EPIC : Exakat PHP Index of Coding (August 2018)

Exakat PHP Index of coding

Not using @ is the poster child of good practices. It’s also looked upon, as an impossible goal. Did you know that the @ operator is only merely used by 50% of PHP applications ? Same for parenthesis with include and co : don’t use them, like 50% of the developpers. This is how the Exakat PHP Index of coding was born.

Every month, Exakat runs thousands of analysis on half a million lines of PHP code. This is primarily for testing purpose, a kind of torture test that checks the engine run on any kind of code. And it is very useful to ensure all situations are correctly handled.

We also extracted the following stats out of 1700+ projects, analysis by analysis. This way, any issue may be ranked from ‘wide spread’ to ‘very unusual’. In fact, ‘wide spread’ may also be understood as : ‘almost a feature’. May be we can suggest a few of them to wiki.php.net.

Each analysis is ranked below, with its frequency of appearance in code, its progression. If you want to test your own code, just install exakat and run an audit.

is for new analysis, and is for old one.

May 2018	Aug 2018	Name	Rating	Change
1	1	Uses Default Values	94.44 %	-0.22 %
2	2	Used Once Variables (In Scope)	92.05 %	0.58 %
3	5	Should Use Local Class	91.95 %	1.37 %
4	3	Unused Methods	91.59 %	0.53 %
5	7	Overwriting Variable	87.57 %	-0.29 %
6	39	Bail Out Early	85.68 %	22.90 %
7	17	Used Once Variables	85.63 %	11.58 %
8	8	PHP Keywords As Names	84.46 %	2.13 %
9	160	Written Only Variables	84.10 %	57.54 %
10	9	Unresolved Classes	81.35 %	1.06 %
11	10	Property Used In One Method Only	81.04 %	2.23 %
12	100	Empty Blocks	80.99 %	38.81 %
13	12	Unused Classes	80.69 %	2.39 %
14	11	Undefined Classes	79.87 %	1.15 %
15	13	Unitialized Properties	79.62 %	2.52 %
16	15	Relay Function	78.24 %	2.34 %
17	14	Nested Ifthen	77.58 %	0.59 %
18	19	Unused Arguments	76.51 %	3.44 %
19	18	Should Make Ternary	74.83 %	0.87 %
20	20	Useless Parenthesis	74.42 %	1.57 %
21	26	Preprocessable	74.22 %	4.51 %
22	21	Mark Callable	73.81 %	1.83 %
23	22	No Boolean As Default	73.45 %	1.59 %
24	23	Use Named Boolean In Argument Definition	73.30 %	1.69 %
25	30	Long Arguments	72.64 %	3.92 %
26	25	Strict Comparison With Booleans	72.23 %	1.30 %
27	27	Avoid Optional Properties	72.18 %	2.94 %
28	29	Overwritten Literals	71.11 %	2.27 %
29	24	Buried Assignation	70.91 %	-0.16 %
30	44	Assigned Twice	69.38 %	7.98 %
31	28	Property Variable Confusion	69.28 %	0.34 %
32	32	Pre-increment	68.46 %	1.97 %
33	34	Constant Class	68.36 %	2.66 %
34	31	Use Positive Condition	67.90 %	0.05 %
35	16	Locally Unused Property	67.80 %	-7.21 %
36	37	Could Make A Function	67.14 %	3.08 %
37	36	Used Once Property	67.09 %	2.87 %
38	71	Undefined Parent	66.98 %	15.76 %
39	35	No Need For Else	66.07 %	1.48 %
40	73	Property Could Be Local	65.41 %	14.97 %
41	42	Never Used Properties	64.23 %	2.57 %
42	53	Drop Else After Return	64.18 %	6.63 %
43	46	No Class In Global	64.08 %	3.10 %
44	40	Switch To Switch	63.93 %	1.62 %
45	41	Iffectations	63.72 %	1.52 %
