Automated code audits

Oct 12, 20141 like591 views

Even nowadays, PHP code is mostly manually audited. Expert pore over actual code, in search for bugs or code smells. Actually, it is possible to have PHP do this work itself ! Strengthened with the internal Tokenizer, bolstered by the manual, it is able to scan thousands of lines of code, without getting bored, and bringing pragmatic pieces of wisdom: official manual recommendations, version migration, code pruning and security. In the end, it deliver a global overview of the code, without reading it.

Automatic code
audits
Rotterdam, Nederland, October 9th
010PHP

Definition
A kind of code analysis where the code is
reviewed without running it.
Just like we would do ourselves!

Who is speaking?
Damien Seguy
CTO at exakat
Phather of the plush toy elePHPant
Back from China
Stepping up automated code audit services

<?php!
function x($a) {
return $a;
}
x(1, 2);
?>

Found
Dead code
Undefined structures
Unused structures
Illogical exp.
Slow code
Bad practices
Unsafe code
Maintainability
Bug issue
Ancient style
Uninitialized vars
Taint propagation

<?php
switch ($this->consume())
{
case "x09":
case "x0A":
case "x0B":
case "x0B":
case "x0C":
case "x20":
case "x3C":
case "x26":
case false:
break;
case "x23":
switch ($this->consume())
{
case "x78":
case "x58":
$range = '0123456789ABCDEFabcdef';
$hex = true;
break;
}
}{
?>

$protected function openString($end, &$out=null, $nestingOpen, $rejectStrs = null) $nestingLevel = $count = 0; $content = array(); while ($this->match($patt, $m, false)) { $tok = $m[2]; if ($tok == "@{" && $this->interpolation($inter)) { $content[] = $inter; continue; } if (!empty($rejectStrs) && in_array($tok, $rejectStrs)) { $ount = null; break; } $content[] = $tok; $count += strlen($tok); } $this->eatWhiteDefault = $oldWhite; if (count($content) == 0) return false; $out = array("string", "", $content); return true; }$

Spot bugs early
Code Test PreProd Production
Run it at commit Run it as audit

Static audit vs Unit test
No running
100% of the code
Symbolic testing
Little configuration
Has false positive
Mostly internal
Needs dedicated servers
Will only scan a part
Test only provided data
Write scenario
Has false negative
Can be handed to users

When does it help
Help port to a new system
Search for weak code fragments
Audit external libraries
Hint at refactoring

$Bugs <?php ! ! if($content = file_get_contents($file)) { $content = trim($content); $content = substr($content, -2) == '?>' ? substr($content, 0, -2) : $content; } ! return true;! ?> !$

Useless code
<?php!
!
// inside a legit class
$this->module->xmlRequest;
$_G['setting']['debug'];
$post['usesig'] ? ($_G['setting']['sigviewcond'] ?
(strlen($post['message']) > $_G['setting']['sigviewcond'] ?!
! ! ! ! $post['signature'] : '') !
! ! ! ! ! : $post['signature']) : '';
?> !

Suggestions
<?php !
// Nested ternary should be turned into if then structures
$operation == 'ENCODE' ? sprintf('%010d', $expiry ? $expiry + time( ) : 0) . substr(($string . $egiskeys), 0, 16) . $string : base64_decode(substr($string, $key_length))
// Multiply by one is useless
SetCache($prefix, $key, $row, 60*60*1);
// Portable syntax
$bits = split('.', $string);
$y = $bits[0];
! // Modern syntax
$y = split('.', $string)[0];
?> !

Where it doesn’t help
Unit tests
Architecture
Old traditions that won’t change
Semantic errors

Architecture
No framework context
Conception is done before coding
Of course!
Static audit will report standards,
not norms

Old traditions
<?php
$pna = explode(')(', $pn);
while (list($k, $v) = each($pna)) {
$lst = explode('"', $v);
if (isset($lst[3])) {
$pn[$lst[1]] = $lst[3];
} else {
$pn[$lst[1]] = '';
}
}
?>
10 % of current applications uses this instead of foreach()

Semantic errors
<?php
$babycarriage = new carriage();
$wheel1 = new Racingwheel();
$wheel2 = new Racingwheel();
$wheel3 = new Racingwheel();
$wheel4 = new Rhinoceros();
$babycarriage->installWheels($wheel1, #
# # # # # # # # # # # # $wheel2, #
# # # # # # # # # # $wheel3, #
# # # # # # # # # # $wheel4);
?>
Undefined classes : Vehicle, Racingwheel, Rhinoceros

Available analyzers
PHP code sniffer
PHP MD
Scrutinizer-ci
Fortify
insight from Sensio

damien.seguy@
gmail.com
http://www.slideshare.net/
dseguy

THE END
http://010php.nl/
http://www.meetup.com/010PHP/

This document introduces PHPSpec, a BDD framework for PHP inspired by RSpec. It discusses the principles of behavior-driven development (BDD) and test-driven development (TDD), and how PHPSpec implements a domain-specific language (DSL) that allows developers to write specifications in a natural language style. The document provides examples of how to write PHPSpec specifications using its matchers and contexts, run the specifications, and handle pending and failing tests. It also briefly discusses related tools like mocks, screen scraping with Goutte, and how BDD fits into the development cycle.

The road to continuous deployment (PHPCon Poland 2016)Michiel Rook

As presented at PHPCon Poland 2016 It's a situation many of us are familiar with: a large legacy application, limited or no tests, slow & manual release process, low velocity, no confidence.... Oh, and management wants new features, fast. But how to proceed? Using examples and lessons learned from a real-world case, I'll show you how to strangle the legacy application with a modern service architecture and build a continuous deployment pipeline to deliver value from the first sprint. On the way, we take a look at testing strategies and various (possibly controversial!) tips and best practices.

Mocking Dependencies in PHPUnitmfrost503

This document discusses mocking dependencies in PHPUnit tests. It begins by defining dependencies and dependency injection, and why it is important to mock dependencies in unit tests. It then covers defining test doubles like mocks, stubs, and dummies to simulate dependencies. Various examples are provided for mocking different types of dependencies, like APIs, databases, and external data sources. The goal of mocking is to test units of code in isolation without relying on other components, in order to make tests faster and more reliable.

