PHP Scan rules
Contrast Scan supports these rules for PHP.
Severity | Contrast rule | Engine rule ID | Description |
|---|---|---|---|
Critical | Insecure Php Configuration | OPT.PHP.InsecurePhpConfiguration | InsecurePhpConfiguration: Avoid insecure configuration settings in php.ini / .htaccess descriptors |
Critical | Too Broad CORS Policy | OPT.PHP.TooBroadCORSPolicy | TooBroadCORSPolicy: CORS policy (Cross-origin resource sharing) too broad |
Critical | Code Injection | OPT.PHP.CodeInjection | CodeInjection: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
Critical | Command Injection | OPT.PHP.CommandInjection | CommandInjection: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
Critical | Connection String Parameter Pollution | OPT.PHP.ConnectionStringParameterPollution | ConnectionStringParameterPollution: Connection string polluted with untrusted input |
Critical | Cross Site Scripting | OPT.PHP.CrossSiteScripting | CrossSiteScripting: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Critical | Csv Formula Injection | OPT.PHP.CsvFormulaInjection | CsvFormulaInjection: CSV Excel macro injection |
Critical | DoS Regexp | OPT.PHP.DoSRegexp | DoSRegexp: Prevent denial of service attack through malicious regular expression ('Regex Injection')] |
Critical | External Variable Modification | OPT.PHP.ExternalVariableModification | ExternalVariableModification: PHP External Variable Modification |
Critical | Http Parameter Pollution | OPT.PHP.HttpParameterPollution | HttpParameterPollution: HTTP parameter pollution (HPP) |
Critical | Http Splitting | OPT.PHP.HttpSplitting | HttpSplitting: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
Critical | Ldap Injection | OPT.PHP.LdapInjection | LdapInjection: Avoid non-neutralized user-controlled input in LDAP search filters |
Critical | Mail Header Manipulation | OPT.PHP.MailHeaderManipulation | MailHeaderManipulation: SMTP Header manipulation |
Critical | Open Redirect | OPT.PHP.OpenRedirect | OpenRedirect: URL Redirection to Untrusted Site ('Open Redirect') |
Critical | Resource Injection | OPT.PHP.ResourceInjection | ResourceInjection: Improper Control of Resource Identifiers ('Resource Injection') |
Critical | Mail Command Injection | OPT.PHP.SEC.MailCommandInjection | MailCommandInjection: Mail Command Injection |
Critical | No SQL Injection | OPT.PHP.SEC.NoSQLInjection | NoSQLInjection: Improper neutralization of special elements in data query logic (NoSQL injection) |
Critical | Server Side Request Forgery | OPT.PHP.ServerSideRequestForgery | ServerSideRequestForgery: Server-Side Request Forgery (SSRF) |
Critical | SQL Injection | OPT.PHP.SqlInjection | SqlInjection: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Critical | Xml Entity Injection | OPT.PHP.XmlEntityInjection | XmlEntityInjection: XML entity injection |
Critical | Avoid Use Default Secret | OPT.PHP.AvoidUseDefaultSecret | AvoidUseDefaultSecret: Avoid using secret value default symfony: ThisTokenIsNotSoSecretChangeIt |
Critical | Assign Null In Function Call | OPT.PHP.AssignNullInFunctionCall | AssignNullInFunctionCall: Assignment of a function call to a variable when the function does not have a return value |
Critical | Avoid Exitor Die | OPT.PHP.AvoidExitorDie | AvoidExitorDie: Do not use exit() or die() for error processing |
Critical | Avoid Global Variableswithin Functions | OPT.PHP.AvoidGlobalVariableswithinFunctions | AvoidGlobalVariableswithinFunctions: Avoid global variables within functions |
Critical | Avoid Loop With Empty Body | OPT.PHP.AvoidLoopWithEmptyBody | AvoidLoopWithEmptyBody: Avoid loops (while, do/while, for) with empty body |