46	45	No Class As Typehint	63.42 %	2.28 %
47	56	Empty Function	62.91 %	5.88 %
48	49	Local Globals	61.94 %	3.14 %
49	51	Undefined Interfaces	60.72 %	2.65 %
50	38	Use Class Operator	60.46 %	-2.73 %
51	80	Missing Include	60.21 %	11.50 %
52	55	Dont Change The Blind Var	59.65 %	2.31 %
53	50	Check All Types	59.55 %	1.40 %
54	58	include_once() Usage	59.50 %	3.47 %
55	54	Else If Versus Elseif	58.68 %	1.18 %
56	61	Method Used Below	57.31 %	3.58 %
57	59	No Parenthesis For Language Construct	57.20 %	1.38 %
58	N/A	Check JSON	56.90 %	56.90 %
59	63	Exit() Usage	55.37 %	2.16 %
60	62	@ Operator	55.32 %	1.95 %
61	N/A	Ambiguous Visibilities	54.86 %	54.86 %
62	65	Echo With Concat	54.81 %	2.67 %
63	66	Switch Without Default	54.71 %	2.60 %
64	72	Unresolved Use	53.84 %	3.03 %
65	69	Uncaught Exceptions	53.74 %	2.23 %
66	308	Non Ascii Variables	53.64 %	52.34 %
67	76	Logical To in_array	52.16 %	2.56 %
68	77	Use Instanceof	51.70 %	2.31 %
69	67	Static Loop	51.65 %	0.06 %
70	200	Too Many Local Variables	51.55 %	32.37 %
71	163	Hardcoded Passwords	51.50 %	25.21 %
72	74	Common Alternatives	51.50 %	1.69 %
73	176	Useless Abstract Class	51.34 %	26.93 %
74	84	No Public Access	51.09 %	3.47 %
75	83	Use random_int()	50.89 %	3.01 %
76	78	Several Instructions On The Same Line	50.28 %	1.15 %
77	81	Use === null	50.07 %	1.88 %
78	131	Should Use Coalesce	50.02 %	15.82 %
79	68	Empty Classes	49.36 %	-2.15 %
80	91	Undefined Properties	49.31 %	4.36 %
81	79	Empty Instructions	49.26 %	0.44 %
82	75	Function Subscripting, Old Style	48.75 %	-0.85 %
83	87	Mismatched Ternary Alternatives	48.75 %	2.28 %
84	88	Useless Referenced Argument	48.65 %	2.50 %
85	114	Useless Instructions	48.39 %	11.33 %
86	70	Undefined Functions	48.34 %	-2.99 %
87	90	String May Hold A Variable	48.24 %	2.85 %
88	89	Could Use Short Assignation	48.19 %	2.25 %
89	57	Undefined Constants	47.27 %	-9.23 %
90	N/A	Mismatch Type And Default	47.07 %	47.07 %
91	85	Could Typehint	46.91 %	-0.26 %
92	96	Ambiguous Static	46.66 %	2.96 %
93	94	Use const	46.51 %	2.08 %
94	60	Class Name Case Difference	46.35 %	-9.00 %
95	93	No Substr() One	46.20 %	1.72 %
96	82	Identical Consecutive Expression	46.15 %	-1.78 %
97	204	Strange Name For Variables	45.23 %	26.62 %
98	109	Double Instructions	45.18 %	5.20 %
99	95	Useless Interfaces	45.08 %	1.23 %
100	101	Aliases Usage	44.88 %	2.75 %
101	103	Unused Use	44.47 %	2.71 %
102	99	Should Typecast	43.81 %	1.53 %
103	106	Double Assignation	43.81 %	3.30 %
104	104	Undefined Class Constants	43.65 %	1.94 %
105	102	No array_merge() In Loops	43.55 %	1.77 %
106	108	Repeated print()	42.43 %	2.39 %
107	115	Cast To Boolean	42.33 %	5.38 %
108	117	Forgotten Visibility	41.97 %	5.26 %
109	110	Parent First	41.97 %	1.99 %
110	105	Return True False	41.26 %	0.16 %
111	86	Strpos()-like Comparison	41.11 %	-5.57 %
112	111	Unreachable Code	40.70 %	1.85 %
113	92	Could Be Typehinted Callable	40.14 %	-4.36 %
114	113	Timestamp Difference	39.68 %	2.36 %
115	52	Altering Foreach Without Reference	38.86 %	-18.69 %
116	118	Global Usage	38.51 %	2.29 %
