Php Sat Bug Patterns

Static analysis for PHP

What is a bug-pattern?

Let us start with a definition:
  A bug-pattern describes a common mistake at the application level.
So each bug-pattern describes a pattern that is correct according to the grammar of PHP, but holds a mistake that is probably not intended by the programmer. The patterns are based on the documentation of PHP, past experience and common sense. Notice that the patterns holds information about possible mistakes, the programmer has to decide whether the pattern is an actual mistake in the specific situation.


Each pattern is described according to this structure:
  Number of the pattern, First capitals of the category followed by a three-digit number.

[Affected versions]
  PHP versions that are affected by this pattern.

  Code example that shows the pattern in a generalized way.
  The situations in which this pattern can arise.
  Explanation of the mistake in this pattern.

  How the pattern can be eliminated. 

The bug-patterns are divided into the following categories:

  • Correctness
  • Exposing Info
  • Optimization
  • Style
  • Malicious Code Vulnerability
There is no nicely formatted descriptions of the patterns (yet), but there is documentation about the patterns in the SVN-repository. Some of the patterns are not implemented, see this issue-list for the status of these patterns. If you have a pattern that can is useful, please share your idea!


These patterns describe a situation that is incorrect according to type-casting, control-flow or the PHP documentation.

Exposing Info

These patterns describe a situation where information can leak from your application to the outside world. This is a mistake in general because it reveals information to attackers.


These patterns indicate places where you can gain a (microscopic) performance boost. None of the patterns will double the speed of your application at once, but together they help you to get the best out of your server resources.


These patterns flag situations that violate a certain style-guide. Notice that they are subjective, but they also have a non-arbitrary reason to flag the situation.

Malicious Code Vulnerability

This category consists of only one bug-pattern MCV000. This pattern flags parameters that do not meet the pre-condition of the called function. This pattern finds pieces of code that might have security issues, please take a good look at the code before ignoring the pattern.


The files that come out of PHP-Sat contain special code blocks that look like this:
   * PHP-SAT check (Category name)
   * Pattern ID : Pattern code
   * Description: Short description / pattern name
It is a bit elaborate, if you have an idea for a more compact and better output please let us know.
The current way to get a more compact output is to use the following command to get a list of the required bug-patterns:
$ grep -R --include=*.php-sat "Pattern ID : " .


The patterns that PHP-Sat flags are common mistakes, but not necessarily bad in your situation. You have to decide for yourself whether or not you want to adjust your code. We just want to provide you with more information to make the right decision, we know you can do it!

-- EricBouwers - 26 Dec 2006