Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must attribute it to the original authors (not me): StackOverflow
Original: http://stackoverflow.com/questions/378959/
How to perform static code analysis in php?
Asked by eswald
Is there a static analysis tool for PHP source files? The binary itself can check for syntax errors, but I'm looking for something that does more, like:
- unused variable assignments
- arrays that are assigned into without being initialized first
- and possibly code style warnings
- ...
Accepted answer by troelskn
Run php in lint-mode from the command line to validate syntax without execution:
php -l FILENAME
Higher-level static analyzers include:
- php-sat (requires http://strategoxt.org/)
- PHP_Depend
- PHP_CodeSniffer
- PHP Mess Detector
- PHPStan
- PHP-CS-Fixer
- phan
Lower-level analyzers include:
- PHP_Parser
- token_get_all (primitive function)
Runtime analyzers, which are more useful for some things due to PHPs dynamic nature, include:
- Xdebug has code coverage and function traces.
- My PHP Tracer Tool uses a combined static/dynamic approach, building on Xdebug's function traces.
The documentation libraries phpdoc and doxygen perform a kind of code analysis. Doxygen, for example, can be configured to render nice inheritance graphs with graphviz.
Another option is xhprof, which is similar to xdebug, but lighter, making it suitable for production servers. The tool includes a PHP-based interface.
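As an added illustration (this is not code from the answer above), the following uses the token_get_all() primitive listed among the lower-level analyzers to flag the kind of unused local variable assignment the question asks about. It assumes PHP 7.0 or later and treats only a plain `$var = ...` as a write; the sample input is constructed for the example.

```php
<?php
// Added example: report locals assigned ("$var = ...") in a function body but never read, using only token_get_all().
function findUnusedLocals(string $source): array
{
    $tokens = token_get_all($source); $count = count($tokens); $reports = [];
    for ($i = 0; $i < $count; $i++) {
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_FUNCTION) { continue; }
        // Find the body: first '{' after the signature and its matching '}'.
        // "{$x}" in strings tokenizes as T_CURLY_OPEN + a plain '}', so count it too.
        $depth = 0; $start = null;
        for ($j = $i; $j < $count; $j++) {
            $t = $tokens[$j];
            if ($t === '{' || (is_array($t) && $t[0] === T_CURLY_OPEN)) {
                if ($depth++ === 0) { $start = $j; }
            } elseif ($t === '}' && --$depth === 0) {
                break;
            }
        }
        if ($start === null) { continue; }
        // Classify each $variable occurrence in the body as a write or a read.
        $writes = $reads = [];
        for ($k = $start; $k < $j; $k++) {
            $t = $tokens[$k];
            if (!is_array($t) || $t[0] !== T_VARIABLE || $t[1] === '$this') { continue; }
            $n = $k + 1;    // skip whitespace to inspect the following token
            while ($n < $j && is_array($tokens[$n]) && $tokens[$n][0] === T_WHITESPACE) { $n++; }
            if ($n < $j && $tokens[$n] === '=') {
                $writes[$t[1]][] = $t[2];   // $t[2] is the source line number
            } else {
                $reads[$t[1]] = true;       // '$a[...] =' and '$a .=' count as reads here
            }
        }
        foreach ($writes as $name => $lines) {
            if (!isset($reads[$name])) {
                $reports[] = sprintf('line %d: unused local variable %s', $lines[0], $name);
            }
        }
    }
    return $reports;
}
// Constructed input: $title is written but never read; $name is written and read.
$sample = <<<'PHP'
<?php
function login($user) {
    $title = "Login"; $name = trim($user);
    return "Hello {$name}";
}
PHP;
print_r(findUnusedLocals($sample));
```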
Answer by Martijn Laarman
Uninitialized variables check. Links 1 and 2 already seem to do this just fine, though.
I can't say I have used any of these intensively, though :)
Answer by Till
For completeness -- also check phpCallGraph.
Answer by aredridel
PHP Mess Detector is awesome and fast.
Answer by rjha94
I have tried using $php -l and a couple of other tools. However, the best one in my experience (YMMV, of course) is scheck from the pfff toolset. I heard about pfff on Quora (http://www.quora.com/Is-there-a-good-PHP-lint-static-analysis-tool).
You can compile and install it. There are no nice packages (on my mint Debian, I had to install the libpcre3-dev, ocaml, libcairo-dev, libgtk-3-dev and libgimp2.0-dev dependencies first), but it should be worth an install.
The results are reported like this:
rjha@mint ~ $ ~/sw/pfff/scheck ~/code/github/sc/
login-now.php:7:4: CHECK: Unused Local variable $title
go-automatic.php:14:77: CHECK: Use of undeclared variable $goUrl.
Answer by Ira Baxter
See Semantic Designs' CloneDR, a "clone detection" tool that finds copy/paste/edited code. It will find exact and near-miss code fragments, in spite of whitespace, comments and even variable renamings. A sample detection report for PHP can be found at the website. (I'm the author.)
Answer by slikts
The NetBeans IDE checks for syntax errors, unused variables and such. It's not automated, but works fine for small or medium projects.
Answer by zvikico
There is a new tool called nWire for PHP. It is a code exploration plugin for Eclipse PDT and Zend Studio 7.x. It enables real-time code analysis for PHP and provides the following tools:
- Code visualization - interactive graphical representation of components and associations.
- Code navigation - unique navigation view shows all the associations and works with you while you write or read code.
- Quick search - search as you type for methods, fields, file, etc.
Answer by erenon
PHP PMD (project mess detector) and PHP CPD (copy paste detector), formerly part of PHPUnit.
Answer by SteAp
There is RIPS, a static source code analyser for vulnerabilities in PHP scripts. The sources of RIPS are available at SourceForge.
From the RIPS site:
RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis. By tokenizing and parsing all source code files RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities RIPS also offers an integrated code audit framework for further manual analysis.
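As an added illustration of the source-to-sink model that the RIPS description uses (this is not RIPS code), the following toy checker marks variables assigned from request superglobals as tainted, propagates taint through plain assignments, and reports sink calls whose arguments still carry it. The SOURCES, SINKS and SANITIZERS lists and the sample input are constructed for the example, and it assumes PHP 7.4 or later.

```php
<?php
// Added example (not RIPS's code): a toy, flow-insensitive source-to-sink taint check over a token stream.
const SOURCES    = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE'];
const SINKS      = ['mysqli_query', 'mysql_query', 'system', 'exec', 'shell_exec', 'passthru'];
const SANITIZERS = ['intval', 'htmlspecialchars', 'mysqli_real_escape_string', 'escapeshellarg'];
function findTaintedSinks(string $source): array
{
    // Drop whitespace and comments so "$x =" and "name(" become adjacent tokens.
    $tokens = array_values(array_filter(token_get_all($source), fn($t) =>
        !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)));
    $count = count($tokens); $tainted = []; $reports = [];
    // True if tokens[$from..$to) read a source or tainted variable not wrapped by an earlier sanitizer call (simplification).
    $isTainted = function (int $from, int $to) use ($tokens, &$tainted): bool {
        $sanitized = false;
        for ($k = $from; $k < $to; $k++) {
            $t = $tokens[$k];
            if (!is_array($t)) { continue; }
            if ($t[0] === T_STRING && in_array($t[1], SANITIZERS, true)) { $sanitized = true; }
            if ($t[0] === T_VARIABLE && !$sanitized
                && (in_array($t[1], SOURCES, true) || isset($tainted[$t[1]]))) { return true; }
        }
        return false;
    };
    for ($i = 0; $i < $count; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) { continue; }
        $next = $tokens[$i + 1] ?? null; $end = $i + 1;
        while ($end < $count && $tokens[$end] !== ';') { $end++; }   // end of this statement
        if ($t[0] === T_VARIABLE && $next === '=') {
            // Assignment: the target inherits (or loses) taint from its right-hand side.
            if ($isTainted($i + 2, $end)) { $tainted[$t[1]] = true; } else { unset($tainted[$t[1]]); }
            $i = $end;
        } elseif ($t[0] === T_ECHO || ($t[0] === T_STRING && $next === '(' && in_array($t[1], SINKS, true))) {
            // Sink: report when any argument still carries taint.
            if ($isTainted($i + 1, $end)) { $reports[] = sprintf('line %d: tainted data reaches %s', $t[2], $t[1]); }
            $i = $end;
        }
    }
    return $reports;
}
// Constructed input: $id flows unsanitised into the query; $name is neutralised before echo.
$sample = <<<'PHP'
<?php
$id   = $_GET['id'];
$name = htmlspecialchars($_POST['name']);
$sql  = "SELECT * FROM users WHERE id = " . $id;
mysqli_query($db, $sql);
echo $name;
PHP;
print_r(findTaintedSinks($sample));
```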