117	N/A	Strpos Too Much	38.15 %	38.15 %
118	119	Useless Check	38.05 %	1.83 %
119	121	Logical Should Use Symbolic Operators	37.79 %	2.09 %
120	140	Unused Private Methods	37.74 %	6.38 %
121	150	Assign Default To Properties	37.44 %	8.75 %
122	124	Could Use self	37.08 %	2.11 %
123	250	Unknown Directive Name	36.93 %	27.06 %
124	123	Modernize Empty With Expression	36.93 %	1.75 %
125	127	Could Use __DIR__	36.88 %	2.31 %
126	122	If With Same Conditions	36.83 %	1.50 %
127	126	Same Conditions In Condition	36.67 %	1.89 %
128	130	Could Be Else	36.62 %	2.39 %
129	N/A	Method Signature Must Be Compatible	36.47 %	36.47 %
130	97	Mixed Concat And Interpolation	36.01 %	-7.40 %
131	112	Unused Functions	35.86 %	-1.82 %
132	137	Don’t Change Incomings	35.86 %	3.40 %
133	128	Unresolved Instanceof	35.65 %	1.14 %
134	138	var_dump()… Usage	35.35 %	3.10 %
135	136	Useless Catch	35.04 %	2.43 %
136	134	Htmlentities Calls	34.99 %	1.70 %
137	144	Too Many Native Calls	34.69 %	4.27 %
138	139	Should Make Alias	34.64 %	3.23 %
139	125	Repeated Regex	34.38 %	-0.55 %
140	135	Wrong Parameter Type	33.92 %	0.68 %
141	107	Class Should Be Final By Ocramius	33.92 %	-6.17 %
142	141	Empty Try Catch	33.82 %	2.72 %
143	142	Unchecked Resources	33.82 %	3.14 %
144	148	Never Used Parameter	33.67 %	4.14 %
145	145	Unconditional Break In Loop	33.41 %	3.20 %
146	43	Could Use Alias	32.80 %	-28.72 %
147	288	Callback Needs Return	32.70 %	28.68 %
148	146	No Choice	32.60 %	2.44 %
149	157	Avoid Using stdClass	32.39 %	5.26 %
150	143	Multiple Type Variable	32.09 %	1.57 %
151	133	No Return Used	31.83 %	-2.32 %
152	149	Multiple Alias Definitions	31.78 %	2.56 %
153	199	Don’t Unset Properties	31.73 %	12.50 %
154	155	Randomly Sorted Arrays	31.12 %	3.82 %
155	129	Unused Constants	31.02 %	-3.42 %
156	147	Unthrown Exception	30.87 %	1.27 %
157	153	Printf Number Of Arguments	30.41 %	2.71 %
158	165	No Hardcoded Hash	30.31 %	4.13 %
159	151	Implicit Global	30.05 %	1.62 %
160	161	No Direct Call To Magic Method	30.05 %	3.54 %
161	N/A	Incompatible Signature Methods	29.69 %	29.69 %
162	154	Make Global A Property	29.49 %	1.89 %
163	N/A	Weak Typing	29.34 %	29.34 %
164	156	Wrong Number Of Arguments	29.19 %	1.96 %
165	N/A	Dont Mix ++	29.13 %	29.13 %
166	158	Eval() Usage	28.88 %	2.07 %
167	159	Multiple Constant Definition	28.83 %	2.12 %
168	166	list() May Omit Variables	28.73 %	2.74 %
169	162	Wrong Optional Parameter	28.62 %	2.12 %
170	168	Static Methods Called From Object	28.37 %	2.80 %
171	167	Sequences In For	28.27 %	2.49 %
172	213	Don’t Echo Error	28.22 %	10.71 %
173	164	Don’t Send This In Constructor	28.17 %	1.88 %
174	152	Only Variable Passed By Reference	27.96 %	0.04 %
175	170	Unused Returned Value	27.15 %	2.12 %
176	175	Useless Constructor	26.84 %	2.38 %
177	171	One Variable String	26.69 %	1.71 %
178	116	Unused Private Properties	26.54 %	-10.31 %
179	169	Objects Don’t Need References	26.49 %	1.14 %
180	182	Incompilable Files	26.18 %	2.77 %
181	180	Dangling Array References	26.03 %	1.78 %
182	174	Implied If	25.92 %	1.25 %
183	181	Should Chain Exception	25.92 %	1.98 %