Critical | Avoid SQL Queries Within Loop | OPT.PHP.AvoidSQLQueriesWithinLoop | AvoidSQLQueriesWithinLoop: Avoid doing SQL queries within a loop |
Critical | Avoid This In Static Methods | OPT.PHP.AvoidThisInStaticMethods | AvoidThisInStaticMethods: Avoid $this in static methods |
Critical | Avoid Using Echo HTML | OPT.PHP.AvoidUsingEchoHTML | AvoidUsingEchoHTML: Avoid using echo or print to construct HTML |
Critical | Dangerous File Upload | OPT.PHP.DangerousFileUpload | DangerousFileUpload: Unrestricted Upload of File with Dangerous Type |
Critical | Do Not Use Error Suppression | OPT.PHP.DoNotUseErrorSuppression | DoNotUseErrorSuppression: Do not use error suppression with @ |
Critical | Fingers Crossed Logger In Production | OPT.PHP.FingersCrossedLoggerInProduction | FingersCrossedLoggerInProduction: Logging should not use many resources in production. |
Critical | Function Arguments Uniqueness | OPT.PHP.FunctionArgumentsUniqueness | FunctionArgumentsUniqueness: Avoid duplicated argument names in function declarations |
Critical | Include File Injection | OPT.PHP.IncludeFileInjection | IncludeFileInjection: Improper Control of filename for include / require statement |
Critical | Nested If Statements | OPT.PHP.NestedIfStatements | NestedIfStatements: Avoid a high level of if statement nesting |
Critical | Optional Parameters At End | OPT.PHP.OptionalParametersAtEnd | OptionalParametersAtEnd: Optional parameters in a function or method declaration must be always declared at the end |
Critical | Path Traversal | OPT.PHP.PathTraversal | PathTraversal: Avoid non-neutralized user-controlled input to be part of a pathname (file or directory) used in I/O operations |
Critical | Persistent Database Connections | OPT.PHP.PersistentDatabaseConnections | PersistentDatabaseConnections: Use persistent database connections |
Critical | POSIX Extended Regular Expressions | OPT.PHP.POSIXExtendedRegularExpressions | POSIXExtendedRegularExpressions: Do not use POSIX Extended regular expression functions |
Critical | Return In Constructor | OPT.PHP.ReturnInConstructor | ReturnInConstructor: Constructor returns a value |
Critical | Too Many Parameters In Call | OPT.PHP.TooManyParametersInCall | TooManyParametersInCall: Avoid calling a function or method with more parameters than declared |
Critical | Password In Redirect Rule | OPT.PHP.SEC.PasswordInRedirectRule | PasswordInRedirectRule: Password Management - Password in Redirect |
Critical | Sensitive Data Non Parameter | OPT.PHP.SensitiveDataNonParameter | SensitiveDataNonParameter: Sensitive data such as database connection must be in a parameter file |
High | Cake PHP Configuration | OPT.PHP.CakePHPConfiguration | CakePHPConfiguration: CakePHP framework weak configuration |
High | Cookies Configuration | OPT.PHP.CookiesConfiguration | CookiesConfiguration: Weak cookies configuration |
High | Insufficient Session Expiration Rule | OPT.PHP.SEC.InsufficientSessionExpirationRule | InsufficientSessionExpirationRule: Checks that session expiration interval does not exceed a limit |
High | Session Cookie Configuration | OPT.PHP.SessionCookieConfiguration | SessionCookieConfiguration: Weak session cookies configuration |
High | Zend Configuration | OPT.PHP.ZendConfiguration | ZendConfiguration: Zend framework session management configuration |
High | Avoid Eval | OPT.PHP.AvoidEval | AvoidEval: Do not use eval() |
High | Cross Site Request Forgery | OPT.PHP.CrossSiteRequestForgery | CrossSiteRequestForgery: Cross-Site Request Forgery (CSRF) |
