
PHP Static Code Analysis: A Developer's Guide

A practical guide to static code analysis for PHP — PHPStan, Psalm, PHP_CodeSniffer, and how to identify common web vulnerabilities in PHP applications.

By the Hyrax team · 5 min read · May 1, 2026

TL;DR
  1. PHP and Static Analysis
  2. Key PHP Static Analysis Tools
  3. Common Issues Detected
  4. Running Static Analysis
  5. Connection to Autonomous Code Governance

PHP and Static Analysis

PHP powers a large portion of the web — WordPress, Drupal, Magento, and many custom applications. Its permissive design (loose typing, global variables, dynamic includes) makes it productive for rapid development but challenging to analyze statically. Modern PHP (8.x) has significantly improved with strict types, union types, enums, and fibers — features that enable more precise static analysis.

PHP applications are frequent targets for web application attacks: SQL injection, XSS, RFI, LFI, and CSRF. Static analysis is a primary defense for catching these vulnerability classes before deployment.

Key PHP Static Analysis Tools

PHPStan

The most widely adopted PHP static analysis tool. It uses a rule-level system (0-9) in which higher levels enable stricter checks. PHPStan catches type errors, undefined variables, null dereferences, and many common bugs without running the code. Its PHPDoc type system allows precise type annotations even in codebases that do not declare strict_types. A plugin ecosystem adds framework-specific rules for Laravel, Symfony, and Doctrine.

Psalm

Vimeo's PHP static analysis tool. Similar to PHPStan but with stronger taint analysis capabilities for security. Psalm's taint analysis tracks user-supplied data from input sources (superglobals, request data) through the code to sinks (database queries, HTML output, system calls) to detect injection vulnerabilities. Excellent for security-focused analysis of web applications.

PHP_CodeSniffer

A coding standards checker. Enforces PSR-1, PSR-2, PSR-12, and custom coding standards. Less focused on bugs and security than PHPStan/Psalm, more on code style consistency. Often used alongside PHPStan for complete coverage.

PHPMD (PHP Mess Detector)

Detects code quality issues: cyclomatic complexity, naming issues, unused variables, and design problems. Similar to PMD for Java. Useful for identifying complex, difficult-to-maintain code.

Common Issues Detected

  • SQL injection via string concatenation with user input
  • XSS via unsanitized output of user-controlled data
  • Remote file inclusion (RFI) via dynamic includes with user input
  • Local file inclusion (LFI) via path traversal in file operations
  • Command injection via exec(), system(), passthru() with user input
  • Unvalidated redirects via header() with user input
  • Hardcoded credentials in database configuration
  • Weak session management and CSRF vulnerabilities
  • Type juggling bugs from loose comparison (== instead of ===)
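The last item in that list is easiest to understand in code. The following example is added here and is not from the original page; every value in it is a constructed sample. It shows which loose comparisons PHP evaluates as true, why `declare(strict_types=1)` does not help (it governs argument and return coercion, not `==`), and the constant-time, type-strict comparison to use for secrets such as tokens and digests.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. strict_types affects how values
// are coerced at function boundaries; it has no effect on the == operator.

/**
 * Loose comparisons that evaluate to true in PHP 8 even though the operands differ.
 * Each value is a constructed sample.
 *
 * @return array<string, bool>
 */
function looseComparisonExamples(): array
{
    return [
        // Two numeric-looking strings are compared as numbers; both parse to 0.0.
        'numeric strings, ==' => '0e12345' == '0e99999',         // true
        'numeric strings, ===' => '0e12345' === '0e99999',       // false
        // Scientific notation is numeric too: "1e1" is 10.
        'exponent string, ==' => '1e1' == '10',                  // true
        // in_array() and array_search() are loose unless the third argument is true.
        'in_array default' => in_array('1e1', ['10']),           // true
        'in_array strict' => in_array('1e1', ['10'], true),      // false
        // Before PHP 8, 0 == 'abc' was also true; PHP 8 compares number-vs-string as strings.
        'int vs non-numeric string' => 0 == 'abc',               // false on PHP 8, true on PHP 7
    ];
}

/**
 * Vulnerable pattern: a stored digest compared with ==. If both strings look
 * numeric (leading "0e"), the comparison succeeds for unrelated inputs, and
 * == also stops at the first differing byte, which leaks timing information.
 * Extensions such as phpstan-strict-rules report loose comparisons like this one.
 */
function tokenMatchesLoose(string $storedDigest, string $supplied): bool
{
    return hash('sha256', $supplied) == $storedDigest;
}

/**
 * Hardened pattern: hash_equals() compares byte-for-byte in constant time and
 * never coerces its arguments, so numeric-string juggling cannot occur.
 */
function tokenMatchesStrict(string $storedDigest, string $supplied): bool
{
    return hash_equals($storedDigest, hash('sha256', $supplied));
}

// Constructed sample: a digest that happens to start with "0e", as a stored
// value would if an attacker could choose it.
$stored = '0e' . str_repeat('1', 62);
var_dump(tokenMatchesLoose($stored, 'anything'));  // true only if the computed digest is also "0e" + digits
var_dump(tokenMatchesStrict($stored, 'anything')); // false
```

The practical rule is that `==`, `in_array()` without the strict flag, `array_search()` and `switch` (which compares loosely) should never decide an authentication or authorization outcome; use `===`, the strict flag, `match`, or `hash_equals()` for secrets.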

Running Static Analysis

PHP CI analysis pipeline:

  1. Install PHPStan: composer require --dev phpstan/phpstan
  2. Run PHPStan: vendor/bin/phpstan analyse src/ --level=6
  3. Install Psalm: composer require --dev vimeo/psalm
  4. Run Psalm with taint analysis: vendor/bin/psalm --taint-analysis
  5. Run PHP_CodeSniffer: vendor/bin/phpcs --standard=PSR12 src/
  6. Fail CI on any error-level finding from PHPStan or Psalm

Connection to Autonomous Code Governance

PHP web applications are high-value targets for injection attacks — and injection vulnerabilities have well-defined fix patterns. Prepared statements replace concatenated SQL; htmlspecialchars() or a template engine sanitizes output; basename() prevents path traversal. Hydra identifies these patterns through Psalm's taint analysis, generates parameterized fixes, and verifies them against the application's test suite before opening a remediation PR.

Frequently Asked Questions

What is PHP taint analysis?

Taint analysis tracks the flow of user-supplied data (from superglobals like $_GET, $_POST, $_COOKIE) through a PHP application. When tainted data reaches a "sink" — a database query, HTML output, system call, or file operation — without being properly sanitized or validated, taint analysis flags the path as a potential injection vulnerability.

What is PHPStan's level system?

PHPStan analyzes code at levels 0 through 9. Level 0 is the most permissive (basic checks only). Level 9 is the strictest (requires precise types for all operations). Most new projects start at level 6 and work toward 8 or 9. Legacy codebases often start at level 0 and raise the level incrementally.

How do I prevent SQL injection in PHP?

Use PDO or MySQLi with prepared statements. Never concatenate user input into SQL strings. Use query parameters: $stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?"); $stmt->execute([$id]). PHP_CodeSniffer and Psalm can flag direct string concatenation in database queries.
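The following added example (not code from the original page) puts the two preceding answers together: one request handler in its vulnerable form, where `$_GET` flows into both a SQL sink and an HTML sink, and in its hardened form. The table and column names, the `DB_DSN`/`DB_USER`/`DB_PASSWORD` environment variables and the helper names `e()`, `listUsersVulnerable()` and `listUsersHardened()` are assumptions made for the example. It also covers a case the FAQ answer does not: an `ORDER BY` column taken from the request cannot be bound as a parameter and must be allowlisted instead.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. Table/column names and the
// environment variable names are constructed for illustration.

/**
 * Vulnerable: the request values reach a SQL sink (PDO::query) and, via the
 * returned markup, an HTML sink (echo) without sanitization. Psalm's taint
 * analysis reports this as TaintedSql and TaintedHtml paths.
 */
function listUsersVulnerable(PDO $pdo): string
{
    $role = $_GET['role'] ?? 'member';   // taint source: user-controlled
    $sort = $_GET['sort'] ?? 'name';     // taint source: user-controlled

    $sql  = "SELECT name FROM users WHERE role = '" . $role . "' ORDER BY " . $sort; // SQL sink
    $html = '';
    foreach ($pdo->query($sql) as $row) {
        $html .= '<li>' . $row['name'] . '</li>';
    }
    return '<h1>' . $role . '</h1><ul>' . $html . '</ul>'; // reflected into HTML
}

/**
 * Project-specific HTML escaper. htmlspecialchars() is already known to Psalm
 * as removing the html taint; the annotation shows how to mark a wrapper so
 * taint stops propagating through it.
 *
 * @psalm-taint-escape html
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened: the value is bound as a parameter, the identifier is looked up in
 * a fixed allowlist, and every user-derived string is escaped on output.
 */
function listUsersHardened(PDO $pdo): string
{
    $role = (string) ($_GET['role'] ?? 'member');
    $sort = (string) ($_GET['sort'] ?? 'name');

    // Column names cannot be bound with prepare(); only a literal from an
    // allowlist may be interpolated into the SQL text. Unknown keys fall back.
    $allowedSort = ['name' => 'name', 'created' => 'created_at'];
    $orderBy = $allowedSort[$sort] ?? 'name';

    // The role value is sent to the server separately from the SQL text.
    $stmt = $pdo->prepare("SELECT name FROM users WHERE role = :role ORDER BY {$orderBy}");
    $stmt->execute([':role' => $role]);

    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $html .= '<li>' . e((string) $row['name']) . '</li>';
    }
    return '<h1>' . e($role) . '</h1><ul>' . $html . '</ul>';
}

/**
 * Connection helper: credentials come from the environment rather than the
 * source tree (the "hardcoded credentials" finding), emulated prepares are
 * disabled so binding is done by the database server, and errors throw.
 */
function connect(): PDO
{
    $dsn = getenv('DB_DSN') ?: 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4'; // constructed default
    $pdo = new PDO($dsn, (string) getenv('DB_USER'), (string) getenv('DB_PASSWORD'));
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// echo is the HTML sink that Psalm reports on; swap the function name to see
// the difference between the two versions under `vendor/bin/psalm --taint-analysis`.
echo listUsersHardened(connect());
```

Two design points worth noting: a prepared statement protects values only, so anything that shapes the query structure (column names, sort direction, table names, `LIMIT` counts in some drivers) needs an allowlist or a cast to a safe type; and escaping belongs at the output boundary, not at input, so the same stored value can be rendered safely into HTML, JSON or a log line with the escaper appropriate to each.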

What PHP version should I use for best static analysis support?

PHP 8.x, ideally the latest stable release. PHP 8.0 introduced union types, match expressions, and constructor promotion. PHP 8.1 added enums, readonly properties, and intersection types. PHP 8.2+ added readonly classes. All of these help PHPStan and Psalm build more precise type models, resulting in more accurate analysis.

Stop flagging. Start fixing.

Hyrax reviews your pull requests, remediates issues autonomously, and closes the ticket.