Building Testable PHP Applicationschartjes

The document discusses building testable PHP applications. It covers topics like testing code, testable architecture, dependency injection, and static code analysis tools like PHP Code Sniffer, PHP Mess Detector, and PHP Copy Paster Detector. The document emphasizes that writing tests and designing for testability leads to fewer bugs and more maintainable code. It provides examples of unit testing and recommends test-driven development practices.

Workshop quality assurance for php projects tek12Michelangelo van Dam

Beginning PHPUnitJace Ju

The document discusses how to write unit tests for PHP code using the PHPUnit testing framework. It provides an example of testing a Math class that contains a sum() method. It demonstrates creating a test case class called MathTest that extends PHPUnit's test case class. The MathTest class contains a testSum() method that asserts the expected output of calls to Math::sum() using PHPUnit's assertion methods. It also shows how to use a data provider method to pass multiple sets of parameters to the test method.

Testing in LaravelAhmed Yahia

The document discusses unit testing in Laravel. It provides an overview of why unit testing is important, how to set up and configure unit tests in Laravel using PHPUnit, and examples of writing different types of tests including HTTP requests, file uploads, database queries, and browser tests using Dusk. Key points covered include the benefits of testing, how to generate and structure test files, common assertions to make in tests, and tips for test-driven development.

Getting Testy With Perl6Workhorse Computing

Practical Ext JS DebuggingShea Frederick

null Pune meet - Application Security: Code injectionn|u - The Open Security Community

Code injection occurs when invalid data is injected as code instead of data and executed as part of a program. Common code injection techniques include buffer overflows, SQL injection, and cross-site scripting (XSS). Buffer overflows occur when input length exceeds the buffer size, overwriting the stack and potentially changing the return address. SQL injection happens when unsanitized user input is inserted into SQL queries, allowing manipulation of the database. XSS injects client-side script code by inputting it into a web application. To prevent code injection, developers must never trust unsanitized user input.

Debugging Your Ext JS CodeSencha

PhpUnit Best PracticesEdorian

- The document discusses best practices for writing PHPUnit tests, including writing tests, upgrading to PHPUnit 3.7, installing PHPUnit via different methods like PHAR, Composer, and PEAR, using specific assertions, and having a fast test suite. - It recommends separating tests by folder structure or config file, only testing relevant behaviors of classes rather than internal methods, and not testing simple getters and setters. The goal is writing clean, testable code and tests that verify class behaviors rather than implementation details.

Workshop quality assurance for php projects - ZendCon 2013Michelangelo van Dam

Everyone talks about raising the bar on quality of code, but it's always hard to start implementing it when you have no clue where to start. With this talk I'm shooing that there are many levels developers can improve themselves by using the right tools. In this talk I'll go over each tool with examples how to use them against your codebase. A must attend talk for every developer that wants to scale up their quality. Most PHP developers deploy code that does what the customer requested but they don't have a clue about the quality of the product they deliver. Without this knowledge, maintenance can be a hell and very expensive. In this workshop I cover unit testing, code measuring, performance testing, debugging and profiling and give tips and tricks how to continue after this workshop.

Quality Assurance for PHP projects - ZendCon 2012Michelangelo van Dam

This document provides an overview of quality assurance for PHP projects. It discusses the importance of revision control, documentation, testing, and automation in QA. Revision control systems like SVN and Git are recommended for team development and tracking code versions. PHP Lint is introduced for syntax checking files from the command line. Documenting code with PHPDoc is suggested. Unit testing forms and models is demonstrated using PHPUnit. Validation, filtering, and sanitizing user input is important for protection against exploits. Overall the document promotes establishing strong quality practices like testing, revision control, and documentation for PHP projects.

Testing JavaScript ApplicationsThe Rolling Scopes

Rails is not just RubyMarco Otte-Witte

PHP unserialization vulnerabilities: What are we missing?Sam Thomas

UA testing with Selenium and PHPUnit - PFCongres 2013Michelangelo van Dam

Nothing is as frustrated as deploying a new release of your web application to find out functionality you had doesn't work anymore. Of course you have all your unit tests in place and you run them through your CI environment, but nothing prepared you to a failing javascript error or a link that doesn't work anymore. Welcome to User Acceptance testing or UAT. Before you start putting real people in front of your application, create macros and export them as PHPUnit test classes. Then run them in an automated way just like your unit tests and hook them into your CI. In this talk I will show you how easy it is to create Selenium macros that can be converted into PHPUnit scripts and run automatically on different virtual machines (VM's) so you can test all different browsers on a diversity of operating systems.

Jasmine - why JS tests don't smell fishyIgor Napierala

Unit testing JavaScript code with Jasmine allows developers to test functionality in isolation through matchers, spies, and asynchronous handling. Key benefits include cheaper QA, better documentation, improved code quality, and easier debugging. While some are deterred by complex asynchronous code or small projects, unit testing pays off through early bug detection and confidence that features work as intended.

Testing Code and Assuring QualityKent Cowgill

RSpecMarco Otte-Witte

The document discusses RSpec, a behavior-driven development (BDD) framework for testing Ruby code. It describes how RSpec allows writing tests in a natural language style using "should" statements. Examples are provided for different types of RSpec tests, including model, controller, and view tests. Shared examples, custom matchers, and integration with Cucumber for writing tests in a storytelling format are also covered. The document concludes with information on installing and running RSpec and generating reports from test results.

Building Maintainable Applications in ApexJeffrey Kemp

The document is the agenda for a talk on building maintainable applications in Apex. It discusses maintainable PL/SQL and using an MVC architecture. It also provides examples of unclear and clear code and emphasizes consistency, readability, and writing code that future maintainers will appreciate. The document includes controversial statements, quotes, and code examples to illustrate techniques for writing maintainable code.

ExcellentMarco Otte-Witte

PHPUnit best practices presentationThanh Robi

This document provides best practices for writing PHPUnit tests, including: do not write tests that do not test anything or test too much; exploit dependencies between tests; use the most specific assertion; decouple test code from test data; organize tests by class; run tests via XML configuration; disable unnecessary PHPUnit features; use code coverage whitelisting; annotate tests to make coverage more meaningful; and avoid unnecessary patterns like singletons.

Workshop 10: ECMAScript 6Visual Engineering

Unit testing with mochaRevath S Kumar

Unit Testing in SilverStripeIngo Schommer

Old Oracle VersionsJeffrey Kemp

This document summarizes top gotchas or issues with older Oracle database versions, providing examples of outdated syntax or features no longer supported. It covers 20 topics such as using record types for inserts, temporary tables, analytic functions, writing BLOBs to files, and limitations of DBMS_OUTPUT in earlier versions. The document aims to help users of aged Oracle databases avoid problems by being aware of limitations and using alternative approaches as needed.