High | Enabled Twig Auto Escaping | OPT.PHP.EnabledTwigAutoEscaping | EnabledTwigAutoEscaping: Twig auto-escaping must be enabled |
High | External Control Of Configuration Setting | OPT.PHP.SEC.ExternalControlOfConfigurationSetting | ExternalControlOfConfigurationSetting: External Control of System or Configuration Setting |
High | JSON Injection | OPT.PHP.SEC.JSONInjection | JSONInjection: Avoid using non-neutralized user-controlled input into JSON entities - JSON Injection |
High | Trust Boundary Violation Rule | OPT.PHP.SEC.TrustBoundaryViolationRule | TrustBoundaryViolationRule: Trust boundary violation |
High | Xslt Injection | OPT.PHP.SEC.XsltInjection | XsltInjection: XML Injection (aka Blind XPath Injection) |
High | Stored Cross Site Scripting | OPT.PHP.StoredCrossSiteScripting | StoredCrossSiteScripting: Improper neutralization of stored data during web content generation (Cross-site Scripting, XSS) |
High | XPath Injection | OPT.PHP.XPathInjection | XPathInjection: Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
High | Assign Objects In Instantiation | OPT.PHP.AssignObjectsInInstantiation | AssignObjectsInInstantiation: Assign objects to a variable in instantiation |
High | Avoid Business Logic In Twig | OPT.PHP.AvoidBusinessLogicInTwig | AvoidBusinessLogicInTwig: Avoid too much logic in Twig templates |
High | Too Many Statements In Case | OPT.PHP.TooManyStatementsInCase | TooManyStatementsInCase: Avoid using too many statements in each case of a switch statement |
High | Avoid Auto Reload In Twig | OPT.PHP.AvoidAutoReloadInTwig | AvoidAutoReloadInTwig: Twig auto_reload must be disabled |
High | Avoid Create From Globals Request | OPT.PHP.AvoidCreateFromGlobalsRequest | AvoidCreateFromGlobalsRequest: Avoid use Request::createFromGlobals method |
High | Avoid High Number Of Files In Folder | OPT.PHP.AvoidHighNumberOfFilesInFolder | AvoidHighNumberOfFilesInFolder: Avoid handling of folders with many files |
High | Avoid Logical Operators | OPT.PHP.AvoidLogicalOperators | AvoidLogicalOperators: Avoid using logical operators |
High | Avoid Ref With Multidim Array | OPT.PHP.AvoidRefWithMultidimArray | AvoidRefWithMultidimArray: Avoid &-ref-operator to substitute (or alias) a complex mutidim-array |
High | Avoid Sleep Function | OPT.PHP.AvoidSleepFunction | AvoidSleepFunction: Avoid using the sleep function |
High | Avoid Strict Variables In Twig | OPT.PHP.AvoidStrictVariablesInTwig | AvoidStrictVariablesInTwig: Twig strict_variables must be disabled |
High | Avoid Action Method Too Long | OPT.PHP.AvoidActionMethodTooLong | AvoidActionMethodTooLong: Avoid using methods controllers "action" too long |
High | Break Non Empty Switch Clauses | OPT.PHP.BreakNonEmptySwitchClauses | BreakNonEmptySwitchClauses: Use break statement at the last statement of SwitchCase |
High | Call Time Pass By Reference Forbidden | OPT.PHP.CallTimePassByReferenceForbidden | CallTimePassByReferenceForbidden: Do not use call-time pass-by-reference arguments in function calls |
High | Catching Exception | OPT.PHP.CatchingException | CatchingException: Avoid catching exception base classes |
High | Check Parameters Number In Function | OPT.PHP.CheckParametersNumberInFunction | CheckParametersNumberInFunction: Too many parameters in function |
High | Class Includes | OPT.PHP.ClassIncludes | ClassIncludes: include / require / require_once / include_once is not allowed for loading class files |
High | Delete Acme Demo Bundle | OPT.PHP.DeleteAcmeDemoBundle | DeleteAcmeDemoBundle: Perform deletion of the AcmeDemoBundle that is included by default in Symfony2 |