184	178	Empty Interfaces	25.77 %	1.47 %
185	172	Print And Die	25.77 %	1.05 %
186	185	No Hardcoded Path	25.67 %	2.67 %
187	183	No Direct Usage	25.06 %	1.65 %
188	187	Useless Return	24.19 %	2.19 %
189	188	Undefined static:: Or self::	24.09 %	2.35 %
190	177	Forgotten Interface	23.73 %	-0.59 %
191	186	Useless Global	23.68 %	1.25 %
192	190	Adding Zero	23.58 %	2.73 %
193	192	Useless Casting	22.97 %	2.38 %
194	191	Multiple Index Definition	22.72 %	2.12 %
195	198	Mistaken Concatenation	22.61 %	3.22 %
196	189	Unset In Foreach	22.56 %	1.08 %
197	193	Useless Switch	22.31 %	1.92 %
198	196	Unused Global	21.80 %	1.98 %
199	217	$this Belongs To Classes Or Traits	21.44 %	6.18 %
200	195	Var Keyword	21.34 %	1.48 %
201	N/A	Undefined ::class	21.34 %	21.34 %
202	206	Redefined Default	21.19 %	2.69 %
203	N/A	Cant Instantiate Class	21.03 %	21.03 %
204	194	Forgotten Thrown	20.98 %	0.69 %
205	197	Should Use Prepared Statement	20.83 %	1.23 %
206	203	Avoid get_class()	20.78 %	1.97 %
207	229	eval() Without Try	20.73 %	7.25 %
208	202	No Isset With Empty	20.47 %	1.45 %
209	208	Test Then Cast	20.42 %	2.23 %
210	N/A	Classes/CouldBeAbstractClass	20.42 %	20.42 %
211	209	Logical Mistakes	20.27 %	2.18 %
212	212	No Hardcoded Ip	20.02 %	2.30 %
213	214	Useless Unset	19.91 %	2.45 %
214	207	Deprecated Functions	19.81 %	1.47 %
215	201	Alternative Syntax Consistence	19.61 %	0.53 %
216	184	Mismatched Default Arguments	19.51 %	-3.90 %
217	215	Use Object Api	19.10 %	2.16 %
218	340	Implemented Methods Are Public	19.05 %	19.00 %
219	210	Multiply By One	19.00 %	1.18 %
220	205	Could Be Static	18.79 %	0.24 %
221	216	Non-constant Index In Array	17.37 %	1.48 %
222	219	One Letter Functions	16.76 %	1.71 %
223	220	Foreach Reference Is Not Modified	16.65 %	1.65 %
224	222	Use With Fully Qualified Name	16.35 %	1.93 %
225	223	Should Use Constants	16.35 %	1.93 %
226	218	Non Static Methods Called In A Static	16.30 %	1.14 %
227	179	Use Constant As Arguments	16.04 %	-8.26 %
228	230	Identical Conditions	15.94 %	2.51 %
229	221	Results May Be Missing	15.89 %	1.10 %
230	228	Undefined Trait	15.84 %	2.04 %
231	232	Illegal Name For Method	15.69 %	3.04 %
232	132	Unused Inherited Variable In Closure	15.63 %	-18.55 %
233	225	Forgotten Whitespace	15.38 %	1.17 %
234	233	Unpreprocessed Values	15.23 %	3.00 %
235	211	Unused Interfaces	15.18 %	-2.64 %
236	226	Old Style Constructor	15.07 %	1.16 %
237	240	Strings With Strange Space	14.92 %	3.63 %
238	227	While(List() = Each())	14.26 %	0.46 %
239	241	Dependant Trait	13.70 %	2.57 %
240	238	Redeclared PHP Functions	13.55 %	2.00 %
241	236	Hidden Use Expression	13.55 %	1.79 %
242	235	Indices Are Int Or String	13.24 %	1.12 %
243	239	self, parent, static Outside Class	13.14 %	1.80 %
244	237	Suspicious Comparison	13.14 %	1.38 %
245	242	Catch Overwrite Variable	12.88 %	1.91 %
246	246	Lone Blocks	12.37 %	1.87 %
247	247	Useless Brackets	12.37 %	1.87 %
248	244	Already Parents Interface	12.27 %	1.40 %
249	243	Nested Ternary	12.22 %	1.30 %
250	231	Must Return Methods	12.17 %	-0.68 %
251	248	Identical On Both Sides	12.17 %	1.67 %