Beeckestijn masterclass e village 19 sept som | smart online marketing

Tips & tools for (starting) sourcersRené Bolier

The document provides 12 tips and accompanying tools for sourcing candidates. The tips include familiarizing yourself with a new city using Google Streetview, checking cost of living comparisons on Numbeo, and using tools like LinkedIn Alumni and Facebook Graph Search to research candidates' backgrounds and interests. Additional tips recommend tools for analyzing email open and response rates, and connecting with sourcing experts on social media. The document encourages recruiters to apply these tips and tools to improve their sourcing effectiveness.

More Related Content

What's hot (20)

Practical Ext JS DebuggingShea Frederick

null Pune meet - Application Security: Code injectionn|u - The Open Security Community

Debugging Your Ext JS CodeSencha

PhpUnit Best PracticesEdorian

Workshop quality assurance for php projects - ZendCon 2013Michelangelo van Dam

Quality Assurance for PHP projects - ZendCon 2012Michelangelo van Dam

Testing JavaScript ApplicationsThe Rolling Scopes

Rails is not just RubyMarco Otte-Witte

PHP unserialization vulnerabilities: What are we missing?Sam Thomas

UA testing with Selenium and PHPUnit - PFCongres 2013Michelangelo van Dam

Jasmine - why JS tests don't smell fishyIgor Napierala

Testing Code and Assuring QualityKent Cowgill

RSpecMarco Otte-Witte

Building Maintainable Applications in ApexJeffrey Kemp

ExcellentMarco Otte-Witte

PHPUnit best practices presentationThanh Robi

Workshop 10: ECMAScript 6Visual Engineering

Unit testing with mochaRevath S Kumar

Unit Testing in SilverStripeIngo Schommer

Old Oracle VersionsJeffrey Kemp

Practical Ext JS DebuggingShea Frederick

null Pune meet - Application Security: Code injectionn|u - The Open Security Community

Debugging Your Ext JS CodeSencha

PhpUnit Best PracticesEdorian

Workshop quality assurance for php projects - ZendCon 2013Michelangelo van Dam

Quality Assurance for PHP projects - ZendCon 2012Michelangelo van Dam

Testing JavaScript ApplicationsThe Rolling Scopes

Rails is not just RubyMarco Otte-Witte

PHP unserialization vulnerabilities: What are we missing?Sam Thomas

UA testing with Selenium and PHPUnit - PFCongres 2013Michelangelo van Dam

Jasmine - why JS tests don't smell fishyIgor Napierala

Testing Code and Assuring QualityKent Cowgill

RSpecMarco Otte-Witte

Building Maintainable Applications in ApexJeffrey Kemp

ExcellentMarco Otte-Witte

PHPUnit best practices presentationThanh Robi

Workshop 10: ECMAScript 6Visual Engineering

Unit testing with mochaRevath S Kumar

Unit Testing in SilverStripeIngo Schommer

Old Oracle VersionsJeffrey Kemp

Viewers also liked (19)

Beeckestijn masterclass e village 19 sept som | smart online marketing

Tips & tools for (starting) sourcersRené Bolier

Beste-werkgevers-onderzoek-2013Effectory

20120927 voordracht bij marnixring waregemTrigger - social media marketing & training

Beste Werkgeversonderzoek 2013 - Effectory & IntermediairEffectory

Girls of Promise-Schedule BWomen's Foundation of Arkansas

The document outlines an agenda for a conference that includes check-in and surveys from 8:15-9:00 AM, a morning general session from 9:00-9:20 AM, two breakout sessions and an alumnae track from 9:20-11:05 AM, a keynote general session from 11:05-12:05 PM, lunch and photos from 12:05-12:40 PM, a speaker extravaganza from 12:45-1:10 PM, two more breakout sessions from 1:20-2:55 PM, and a closing general session from 3:05-3:30 PM.

130131 marketing mogelijkheden liquid internetsom | smart online marketing

Ontwikkelen CRM / Marketing 2.0 bij schouwburgsom | smart online marketing

Mobile Convention Amsterdam 2015 / Vebego - Niels Sascha ReedijkMobile Convention Amsterdam 2015

Tradetracker affiliate day - Presentatie Herman MaesHerman Maes

Online Fundrasing Congres sept 2009 Maarssen met Canicassom | smart online marketing

Mobile Convention Amsterdam 2015 - University GFAF - Kimo QuaintanceMobile Convention Amsterdam 2015

The document discusses privacy and security in a networked world. It argues that shared consciousness and communication across dispersed organizations is only possible by rethinking security and privacy to allow for constant and transparent communications. As digitization increases the amount of information created, the concepts of security, privacy, and their management must change. Networks have replaced hierarchies, so individuals need to manage how they are represented rather than being left alone, and focus on health over security alone. The key is implementing and iterating approaches through awareness, discovery, and co-creation of knowledge.

Ian walden - data protection in cloud computingoiisdp

This document discusses privacy, data protection, and cloud computing. It covers several key topics: 1) Understanding applicable privacy and data protection laws and how they relate to personal data processing in the cloud. 2) Examining the complex relationships between cloud customers, providers, and other entities and determining responsibility under the laws. 3) Analyzing issues of data location, jurisdiction, and the challenges of applying privacy laws in a cloud context where data may be stored and processed worldwide.