High | Delete Unused Libraries | OPT.PHP.DeleteUnusedLibraries | DeleteUnusedLibraries: Remove references to libraries that are not used |
High | Default Arguments On The Right Side | OPT.PHP.DefaultArgumentsOnTheRightSide | DefaultArgumentsOnTheRightSide: Default arguments must be on the right side of any non-default arguments |
High | Default Clause Switch Statements | OPT.PHP.DefaultClauseSwitchStatements | DefaultClauseSwitchStatements: Use default clause at the end of the switch statement |
High | Efficient Php Ini Configuration | OPT.PHP.EfficientPhpIniConfiguration | EfficientPhpIniConfiguration: Certain configuration properties should be set for efficiency |
High | Establish New Path Cache | OPT.PHP.EstablishNewPathCache | EstablishNewPathCache: Set a new path for the cache |
High | Fav Icon In Web Directory | OPT.PHP.FavIconInWebDirectory | FavIconInWebDirectory: Use favicon in the web application |
High | Few Action Methods In Controller | OPT.PHP.FewActionMethodsInController | FewActionMethodsInController: Use a controller by specific concept |
High | Get Action Should Not Modify Resources | OPT.PHP.GetActionShouldNotModifyResources | GetActionShouldNotModifyResources: Use GET method only to get information |
High | Include Require Without Parentheses | OPT.PHP.IncludeRequireWithoutParentheses | IncludeRequireWithoutParentheses: Do not use include and its variants with parentheses |
High | Keywords Case | OPT.PHP.KeywordsCase | KeywordsCase: Write PHP keywords in lower-case |
High | Many Cases | OPT.PHP.ManyCases | ManyCases: Avoid too many choices in switch structures |
High | Max Methods | OPT.PHP.MaxMethods | MaxMethods: Maximum allowed number of methods |
High | Missing Authorization | OPT.PHP.MissingAuthorization | MissingAuthorization: Inadequate authorization check to access a resource or perform an action |
High | No Update Loop Vars In For Body | OPT.PHP.NoUpdateLoopVarsInForBody | NoUpdateLoopVarsInForBody: Do not update control vars in 'for' loop body |
High | No Use Flush In Loop | OPT.PHP.NoUseFlushInLoop | NoUseFlushInLoop: Avoid calling to the flush() method within a loop |
High | No Use Data Base Functions Specific Provider | OPT.PHP.NoUseDataBaseFunctionsSpecificProvider | NoUseDataBaseFunctionsSpecificProvider: Avoid use specific functions of a database provider |
High | No Use PHP Response Functions | OPT.PHP.NoUsePHPResponseFunctions | NoUsePHPResponseFunctions: Avoid using php response functions |
High | No Use PHP Session Functions | OPT.PHP.NoUsePHPSessionFunctions | NoUsePHPSessionFunctions: Do not use PHP session functions |
High | No Use PHP Super Global | OPT.PHP.NoUsePHPSuperGlobal | NoUsePHPSuperGlobal: Use Request Object instead of super-global variables PHP |
High | Numerically Indexed Arrays | OPT.PHP.NumericallyIndexedArrays | NumericallyIndexedArrays: Negative numbers are not permitted as indices |
High | Php Tags | OPT.PHP.PhpTags | PhpTags: Do not use the short form for the PHP opening tag |
High | Public Method Only Actions | OPT.PHP.PublicMethodOnlyActions | PublicMethodOnlyActions: In controllers can only be public the "Action" methods |
High | Rethrowing Exceptions | OPT.PHP.RethrowingExceptions | RethrowingExceptions: When rethrowing, the original exception must be wrapped inside the one being thrown |
High | Return Value Ignored | OPT.PHP.ReturnValueIgnored | ReturnValueIgnored: Function call return value ignored |
High | Robots Txt In Web Directory | OPT.PHP.RobotsTxtInWebDirectory | RobotsTxtInWebDirectory: Use robots.txt in the web application |