252	224	Could Use str_repeat()	11.71 %	-2.51 %
253	245	Or Die	11.36 %	0.64 %
254	249	Phpinfo	11.25 %	1.11 %
255	257	No Real Comparison	11.10 %	2.21 %
256	173	Invalid Regex	11.00 %	-13.72 %
257	251	Overwritten Exceptions	10.95 %	1.18 %
258	253	Wrong fopen() Mode	10.95 %	1.28 %
259	252	Deep Definitions	10.39 %	0.72 %
260	255	Unknown Pcre2 Option	10.39 %	1.14 %
261	256	Avoid Parenthesis	9.98 %	0.84 %
262	258	Redefined Class Constants	9.88 %	1.00 %
263	259	Not Not	9.73 %	1.37 %
264	N/A	Typehinted References	9.32 %	9.32 %
265	262	Multiples Identical Case	8.91 %	1.07 %
266	280	Redefined Private Property	8.66 %	3.86 %
267	234	Assign With And	8.50 %	-3.67 %
268	261	preg_replace With Option e	8.35 %	0.20 %
269	260	Scalar Or Object Property	8.04 %	-0.32 %
270	263	Same Variables Foreach	7.53 %	0.69 %
271	264	No Hardcoded Port	7.38 %	0.64 %
272	273	Class, Interface Or Trait With Identical Names	7.23 %	1.54 %
273	287	Is Actually Zero	7.18 %	2.90 %
274	270	$this Is Not An Array	6.62 %	0.72 %
275	266	Queries In Loops	6.62 %	0.20 %
276	269	Missing Parenthesis	6.62 %	0.51 %
277	275	Missing New ?	6.57 %	0.98 %
278	277	__DIR__ Then Slash	6.52 %	1.19 %
279	265	Use Pathinfo	6.31 %	-0.27 %
280	274	Next Month Trap	6.11 %	0.52 %
281	293	Wrong Range Check	6.01 %	3.24 %
282	282	Instantiating Abstract Class	5.96 %	1.26 %
283	279	$this Is Not For Static Methods	5.90 %	0.78 %
284	N/A	Continue Is For Loop	5.85 %	5.85 %
285	278	Static Methods Can’t Contain $this	5.80 %	0.68 %
286	281	Ambiguous Array Index	5.75 %	1.05 %
287	254	Access Protected Structures	5.55 %	-4.01 %
288	286	Lost References	5.39 %	1.06 %
289	276	Failed Substr Comparison	5.29 %	-0.19 %
290	285	Too Many Finds	5.24 %	0.69 %
291	283	No Magic With Array	5.14 %	0.44 %
292	284	Old Style __autoload()	4.99 %	0.34 %
293	290	Empty Traits	4.89 %	1.18 %
294	296	Strtr Arguments	4.73 %	2.33 %
295	289	Multiple Class Declarations	3.87 %	0.01 %
296	291	Throw Functioncall	3.76 %	0.58 %
297	292	Unused Traits	3.56 %	0.59 %
298	295	Crc32() Might Be Negative	3.05 %	0.39 %
299	298	Implement Is For Interface	2.95 %	0.81 %
300	294	Multiple Alias Definitions Per File	2.95 %	0.29 %
301	271	Mismatched Typehint	2.85 %	-3.05 %
302	N/A	Bad Constants Names	2.80 %	2.80 %
303	297	Only Variable Returned By Reference	2.49 %	0.30 %
304	N/A	Abstract Or Implements	2.49 %	2.49 %
305	268	Too Many Injections	2.44 %	-3.73 %
306	299	Missing Cases In Switch	2.19 %	0.05 %
307	300	Ternary In Concat	2.03 %	0.10 %
308	303	Use System Tmp	1.98 %	0.21 %
309	309	Empty Namespace	1.93 %	0.63 %
310	301	Accessing Private	1.83 %	0.01 %
311	302	error_reporting() With Integers	1.78 %	0.01 %
312	322	Unused Label	1.78 %	1.16 %
313	304	Silently Cast Integer	1.78 %	0.16 %
314	305	Parent, Static Or Self Outside Class	1.68 %	0.17 %
315	307	Foreach Needs Reference Array	1.42 %	0.01 %
316	316	Inclusion Wrong Case	1.42 %	0.54 %
317	306	Classes Mutually Extending Each Other	1.17 %	-0.24 %
318	311	Useless Final	1.17 %	0.02 %
319	313	Should Use SetCookie()	1.17 %	0.18 %
320	312	Constants With Strange Names	1.12 %	0.13 %