090512 Pre Canicas Slidesharesom | smart online marketing

140221 Windesheim SATC gastcollege Hans Drenthsom | smart online marketing

Mobile Convention Amsterdam 2015 - Knab - Marcel KalseMobile Convention Amsterdam 2015

Kawser Hamid : ICO and Data Protection in the CloudGurbir Singh

Samenvatting Beeckestijn Gastcollege Sex & The City 2011som | smart online marketing

introductie YouTube marketing in boekensector- boekenbeurs 2014 Trigger - social media marketing & training

Beeckestijn masterclass e village 19 sept som | smart online marketing

Tips & tools for (starting) sourcersRené Bolier

Beste-werkgevers-onderzoek-2013Effectory

20120927 voordracht bij marnixring waregemTrigger - social media marketing & training

Beste Werkgeversonderzoek 2013 - Effectory & IntermediairEffectory

Girls of Promise-Schedule BWomen's Foundation of Arkansas

130131 marketing mogelijkheden liquid internetsom | smart online marketing

Ontwikkelen CRM / Marketing 2.0 bij schouwburgsom | smart online marketing

Mobile Convention Amsterdam 2015 / Vebego - Niels Sascha ReedijkMobile Convention Amsterdam 2015

Tradetracker affiliate day - Presentatie Herman MaesHerman Maes

Online Fundrasing Congres sept 2009 Maarssen met Canicassom | smart online marketing

Mobile Convention Amsterdam 2015 - University GFAF - Kimo QuaintanceMobile Convention Amsterdam 2015

Ian walden - data protection in cloud computingoiisdp

090512 Pre Canicas Slidesharesom | smart online marketing

140221 Windesheim SATC gastcollege Hans Drenthsom | smart online marketing

Mobile Convention Amsterdam 2015 - Knab - Marcel KalseMobile Convention Amsterdam 2015

Kawser Hamid : ICO and Data Protection in the CloudGurbir Singh

Samenvatting Beeckestijn Gastcollege Sex & The City 2011som | smart online marketing

introductie YouTube marketing in boekensector- boekenbeurs 2014 Trigger - social media marketing & training

Similar to Automated code audits (20)

Automated code auditsexakat

1) The document discusses automatic code audits, which analyze code without running it to find issues like dead code, bugs, and inefficiencies. 2) It provides examples of issues found by code audits and suggestions for improvements. 3) While code audits are useful for porting to new systems and auditing libraries, they have limitations like not finding semantic errors or testing architectural issues. Unit tests are still needed to complement code audits.

PHP Static Code ReviewDamien Seguy

OWASP Top 10 - DrupalCon Amsterdam 2019Ayesh Karunaratne

Creating "Secure" PHP Applications, Part 1, Explicit Code & QAarchwisp

Unit testing with zend framework tek11Michelangelo van Dam

The document discusses unit testing Zend Framework applications. It provides an overview of setting up PHPUnit for testing, including creating a phpunit.xml file and TestHelper bootstrap file. It also discusses testing Zend Forms and Models, including writing tests to validate form data and test that models are empty on construction. Code examples are provided for writing tests for a CommentForm and CommentModel class.

Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...dantleech

Did you know that Generators and Pipelines can be combined in order to solve software engineering problems? Generators have been available to us in PHP for about 5 years, they are a very powerful tool in a developers toolbox, they can be used to make your life easier (e.g. as data providers in PHPUnit), to help process large amounts of data, and even to enable co-operative multi-tasking. Pipelines provide a way to compose complex tasks from stages. In this talk we will briefly discuss a specific problem in PHPBench (a benchmarking tool for PHP) which can be solved through the use of Generators (and pipelines!). We will then explore both topics generally, before combining them into an Incredible Machine in a live coding session.

Zend Certification PHP 5 Sample QuestionsJagat Kothari

Review unknown code with static analysis Zend con 2017Damien Seguy

Code quality is not just for Christmas, it is a daily part of the job. So, what do you do when you're handed with a five feet long pole a million lines of code that must be vetted? You call static analysis to the rescue. During one hour, we'll be reviewing totally unknown code: no name, no usage, not a clue. We'll apply a wide range of tools, reaching for anything that helps us understand the code and form an opinion on it. Can we break this mystery and learn how everyone else is looking at our code?

Unit testing with zend framework PHPBeneluxMichelangelo van Dam

The document discusses unit testing Zend Framework applications. It begins by explaining the importance of testing and some common excuses for not testing. It then provides examples of setting up PHPUnit configuration and bootstrap files for testing Zend Framework applications. The document demonstrates how to write tests for Zend Forms and models, including testing with both valid and invalid data. It shows how to modify models to add validation filters and validators.

99% is not enoughtech.kartenmacherei

Clear php referenceDamien Seguy

Clear PHP is a coding reference for all of us. It tracks recommendations to write clear code, avoiding the classic traps, keeping options opened for the future and preventing decayed code. Those recommendations are above coding conventions, that focuses on code writing, and code architecture, with its design patterns and conceptions. This is the first time in history where an effort was made to collect all those rules, so every project can choose among them, and define exactly his own coding standard.

Review unknown code with static analysisDamien Seguy

Review unknown code with static analysis Code quality is not just for christmas, it is a daily part of the job. So, what do you do when you’re handed with a five feet long pole a million lines of code that must be vetted ? You call static analysis to the rescue. During one hour, we’ll be reviewing totally unknown code code : no name, no usage, not a clue. We’ll apply a wide range of tools, reaching for anything that helps us understand the code and form an opinion on it. Can we break this mystery and learn how everyone else is looking at our code ?

Top 10 php classic traps confooDamien Seguy

PHP has its own treasure chest of classic mistakes that surprises even the most seasoned expert : code that dies just by changing its namespace, strpos() that fails to find strings or arrays that changes without touching them. Do that get on your nerves too ? Let’s make a list of them, so we can always teach them to the new guys, spot them during code reviews and kick them out of our code once and for all. Come on, you’re not frightening us !

Workshop quality assurance for php projects - phpbelfastMichelangelo van Dam

PHPSpec BDD for PHPMarcello Duarte

This document discusses PHPSpec, a behavior-driven development (BDD) framework for PHP. It begins by explaining what PHPSpec is and how it implements BDD through a domain-specific language (DSL) based on RSpec. The document then covers how PHPSpec specifies tests using contexts, examples, expectations, matchers, mocks, and stubs. It provides examples of writing PHPSpec tests and using various PHPSpec features. The document concludes by mentioning upcoming PHPSpec features and linking to resources for learning more.

Api Designsumithra jonnalagadda

The document discusses API design in PHP, focusing on Ning's PHP API. Some key points: - Ning's PHP API provides a REST interface to its social networking platform and has been in use since 2005. - The API is used for content storage, user profile management, tagging, search, and other functions. - Good API design principles include making things predictable, modular, stable, and prioritizing human performance over computer performance. - API design should be use case driven and additions should be easy while removals are hard. Names, versioning, and documentation are important.

Bonnes pratiques de développement avec Node jsFrancois Zaninotto

This document discusses best practices for developing Node.js applications. It recommends using frameworks like Express for building web apps, libraries like Async to avoid callback hell, and organizing code into modular sub-applications. It also covers testing, error handling, documentation, and open-sourcing projects. Standards like Felix's Style Guide and domain-driven design principles are advocated. Communication channels like events, HTTP APIs, and WebSockets are examined.