High | Routes Should Reference Existing Actions | OPT.PHP.RoutesShouldReferenceExistingActions | RoutesShouldReferenceExistingActions: Avoid routes that reference a non-existant actions |
High | Cookies In Security Decision | OPT.PHP.SEC.CookiesInSecurityDecision | CookiesInSecurityDecision: Reliance on Cookies without Validation and Integrity Checking in a Security Decision |
High | User Controlled SQL Primary Key | OPT.PHP.SEC.UserControlledSQLPrimaryKey | UserControlledSQLPrimaryKey: Avoid using an user controlled Primary Key into a query. |
High | Should Not Throw Access Denied Http Exception | OPT.PHP.ShouldNotThrowAccessDeniedHttpException | ShouldNotThrowAccessDeniedHttpException: Avoid throwing AccessDeniedHttpException |
High | Smart Substring Matching | OPT.PHP.SmartSubstringMatching | SmartSubstringMatching: Smart substring matching |
High | Too Many Break Or Continue In Loop | OPT.PHP.TooManyBreakOrContinueInLoop | TooManyBreakOrContinueInLoop: Avoid using more than one break or continue statement in each loop |
High | Throwing Exception | OPT.PHP.ThrowingException | ThrowingException: Avoid throwing exception base classes |
High | Unused Function Parameter | OPT.PHP.UnusedFunctionParameter | UnusedFunctionParameter: Avoid unused function parameters |
High | Unused Local Var | OPT.PHP.UnusedLocalVar | UnusedLocalVar: Avoid unused local variables |
High | Unused Private Field | OPT.PHP.UnusedPrivateField | UnusedPrivateField: Avoid unused private fields |
High | Unused Private Method | OPT.PHP.UnusedPrivateMethod | UnusedPrivateMethod: Avoid unused private methods |
High | Use Redirect After Posting Data | OPT.PHP.UseRedirectAfterPostingData | UseRedirectAfterPostingData: Is recommended to use redirect after doing a POST |
High | Avoid Inject Request Service | OPT.PHP.AvoidInjectRequestService | AvoidInjectRequestService: Avoid injecting the service request |
High | Do Not Debug In Twig Templates | OPT.PHP.DoNotDebugInTwigTemplates | DoNotDebugInTwigTemplates: Avoid using debug tag in Twig templates |
High | Http To Send Data | OPT.PHP.HttpToSendData | HttpToSendData: Avoid using HTTP instead of HTTPS |
High | Information Exposure Through Error Message | OPT.PHP.InformationExposureThroughErrorMessage | InformationExposureThroughErrorMessage: Avoid sensitive information exposure through error messages |
High | Password Management | OPT.PHP.PasswordManagement | PasswordManagement: Use of empty or hardcoded password, or storing password in comments |
High | Hardcoded Crypto Key | OPT.PHP.HardcodedCryptoKey | HardcodedCryptoKey: Use of Hard-coded Cryptographic Key |
High | Hardcoded Salt | OPT.PHP.HardcodedSalt | HardcodedSalt: Use of hardcoded salt |
High | Insecure Randomness | OPT.PHP.InsecureRandomness | InsecureRandomness: Standard pseudo-random number generators cannot withstand cryptographic attacks |
High | Missing Encryption Of Sensitive Data | OPT.PHP.MissingEncryptionOfSensitiveData | MissingEncryptionOfSensitiveData: Encrypt sensitive data before transmission or storage |
High | Insufficient Key Size Rule | OPT.PHP.SEC.InsufficientKeySizeRule | InsufficientKeySizeRule: Weak cryptography, insufficient key length |
High | Weak Cryptographic Hash | OPT.PHP.WeakCryptographicHash | WeakCryptographicHash: Weak cryptographic hash |
High | Weak Encryption Algorithm | OPT.PHP.WeakEncryptionAlgorithm | WeakEncryptionAlgorithm: Weak symmetric encryption algorithm |
Info | Log Forging | OPT.PHP.LogForging | LogForging: Improper Output Neutralization for Logs |
