Download the PHP package nish/phpstan-safestring-rule without Composer
Package phpstan-safestring-rule
Short Description Extension of PHPStan: Warn about unsafe strings
License MIT
Information about the package phpstan-safestring-rule
PHPStan SafeString Rule Extension
This package is a PHPStan extension that reports unsafe string usage, e.g. calling echo on a string that has not been passed through htmlspecialchars, or running a database query with a dynamically built string instead of a prepared statement.
Notice
This package does not follow PHPStan's "backward compatibility promise". Because it hooks into the core's basic processing, it is not guaranteed to work across PHPStan version differences.
https://phpstan.org/developing-extensions/backward-compatibility-promise
Install
How to use
Add the extension to phpstan.neon.
composer.json is:
Value Object class src/ProductDto.php:
Html Template src/ProductHtml.php:
The result of running phpstan in this case is as follows:
Then a value of plain string type can no longer be passed to echo directly.
safehtml-string is a virtual type; the error can be fixed by adding a helper function that returns it.
src/functions.php:
phpstan.neon:
src/ProductHtml.php:
Run phpstan:
OK, no errors and it's secure!
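The walk-through above, as an added example that is not code from the nish/phpstan-safestring-rule README: a value object, a template that echoes its fields unescaped (the form the rule rejects), an escaping helper, and the template rewritten to pass every dynamic string through that helper. The class and file names follow the page; the helper name h() and the sample product data are assumptions, and the phpstan.neon entry that registers h() as returning the virtual safehtml-string type is an extension-specific setting that is not reproduced here.

```php
<?php
// Added example, not the extension's own code. Assumptions: the helper is
// named h(), and phpstan.neon (not shown) registers h() as returning the
// virtual safehtml-string type so that echo h(...) passes the rule.
declare(strict_types=1);

final class ProductDto
{
    public function __construct(
        public string $name,
        public string $description,
    ) {
    }
}

/**
 * Escaping helper. ENT_QUOTES covers attribute contexts, ENT_SUBSTITUTE
 * replaces invalid UTF-8 instead of returning an empty string.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

final class ProductHtml
{
    /** The form the rule rejects: echo of a non-constant string without escaping. */
    public static function renderUnsafe(ProductDto $p): string
    {
        ob_start();
        echo '<h1>', $p->name, '</h1>';        // $p->name is plain string: rule error
        echo '<p>', $p->description, '</p>';   // same here
        return (string) ob_get_clean();
    }

    /** The form that passes: dynamic strings go through h(); the constant
     *  string literals around them need no conversion (see Tips). */
    public static function renderSafe(ProductDto $p): string
    {
        ob_start();
        echo '<h1>', h($p->name), '</h1>';
        echo '<p>', h($p->description), '</p>';
        return (string) ob_get_clean();
    }
}

// Constructed sample input carrying markup and quotes, as an attacker would supply it.
$product = new ProductDto('Widget<script>alert(1)</script>', 'A "fine" product & more');

// The unsafe renderer passes the <script> element through verbatim; the safe one
// emits it as entity-encoded text that the browser will not execute.
echo ProductHtml::renderUnsafe($product), PHP_EOL;
echo ProductHtml::renderSafe($product), PHP_EOL;
```

Running phpstan with the extension enabled reports the two echo calls in renderUnsafe() and accepts renderSafe(); running the file with php shows why the rule matters, since only the second output is inert in a browser.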
Tips
A constant string type does not need to be converted to safehtml-string.
The following is not an error:
When registering methods instead of functions:
Only one can be specified at a time.
Use safe-string Custom Type
If you have the following database access program, the call to pdo->query() is not secure.
For a class like the following, an error should be reported.
That is achieved by writing the following settings to phpstan.neon.
The 0 is the index of the argument to check.
Run phpstan.
For more control, the safe-string type can be used.
What happens if a safe-string type hint is written on the method?
The error moves to the caller.
If the string is clearly known to be a constant string (or derived from one), no error is raised.
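The database-access case described above, as an added example that is not code from the README: a repository whose unsafe method builds SQL by concatenation and hands it to pdo->query() (the call the rule flags at argument index 0), the same lookup done with a prepared statement, and a method that takes its SQL as a safe-string so that the check moves to the caller. The class name UserRepository, the table layout, the injection payload and the `@param safe-string` docblock form are assumptions; the phpstan.neon entries that register PDO::query argument 0 are extension settings not reproduced here. It runs stand-alone against an in-memory SQLite database.

```php
<?php
// Added example, not the extension's own code. Assumptions: phpstan.neon (not
// shown) registers argument 0 of PDO::query() as requiring a safe string, and
// the safe-string virtual type is written as a docblock @param hint.
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite database with two users.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

final class UserRepository
{
    public function __construct(private PDO $pdo)
    {
    }

    /** Flagged by the rule: argument 0 of pdo->query() is a non-constant string. */
    public function findByNameUnsafe(string $name): array
    {
        $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
        return $this->pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    }

    /** Accepted: the SQL text is a constant string and the value is a bound parameter. */
    public function findByNameSafe(string $name): array
    {
        $stmt = $this->pdo->prepare('SELECT name FROM users WHERE name = :name');
        $stmt->execute([':name' => $name]);
        return $stmt->fetchAll(PDO::FETCH_COLUMN);
    }

    /**
     * With the hint on $sql, the body is accepted and any caller passing a
     * plain (non-constant) string is reported instead.
     *
     * @param safe-string $sql
     */
    public function queryColumn(string $sql): array
    {
        return $this->pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    }
}

$repo = new UserRepository($pdo);

// Constructed injection payload: closes the quoted literal and appends a tautology.
$payload = "x' OR '1'='1";

// The concatenated query matches every row; the prepared statement matches none,
// because the payload is compared as a literal name.
var_dump($repo->findByNameUnsafe($payload));
var_dump($repo->findByNameSafe($payload));

// A constant string satisfies safe-string, so this call is accepted.
var_dump($repo->queryColumn("SELECT name FROM users WHERE role = 'admin'"));

// A string built from input would be reported at this call site, not inside queryColumn():
// $repo->queryColumn("SELECT name FROM users WHERE name = '" . $payload . "'");
```

The prepared-statement variant is the one a practitioner should reach for; the safe-string hint is for the cases where SQL text legitimately has to be assembled elsewhere, and then the rule makes the place that assembles it, rather than the place that executes it, responsible for proving it is safe.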
Tips
Add return type rules, as a service entry in phpstan.neon listing the methods whose return value is treated as safe-string:
    factory: Nish\PHPStan\Rules\SafeStringReturnTypeRule([
        App\Db\Utils::getSafeConditionString,
    ])
    tags: [phpstan.rules.rule]