Automated Frontend TestingNeil Crosby

Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd

This document discusses techniques for preventing SQL injection and cross-site scripting (XSS) vulnerabilities. It proposes using prepared statements with separate data and control planes as a "safe query object" approach. It also discusses policy-based sanitization of HTML and focusing code reviews on defect detection through annotating suspicious code regions. The overall goal is to help developers adopt architectures and techniques that thoroughly apply technical solutions to recognize and fix security weaknesses.

Review unknown code with static analysis php ce 2018Damien Seguy

Code quality is not just for christmas, it is a daily part of the job. So, what do you do when you're handed with a five feet long pole a million lines of code that must be vetted ? You call static analysis to the rescue. During one hour, we'll be reviewing totally unknown code code : no name, no usage, not a clue. We'll apply a wide range of tools, reaching for anything that helps us understand the code and form an opinion on it. Can we break this mystery and learn how everyone else is looking at our code ?

Automated code auditsexakat

PHP Static Code ReviewDamien Seguy

OWASP Top 10 - DrupalCon Amsterdam 2019Ayesh Karunaratne

Creating "Secure" PHP Applications, Part 1, Explicit Code & QAarchwisp

Unit testing with zend framework tek11Michelangelo van Dam

Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...dantleech

Zend Certification PHP 5 Sample QuestionsJagat Kothari

Review unknown code with static analysis Zend con 2017Damien Seguy

Unit testing with zend framework PHPBeneluxMichelangelo van Dam

99% is not enoughtech.kartenmacherei

Clear php referenceDamien Seguy

Review unknown code with static analysisDamien Seguy

Top 10 php classic traps confooDamien Seguy

Workshop quality assurance for php projects - phpbelfastMichelangelo van Dam

PHPSpec BDD for PHPMarcello Duarte

Api Designsumithra jonnalagadda

Bonnes pratiques de développement avec Node jsFrancois Zaninotto

Automated Frontend TestingNeil Crosby

Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd

Review unknown code with static analysis php ce 2018Damien Seguy

More from Damien Seguy (20)

Strong typing @ php leedsDamien Seguy

There are tactical reasons to adopt strong typehint: easy validation, less code, fashionable. Besides, the first typehints blend in effortlessly with the current application: it is as if typehint was already there. Later, it appears that scalar types paved the way to more substantial code refactoring. Classes emerge from the initial scalar types, code congregate around important values, types gets more complex. Finally, systemic typehint arrives. Type hints become systemic when they help tame the class dependency hell, and help us plan for the new code. During the session, we'll cover the various stages of using typehints, with their advantages, and when not to overuse them.

Strong typing : adoption, adaptation and organisationDamien Seguy

There are tactical reasons to adopt strong typehint: easy validation, less code, fashionable. Besides, the first typehints blend in effortlessly with the current application: it is as if typehint was already there. Later, it appears that scalar types paved the way to more substantial code refactoring. Classes emerge from the initial scalar types, code congregate around important values, types gets more complex. Finally, systemic typehint arrives. Type hints become systemic when they help tame the class dependency hell, and help us plan for the new code. During the session, we’ll cover the various stages of using typehints, with their advantages, and when not to overuse them.

Qui a laissé son mot de passe dans le codeDamien Seguy

Analyse statique et applicationsDamien Seguy

Top 10 pieges php afup limogesDamien Seguy

Top 10 php classic traps DPC 2020Damien Seguy

Meilleur du typage fort (AFUP Day, 2020)Damien Seguy

Le typage se propage à tout PHP : la 7.4 l’ajoute aux propriétés, après les arguments et les valeurs de retours. Bien qu’opposé aux choix initiaux de typage faible de PHP, le typage augmente significativement la cohérence du code, son niveau d’auto-validation et les possibilités de dépendances inextricables. Le typage contribue à aider les outils d’introspection, à débuguer le code au plus tôt, et à adopter des techniques de développement comme le motif de l’objet null. C’est un outil supplémentaire, pratique pour les grands projets, et facilement déployé. https://event.afup.org/afup-day-2020/afup-day-2020-tours/programme/#3246

Tout pour se préparer à PHP 7.4Damien Seguy

Déjà, PHP 7.4 toque à la porte, et il arrive les bras chargés de fonctionnalités et de modernisations. Que ce soit les FFI, le support du typage pour les propriétés, l’abandon des nombres real, la covariance, et même la modernisation de strip_tags, array_merge sans argument, et l’imbrication d’opérateurs ternaires : ouf, il va falloir se retrousser les manches. Durant la session, nous passerons en revue les nouvelles fonctionnalités, les incompatibilités, et nous verrons comment préparer son code dès maintenant.

Top 10 php classic traps php serbiaDamien Seguy

PHP has its own treasure chest of classic mistakes that surprises even the most seasoned expert: code that dies just by changing its namespace, strpos() that fails to find strings or arrays that changes without touching them. Do that get on your nerves too? Let's make a list of them, so we can always teach them to the new guys, spot them during code reviews and kick them out of our code once and for all. Come on, you're not frightening us!

Top 10 php classic trapsDamien Seguy

PHP has its own treasure chest of classic mistakes that surprises even the most seasoned expert : code that dies just by changing its namespace, strpos() that fails to find strings or arrays that changes without touching them. Do that get on your nerves too? Let’s make a list of them, so we can always teach them to the new guys, spot them during code reviews and kick them out of our code once and for all. Come on, you’re not frightening us?

Top 10 chausse trappesDamien Seguy

PHP a son lot de surprises qui pimente notre vie de développeur : le code qui meurt d’un coup de namespace, strpos qui ne trouve pas sa chaîne et les tableaux qui se modifient sans qu’on y touche. Ca vous énerve vous aussi ? Alors, en 20 minutes, on va dresser un florilège des erreurs les plus vicieuses, comment les corriger et comment les garder loin de votre code. Attachez vos ceintures !

Code review workshopDamien Seguy

Static analysis is an emerging field, in particular in the PHP world. Reviewing source code at the speed of a computer requires powerful theoretical tools: control flow diagram, abstract syntactic trees, acyclic dependency graph. If all this seems far and remote from PHP, come and learn how they apply to your favorite language! They are all useful when it comes to detecting early those errors that end up in production, and sometimes, even before the code may compile. We’ll see how to combine all those aspects to build a useful auditing engine.