Info | Change Default Favicon | OPT.PHP.ChangeDefaultFavicon | ChangeDefaultFavicon: Replace the default favicon.ico icon |
Info | Line Length | OPT.PHP.LineLength | LineLength: Lines should not exceed a maximum size |
Info | Methods Name Convention | OPT.PHP.MethodsNameConvention | MethodsNameConvention: Function / method names should comply with the naming convention |
Info | Php Comments Rule | OPT.PHP.PhpCommentsRule | PhpCommentsRule: Code must be commented according to comments standard |
Info | Variable Substitution | OPT.PHP.VariableSubstitution | VariableSubstitution: Avoid using ${...} style for variable substitutions |
Info | Avoid Using Request | OPT.PHP.AvoidUsingRequest | AvoidUsingRequest: Using $_REQUEST is strongly discouraged |
Low | Do Not Use Default Session Cookies Name | OPT.PHP.DoNotUseDefaultSessionCookiesName | DoNotUseDefaultSessionCookiesName: Do not use the default session cookie's name |
Low | Avoid Complex Methods | OPT.PHP.AvoidComplexMethods | AvoidComplexMethods: Avoid too long methods |
Low | Avoid Functions In Loops | OPT.PHP.AvoidFunctionsInLoops | AvoidFunctionsInLoops: Avoid calling functions from evaluation or update part of the loops |
Low | Avoid Many Variables In Twig | OPT.PHP.AvoidManyVariablesInTwig | AvoidManyVariablesInTwig: Avoid return too many variables to a Twig template |
Low | Avoid Special Comment | OPT.PHP.AvoidSpecialComment | AvoidSpecialComment: Avoid using comments to indicate parts of code that need to be revised |
Low | Avoid Too Long Twig Templates | OPT.PHP.AvoidTooLongTwigTemplates | AvoidTooLongTwigTemplates: Too long Twig templates make code harder to understand and maintain |
Low | Avoid Var Name Prefix Is | OPT.PHP.AvoidVarNamePrefixIs | AvoidVarNamePrefixIs: PHP variables should not have the prefix "is" |
Low | Class Format PSR-0 | OPT.PHP.ClassFormatPSR0 | ClassFormatPSR0: PHP classes must have name and namespace compliant with PSR-0 (autoloading) standard |
Low | Closing Php Tag | OPT.PHP.ClosingPhpTag | ClosingPhpTag: Omit closing tag in files with only php code |
Low | Constants Name Convention | OPT.PHP.ConstantsNameConvention | ConstantsNameConvention: Constant names should comply with the naming convention |
Low | Customize Error Pages | OPT.PHP.CustomizeErrorPages | CustomizeErrorPages: Customize Symfony error pages |
Low | Declarations Without Side Effects | OPT.PHP.DeclarationsWithoutSideEffects | DeclarationsWithoutSideEffects: PHP files declaring global symbols (functions, classes) should not have side effects |
Low | Dependency Injection Container | OPT.PHP.DependencyInjectionContainer | DependencyInjectionContainer: Hide dependencies between services |
Low | Else In Else If Statement | OPT.PHP.ElseInElseIfStatement | ElseInElseIfStatement: Else if statements should finish with an else clause |
Low | Empty Boot Method In Bundle | OPT.PHP.EmptyBootMethodInBundle | EmptyBootMethodInBundle: The boot() method of all bundles must be empty |
Low | Exception Extension | OPT.PHP.ExceptionExtension | ExceptionExtension: Properly custom classes that extend from Exception class |
Low | Modifiers Order | OPT.PHP.ModifiersOrder | ModifiersOrder: Abstract, final and static modifiers declaration order |
Low | Names Suffix Conventions | OPT.PHP.NamesSuffixConventions | NamesSuffixConventions: Comply with the naming conventions for interfaces, traits and exception classes |
Low | Not Mix End Of Lines | OPT.PHP.NotMixEndOfLines | NotMixEndOfLines: The files must have a only newline format |
Low | No Use Debug Statements | OPT.PHP.NoUseDebugStatements | NoUseDebugStatements: No use debug statement in production |
