看出大家都在往 PHP 7.1 推了...

PHP 7.3 的 function 也會支援 trailing comma 了

這投票殺來殺去了好幾次才過,從 PHP 7.3 開始在 function 呼叫時就能接受 trailing comma 了:「PHP RFC: Allow a trailing comma in function calls」。

Wait, didn't we just vote on this?

Yes, there was an RFC to add trailing commas to all list syntax in PHP 7.2. Unfortunately due to an oversight on my end, the vote for function calls and function declarations was combined into one vote so the vote failed (but just barely!)

I was contacted by many “no” voters saying that they would have voted “yes” for function calls, but “no” for function declarations. This RFC proposes allowing a trailing comma in function call syntax only.

We are allowed to put this feature up for vote again since the mandatory 6-month waiting period has passed since the last vote and this RFC targets a new major version of PHP.

這次以 30:10 過了... (需要 2/3 以上同意)