Understanding static analysis php amsterdam 2018Damien Seguy

Static analysis for PHP Static analysis is an emerging field, in particular in the PHP world. Reviewing source code at the speed of a computer requires powerful theoretical tools: control flow diagram, abstract syntactic trees, acyclic dependency graph. If all this seems far and remote from PHP, come and learn how they apply to your favorite language! We'll see how to combine all those aspects to build a useful auditing engine.

Everything new with PHP 7.3Damien Seguy

PHP 7.3 is already bet3 and we will get the final version shortly after Sinterklaas. A wide range of new features are already available for testing, including the relaxed syntax for Heredocs, the final comma in function calls, and a crowd of smaller increments. We’ll review those evolutions, check the incompatibilities, and try to find the in PHP code. Finally, we’ll present the RFC process that leads to new features : we can start to discover PHP 7.4 together!

Php 7.3 et ses RFC (AFUP Toulouse)Damien Seguy

PHP 7.3 sera en beta à la fin de l'été, et cible une sortie avant Noel. De nombreuses nouveautés sont prévues de longue date, comme l'évolution de la syntaxe heredoc, ou les , finales pour les appels de fonctions, tandis qu'une rafale de nouveautés se bousculent au portillon, et ont même généré une alpha 4. Nous passerons en revue toutes ces évolutions, ainsi que les incompatibilités, comment les trouver dans du code, et comment fonctionnent les RFC de PHP.

Tout sur PHP 7.3 et ses RFCDamien Seguy

Review unknown code with static analysis php ipc 2018Damien Seguy

Code quality is not just for christmas, it is a daily part of the job. So, what do you do when you’re handed with a five feet long pole a million lines of code that must be vetted ? You call static analysis to the rescue. During one hour, we’ll be reviewing totally unknown code code : no name, no usage, not a clue. We’ll apply a wide range of tools, reaching for anything that helps us understand the code and form an opinion on it. Can we break this mystery and learn how everyone else is looking at our code ?

Code review for busy peopleDamien Seguy

This document discusses tips for conducting quick and useful code reviews. It recommends including code reviews in your daily coding routine by dedicating short periods of time, such as 15 minutes, to focused code reviews. The document provides suggestions for what to review, such as choosing common bugs or static analysis rules to search for issues. It emphasizes fixing easy bugs first and using code reviews as an opportunity to learn new techniques and document local coding idioms.

Static analysis saved my code tonightDamien Seguy

Static analysis tools checks PHP code without running them. Fully automated, they bring expertise to review the code, enforce good practices when programming, keep code ready for the next PHP version. PHP 7 has developed tremendously our capacity to audit code. Thanks to AST and return types, it is possible to go deeper and prevent more bugs. During this session, we'll review the current state of static analysis tools, learn what they can find for us, and how to integrate it in the development cycle: security bugs, migration incompatibilities, and directives recommendations. Simply said, better PHP coding.

Machine learning in php las vegasDamien Seguy

Machine learning for PHP Machine learning is teaching the computer how to learn by itself. It is far easier to be done, especially when you have small data set and a good level of expertise in your field. Classifying objects, predicting who will buy, spotting comments in code is achieved with grassy algorithms like neural networks, genetic algorithms or ant herding. PHP is in good position to make use of such teachings, and take advantages of related technologies like fann. By the end of the session, you’ll know where you want to try it.

Strong typing @ php leedsDamien Seguy

Strong typing : adoption, adaptation and organisationDamien Seguy

Qui a laissé son mot de passe dans le codeDamien Seguy

Analyse statique et applicationsDamien Seguy

Top 10 pieges php afup limogesDamien Seguy

Top 10 php classic traps DPC 2020Damien Seguy

Meilleur du typage fort (AFUP Day, 2020)Damien Seguy

Tout pour se préparer à PHP 7.4Damien Seguy

Top 10 php classic traps php serbiaDamien Seguy

Top 10 php classic trapsDamien Seguy

Top 10 chausse trappesDamien Seguy

Code review workshopDamien Seguy

Understanding static analysis php amsterdam 2018Damien Seguy

Everything new with PHP 7.3Damien Seguy

Php 7.3 et ses RFC (AFUP Toulouse)Damien Seguy

Tout sur PHP 7.3 et ses RFCDamien Seguy

Review unknown code with static analysis php ipc 2018Damien Seguy

Code review for busy peopleDamien Seguy

Static analysis saved my code tonightDamien Seguy

Machine learning in php las vegasDamien Seguy

Recently uploaded (20)

What is Model Context Protocol(MCP) - The new technology for communication bw...Vishnu Singh Chundawat

The MCP (Model Context Protocol) is a framework designed to manage context and interaction within complex systems. This SlideShare presentation will provide a detailed overview of the MCP Model, its applications, and how it plays a crucial role in improving communication and decision-making in distributed systems. We will explore the key concepts behind the protocol, including the importance of context, data management, and how this model enhances system adaptability and responsiveness. Ideal for software developers, system architects, and IT professionals, this presentation will offer valuable insights into how the MCP Model can streamline workflows, improve efficiency, and create more intuitive systems for a wide range of use cases.

Dev Dives: Automate and orchestrate your processes with UiPath MaestroUiPathCommunity

This session is designed to equip developers with the skills needed to build mission-critical, end-to-end processes that seamlessly orchestrate agents, people, and robots. 📕 Here's what you can expect: - Modeling: Build end-to-end processes using BPMN. - Implementing: Integrate agentic tasks, RPA, APIs, and advanced decisioning into processes. - Operating: Control process instances with rewind, replay, pause, and stop functions. - Monitoring: Use dashboards and embedded analytics for real-time insights into process instances. This webinar is a must-attend for developers looking to enhance their agentic automation skills and orchestrate robust, mission-critical processes. 👨‍🏫 Speaker: Andrei Vintila, Principal Product Manager @UiPath This session streamed live on April 29, 2025, 16:00 CET. Check out all our upcoming Dev Dives sessions at https://community.uipath.com/dev-dives-automation-developer-2025/.

Linux Professional Institute LPIC-1 Exam.pdfRHCSA Guru

Electronic_Mail_Attacks-1-35.pdf by xploitniftliyevhuseyn

#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025BookNet Canada

Book industry standards are evolving rapidly. In the first part of this session, we’ll share an overview of key developments from 2024 and the early months of 2025. Then, BookNet’s resident standards expert, Tom Richardson, and CEO, Lauren Stewart, have a forward-looking conversation about what’s next. Link to recording, transcript, and accompanying resource: https://bnctechforum.ca/sessions/standardsgoals-for-2025-standards-certification-roundup/ Presented by BookNet Canada on May 6, 2025 with support from the Department of Canadian Heritage.

IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...organizerofv

Cyber Awareness overview for 2025 month of securityriccardosl1

TrsLabs - Fintech Product & Business ConsultingTrs Labs

Hybrid Growth Mandate Model with TrsLabs Strategic Investments, Inorganic Growth, Business Model Pivoting are critical activities that business don't do/change everyday. In cases like this, it may benefit your business to choose a temporary external consultant. An unbiased plan driven by clearcut deliverables, market dynamics and without the influence of your internal office equations empower business leaders to make right choices. Getting things done within a budget within a timeframe is key to Growing Business - No matter whether you are a start-up or a big company Talk to us & Unlock the competitive advantage

Drupalcamp Finland – Measuring Front-end Energy ConsumptionExove

Generative Artificial Intelligence (GenAI) in BusinessDr. Tathagat Varma

Big Data Analytics Quick Research Guide by Arthur MorganArthur Morgan

This is a Quick Research Guide (QRG). QRGs include the following: - A brief, high-level overview of the QRG topic. - A milestone timeline for the QRG topic. - Links to various free online resource materials to provide a deeper dive into the QRG topic. - Conclusion and a recommendation for at least two books available in the SJPL system on the QRG topic. QRGs planned for the series: - Artificial Intelligence QRG - Quantum Computing QRG - Big Data Analytics QRG - Spacecraft Guidance, Navigation & Control QRG (coming 2026) - UK Home Computing & The Birth of ARM QRG (coming 2027) Any questions or comments? - Please contact Arthur Morgan at [email protected]. 100% human made.

DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxJustin Reock

Building 10x Organizations with Modern Productivity Metrics 10x developers may be a myth, but 10x organizations are very real, as proven by the influential study performed in the 1980s, ‘The Coding War Games.’ Right now, here in early 2025, we seem to be experiencing YAPP (Yet Another Productivity Philosophy), and that philosophy is converging on developer experience. It seems that with every new method we invent for the delivery of products, whether physical or virtual, we reinvent productivity philosophies to go alongside them. But which of these approaches actually work? DORA? SPACE? DevEx? What should we invest in and create urgency behind today, so that we don’t find ourselves having the same discussion again in a decade?

How analogue intelligence complements AIPaul Rowe

Artificial Intelligence is providing benefits in many areas of work within the heritage sector, from image analysis, to ideas generation, and new research tools. However, it is more critical than ever for people, with analogue intelligence, to ensure the integrity and ethical use of AI. Including real people can improve the use of AI by identifying potential biases, cross-checking results, refining workflows, and providing contextual relevance to AI-driven results. News about the impact of AI often paints a rosy picture. In practice, there are many potential pitfalls. This presentation discusses these issues and looks at the role of analogue intelligence and analogue interfaces in providing the best results to our audiences. How do we deal with factually incorrect results? How do we get content generated that better reflects the diversity of our communities? What roles are there for physical, in-person experiences in the digital world?

Procurement Insights Cost To Value Guide.pptxJon Hansen

AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...SOFTTECHHUB

I started my online journey with several hosting services before stumbling upon Ai EngineHost. At first, the idea of paying one fee and getting lifetime access seemed too good to pass up. The platform is built on reliable US-based servers, ensuring your projects run at high speeds and remain safe. Let me take you step by step through its benefits and features as I explain why this hosting solution is a perfect fit for digital entrepreneurs.

AI and Data Privacy in 2025: Global TrendsInData Labs

In this infographic, we explore how businesses can implement effective governance frameworks to address AI data privacy. Understanding it is crucial for developing effective strategies that ensure compliance, safeguard customer trust, and leverage AI responsibly. Equip yourself with insights that can drive informed decision-making and position your organization for success in the future of data privacy. This infographic contains: -AI and data privacy: Key findings -Statistics on AI data privacy in the today’s world -Tips on how to overcome data privacy challenges -Benefits of AI data security investments. Keep up-to-date on how AI is reshaping privacy standards and what this entails for both individuals and organizations.

Complete Guide to Advanced Logistics Management Software in Riyadh.pdfSoftware Company

Explore the benefits and features of advanced logistics management software for businesses in Riyadh. This guide delves into the latest technologies, from real-time tracking and route optimization to warehouse management and inventory control, helping businesses streamline their logistics operations and reduce costs. Learn how implementing the right software solution can enhance efficiency, improve customer satisfaction, and provide a competitive edge in the growing logistics sector of Riyadh.

Cybersecurity Identity and Access Solutions using Azure ADVICTOR MAESTRE RAMIREZ

Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...BookNet Canada

Book industry standards are evolving rapidly. In the first part of this session, we’ll share an overview of key developments from 2024 and the early months of 2025. Then, BookNet’s resident standards expert, Tom Richardson, and CEO, Lauren Stewart, have a forward-looking conversation about what’s next. Link to recording, presentation slides, and accompanying resource: https://bnctechforum.ca/sessions/standardsgoals-for-2025-standards-certification-roundup/ Presented by BookNet Canada on May 6, 2025 with support from the Department of Canadian Heritage.

AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...Alan Dix

Talk at the final event of Data Fusion Dynamics: A Collaborative UK-Saudi Initiative in Cybersecurity and Artificial Intelligence funded by the British Council UK-Saudi Challenge Fund 2024, Cardiff Metropolitan University, 29th April 2025 https://alandix.com/academic/talks/CMet2025-AI-Changes-Everything/ Is AI just another technology, or does it fundamentally change the way we live and think? Every technology has a direct impact with micro-ethical consequences, some good, some bad. However more profound are the ways in which some technologies reshape the very fabric of society with macro-ethical impacts. The invention of the stirrup revolutionised mounted combat, but as a side effect gave rise to the feudal system, which still shapes politics today. The internal combustion engine offers personal freedom and creates pollution, but has also transformed the nature of urban planning and international trade. When we look at AI the micro-ethical issues, such as bias, are most obvious, but the macro-ethical challenges may be greater. At a micro-ethical level AI has the potential to deepen social, ethnic and gender bias, issues I have warned about since the early 1990s! It is also being used increasingly on the battlefield. However, it also offers amazing opportunities in health and educations, as the recent Nobel prizes for the developers of AlphaFold illustrate. More radically, the need to encode ethics acts as a mirror to surface essential ethical problems and conflicts. At the macro-ethical level, by the early 2000s digital technology had already begun to undermine sovereignty (e.g. gambling), market economics (through network effects and emergent monopolies), and the very meaning of money. Modern AI is the child of big data, big computation and ultimately big business, intensifying the inherent tendency of digital technology to concentrate power. AI is already unravelling the fundamentals of the social, political and economic world around us, but this is a world that needs radical reimagining to overcome the global environmental and human challenges that confront us. Our challenge is whether to let the threads fall as they may, or to use them to weave a better future.