Low | Organize Forms In Categories | OPT.PHP.OrganizeFormsInCategories | OrganizeFormsInCategories: Forms directory must be structured |
Low | Improper Validation Of Array Index | OPT.PHP.SEC.ImproperValidationOfArrayIndex | ImproperValidationOfArrayIndex: Array index coming from a non neutralized vulnerable input |
Low | Specify The Allowed Methods For The Routes | OPT.PHP.SpecifyTheAllowedMethodsForTheRoutes | SpecifyTheAllowedMethodsForTheRoutes: Specify the allowed methods for each route |
Low | String Concatenation | OPT.PHP.StringConcatenation | StringConcatenation: Add an space before and after '.' operator. In multiple line concatenating statements, pad each line to align '.' operator under ' {} |
Low | Text Files End Properly | OPT.PHP.TextFilesEndProperly | TextFilesEndProperly: The files must end with newline character |
Low | Type Hint Object Arguments | OPT.PHP.TypeHintObjectArguments | TypeHintObjectArguments: Specify argument's type of each method |
Low | Use Strict Comparisons | OPT.PHP.UseStrictComparisons | UseStrictComparisons: Use strict comparisons |
Low | Variable As String | OPT.PHP.VariableAsString | VariableAsString: Use of a string created just from a variable |
Medium | Avoid Contain Config File | OPT.PHP.AvoidContainConfigFile | AvoidContainConfigFile: config.php should be removed before the project goes into production |
Medium | Plaintext Storage In A Cookie Rule | OPT.PHP.SEC.PlaintextStorageInACookieRule | PlaintextStorageInACookieRule: Cleartext Storage of Sensitive Information in a Cookie |
Medium | Cross Site History Manipulation | OPT.PHP.SEC.CrossSiteHistoryManipulation | CrossSiteHistoryManipulation: Cross-Site History Manipulation (XSHM) |
Medium | Format String Injection Rule | OPT.PHP.SEC.FormatStringInjectionRule | FormatStringInjectionRule: Exclude unsanitized user input from format strings |
Medium | Serialization Injection | OPT.PHP.SerializationInjection | SerializationInjection: Deserialization of untrusted data |
Medium | Avoid Concat In Echo | OPT.PHP.AvoidConcatInEcho | AvoidConcatInEcho: Avoid concatenations in echo statement |
Medium | Use Switch Instead Of If Else If | OPT.PHP.UseSwitchInsteadOfIfElseIf | UseSwitchInsteadOfIfElseIf: Avoid using if-elseif-else chains |
Medium | Avoid Large Classes | OPT.PHP.AvoidLargeClasses | AvoidLargeClasses: Avoid classes with too many lines of code |
Medium | Avoid Large Methods | OPT.PHP.AvoidLargeMethods | AvoidLargeMethods: Avoid functions and methods with too many lines of code |
Medium | Avoid Magic Numbers | OPT.PHP.AvoidMagicNumbers | AvoidMagicNumbers: Avoid literals in method calls. Named constants make source code easier to understand and maintain |
Medium | Avoid Pass Entity Manager As Argument | OPT.PHP.AvoidPassEntityManagerAsArgument | AvoidPassEntityManagerAsArgument: Avoid passing as arguments the entity manager |
Medium | Avoid Unecessary Replacements In Loops | OPT.PHP.AvoidUnecessaryReplacementsInLoops | AvoidUnecessaryReplacementsInLoops: Avoid unnecessary string replacements in loops |
Medium | Avoid Unreachable Code | OPT.PHP.AvoidUnreachableCode | AvoidUnreachableCode: Avoid implementing code will never be executed |
Medium | Check Field Number In Class | OPT.PHP.CheckFieldNumberInClass | CheckFieldNumberInClass: Avoid classes with too many fields by class |
Medium | Check Public Methods Number In Class | OPT.PHP.CheckPublicMethodsNumberInClass | CheckPublicMethodsNumberInClass: Avoid classes with too many methods |