321	314	Invalid Constant Name	1.06 %	0.18 %
322	315	No Empty Regex	1.01 %	0.13 %
323	320	__toString() Throws Exception	0.86 %	0.19 %
324	318	Always Positive Comparison	0.81 %	0.08 %
325	317	Throw In Destruct	0.81 %	0.03 %
326	319	Class Function Confusion	0.81 %	0.08 %
327	310	Break Outside Loop	0.71 %	-0.54 %
328	267	Unkown Regex Options	0.71 %	-5.51 %
329	321	Multiple Identical Trait Or Interface	0.66 %	-0.01 %
330	N/A	Can’t Throw Throwable	0.56 %	0.56 %
331	326	Compared Comparison	0.50 %	0.19 %
332	325	No Reference For Ternary	0.45 %	0.09 %
333	324	Throws An Assignement	0.40 %	0.04 %
334	327	No Reference On Left Side	0.40 %	0.09 %
335	N/A	Undefined Variable	0.40 %	0.40 %
336	323	Abstract Static Methods	0.30 %	-0.27 %
337	329	Constants Created Outside Its Namespace	0.20 %	0.05 %
338	331	Can’t Extend Final	0.20 %	0.05 %
339	328	Not A Scalar Type	0.20 %	0.00 %
340	330	Hash Algorithms	0.15 %	0.00 %
341	332	Fully Qualified Constants	0.10 %	0.00 %
342	338	Negative Power	0.10 %	0.05 %
343	339	Strange Name For Constants	0.10 %	0.05 %
344	333	Pathinfo() Returns May Vary	0.10 %	0.00 %
345	344	Possible Infinite Loop	0.10 %	0.10 %
346	335	Concrete Visibility	0.05 %	0.00 %
347	272	No Self Referencing Constant	0.05 %	-5.70 %
348	337	func_get_arg() Modified	0.05 %	0.00 %
349	341	No get_class() With Null	0.05 %	0.00 %
350	334	Foreach On Object	0.05 %	-0.05 %
351	342	Short Open Tags	0.00 %	0.00 %
352	336	Empty List	0.00 %	-0.05 %
353	343	Using $this Outside A Class	0.00 %	0.00 %
354	N/A	Assert Function Is Reserved	0.00 %	0.00 %
355	N/A	Must Call Parent Constructor	0.00 %	0.00 %
356	N/A	Undefined Insteadof	0.00 %	0.00 %

EPIC Methodology

The “Exakat PHP Index of Coding”, aka EPIC, represents how often an static analysis rule reports results when auditing PHP code. The higher the rating, the higher is the probability to report issues. The lower the rating, the rarer are the issues.

This popularity is built by analyzing 1730 Open Source project, with PHP 7.1. Any issue reported by Exakat makes the project count as affected. Only when a project reports no issues, is it counted as error free.

EPIC FAQ

Can I reuse those results in an article or in my code?
Yes. Simply mention ‘https://178.62.231.40’ as the source, and may be the month of publication (Current is 08/2018
Is there a computer-readable version ?
The Exakat PHP Index of Coding is available as JSON .
How does the index handle the false-positives ?
False positives are only human-detectable. Help us reduce the false positive by reporting bugs and informations to remove them.
Why are some rules down to 0 ? Aren’t they useless?
Some analysis require an old version of PHP, while the Index works with more recent versions of PHP (7.1 at the moment). As such, those analysis will dwindle to the bottom of the ranking and disappear.

Want to Keep in touch with us, subscribe to our newsletter !

Code auditing

EPIC : Exakat PHP Index of Coding (August 2018)

Exakat PHP Index of coding

EPIC Methodology

EPIC FAQ

Login