What is Model Context Protocol(MCP) - The new technology for communication bw...Vishnu Singh Chundawat

Dev Dives: Automate and orchestrate your processes with UiPath MaestroUiPathCommunity

Linux Professional Institute LPIC-1 Exam.pdfRHCSA Guru

Electronic_Mail_Attacks-1-35.pdf by xploitniftliyevhuseyn

#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025BookNet Canada

IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...organizerofv

Cyber Awareness overview for 2025 month of securityriccardosl1

TrsLabs - Fintech Product & Business ConsultingTrs Labs

Drupalcamp Finland – Measuring Front-end Energy ConsumptionExove

Generative Artificial Intelligence (GenAI) in BusinessDr. Tathagat Varma

Big Data Analytics Quick Research Guide by Arthur MorganArthur Morgan

DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxJustin Reock

How analogue intelligence complements AIPaul Rowe

Procurement Insights Cost To Value Guide.pptxJon Hansen

AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...SOFTTECHHUB

AI and Data Privacy in 2025: Global TrendsInData Labs

Complete Guide to Advanced Logistics Management Software in Riyadh.pdfSoftware Company

Cybersecurity Identity and Access Solutions using Azure ADVICTOR MAESTRE RAMIREZ

Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...BookNet Canada

AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...Alan Dix

Automated code audits

1. Automatic code audits Rotterdam, Nederland, October 9th 010PHP

2. Definition A kind of code analysis where the code is reviewed without running it. Just like we would do ourselves!

3. Who is speaking? Damien Seguy CTO at exakat Phather of the plush toy elePHPant Back from China Stepping up automated code audit services

5. Internals Code AST Analyze Report

7. <?php! function x($a) { return $a; } x(1, 2); ?>

8. Found Dead code Undefined structures Unused structures Illogical exp. Slow code Bad practices Unsafe code Maintainability Bug issue Ancient style Uninitialized vars Taint propagation

9. <?php switch ($this->consume()) { case "x09": case "x0A": case "x0B": case "x0B": case "x0C": case "x20": case "x3C": case "x26": case false: break; case "x23": switch ($this->consume()) { case "x78": case "x58": $range = '0123456789ABCDEFabcdef'; $hex = true; break; } }{ ?>

10. protected function openString($end, &$out=null, $nestingOpen, $rejectStrs = null) $nestingLevel = $count = 0; $content = array(); while ($this->match($patt, $m, false)) { $tok = $m[2]; if ($tok == "@{" && $this->interpolation($inter)) { $content[] = $inter; continue; } if (!empty($rejectStrs) && in_array($tok, $rejectStrs)) { $ount = null; break; } $content[] = $tok; $count += strlen($tok); } $this->eatWhiteDefault = $oldWhite; if (count($content) == 0) return false; $out = array("string", "", $content); return true; }

11. Spot bugs early Code Test PreProd Production Run it at commit Run it as audit

12. Static audit vs Unit test No running 100% of the code Symbolic testing Little configuration Has false positive Mostly internal Needs dedicated servers Will only scan a part Test only provided data Write scenario Has false negative Can be handed to users

13. When does it help Help port to a new system Search for weak code fragments Audit external libraries Hint at refactoring

14. Report Bugs Useless code Suggestions

15. Bugs <?php ! ! if($content = file_get_contents($file)) { $content = trim($content); $content = substr($content, -2) == '?>' ? substr($content, 0, -2) : $content; } ! return true;! ?> !

16. Useless code <?php! ! // inside a legit class $this->module->xmlRequest; $_G['setting']['debug']; $post['usesig'] ? ($_G['setting']['sigviewcond'] ? (strlen($post['message']) > $_G['setting']['sigviewcond'] ?! ! ! ! ! $post['signature'] : '') ! ! ! ! ! ! : $post['signature']) : ''; ?> !

17. Suggestions <?php ! // Nested ternary should be turned into if then structures $operation == 'ENCODE' ? sprintf('%010d', $expiry ? $expiry + time( ) : 0) . substr(($string . $egiskeys), 0, 16) . $string : base64_decode(substr($string, $key_length)) // Multiply by one is useless SetCache($prefix, $key, $row, 60*60*1); // Portable syntax $bits = split('.', $string); $y = $bits[0]; ! // Modern syntax $y = split('.', $string)[0]; ?> !

18. Where it doesn’t help Unit tests Architecture Old traditions that won’t change Semantic errors

19. Architecture No framework context Conception is done before coding Of course! Static audit will report standards, not norms

20. Old traditions <?php $pna = explode(')(', $pn); while (list($k, $v) = each($pna)) { $lst = explode('"', $v); if (isset($lst[3])) { $pn[$lst[1]] = $lst[3]; } else { $pn[$lst[1]] = ''; } } ?> 10 % of current applications uses this instead of foreach()

21. Semantic errors <?php $babycarriage = new carriage(); $wheel1 = new Racingwheel(); $wheel2 = new Racingwheel(); $wheel3 = new Racingwheel(); $wheel4 = new Rhinoceros(); $babycarriage->installWheels($wheel1, # # # # # # # # # # # # # $wheel2, # # # # # # # # # # # $wheel3, # # # # # # # # # # # $wheel4); ?> Undefined classes : Vehicle, Racingwheel, Rhinoceros

22. Semantic errors

23. Available analyzers PHP code sniffer PHP MD Scrutinizer-ci Fortify insight from Sensio

24. damien.seguy@ gmail.com http://www.slideshare.net/ dseguy

25. THE END http://010php.nl/ http://www.meetup.com/010PHP/

Automated code audits

Recommended

More Related Content

What's hot (20)

Viewers also liked (19)

Similar to Automated code audits (20)

More from Damien Seguy (20)

Recently uploaded (20)

Automated code audits