Medium | Close Opened Database Connections | OPT.PHP.CloseOpenedDatabaseConnections | CloseOpenedDatabaseConnections: Close non-persistent connections as soon as they are no longer required |
Medium | Counter Functions In Loops | OPT.PHP.CounterFunctionsInLoops | CounterFunctionsInLoops: Do not use counter functions in loop expressions |
Medium | Exceptions Disable In Production | OPT.PHP.ExceptionsDisableInProduction | ExceptionsDisableInProduction: Disable exceptions when the application is in production |
Medium | Foreach To Loop Through Arrays | OPT.PHP.ForeachToLoopThroughArrays | ForeachToLoopThroughArrays: Use foreach to loop through arrays |
Medium | If Variable To Check Initialization | OPT.PHP.IfVariableToCheckInitialization | IfVariableToCheckInitialization: Do not use if ($var) to check if a variable is initializated |
Medium | MIME Type Detection | OPT.PHP.MIMETypeDetection | MIMETypeDetection: Avoid MIME type detection using 'type' attribute of a file in $_FILES array |
Medium | No Use Deprecated Functions | OPT.PHP.NoUseDeprecatedFunctions | NoUseDeprecatedFunctions: Do not use deprecated functions |
Medium | No Use Magic Constant __DIR__ and __FILE__ | OPT.PHP.NoUseMagicConstant__DIR__and__FILE__ | NoUseMagicConstant__DIR__and__FILE__: Avoid using of the magic constants (__FILE__ and __DIR__) |
Medium | Num Max Class By Namespace | OPT.PHP.NumMaxClassByNamespace | NumMaxClassByNamespace: Avoid an excessive number of classes per package/namespace |
Medium | Return Value Without Parentheses | OPT.PHP.ReturnValueWithoutParentheses | ReturnValueWithoutParentheses: The return value must not be enclosed in parentheses |
Medium | Execution After Redirect | OPT.PHP.SEC.ExecutionAfterRedirect | ExecutionAfterRedirect: Execution After Redirect (EAR) |
Medium | Potential Infinite Loop | OPT.PHP.SEC.PotentialInfiniteLoop | PotentialInfiniteLoop: Loop with Unreachable Exit Condition ('Infinite Loop') |
Medium | Unchecked Input In Loop Condition | OPT.PHP.SEC.UncheckedInputInLoopCondition | UncheckedInputInLoopCondition: Unchecked input in loop condition |
Medium | Set For Attibutes With Get | OPT.PHP.SetForAttibutesWithGet | SetForAttibutesWithGet: Create '__set' method when exists '__get' method |
Medium | Single Line Comments | OPT.PHP.SingleLineComments | SingleLineComments: Do not use inline comments starting with the sharp character |
Medium | String Literals | OPT.PHP.StringLiterals | StringLiterals: Use simple quotes to demarcate string literals, except when containing apostrophes, escaped chars or variable substitutions |
Medium | Unsafe Function | OPT.PHP.UnsafeFunction | UnsafeFunction: Use of Potentially Dangerous Function |
Medium | Use Latest Symfony Version | OPT.PHP.UseLatestSymfonyVersion | UseLatestSymfonyVersion: Use latest stable Symfony version |
Medium | Use Maintained Symfony Version | OPT.PHP.UseMaintainedSymfonyVersion | UseMaintainedSymfonyVersion: Use maintained Symfony versions |
Medium | Use Relative Path | OPT.PHP.UseRelativePath | UseRelativePath: Using relative paths to access resources |
Medium | Variable Initialization | OPT.PHP.VariableInitialization | VariableInitialization: Variable initialization |
Medium | Privacy Violation | OPT.PHP.PrivacyViolation | PrivacyViolation: Exposure of Private Information |
Medium | Autocomplete On For Sensitive Fields | OPT.PHP.SEC.AutocompleteOnForSensitiveFields | AutocompleteOnForSensitiveFields: Autocomplete enabled for sensitive form fields |
Medium | Plaintext Storage Of Password | OPT.PHP.SEC.PlaintextStorageOfPassword | PlaintextStorageOfPassword: Plaintext Storage of a Password |