Useful PHP tools you might not know about yet

PHP short array syntax converter

Is your project still using array() all over the place instead of the new [] short array syntax? Then the php-short-array-syntax-converter command-line script might be for you. The project page makes it clear the script is pretty robust.

The script was successfully tested against code bases with more than 5.000 PHP files.

Here’s an example from within a target directory.

$ find . -name "*.php" -exec php "/path/to/convert.php" -w "{}" \;
6 replacements.
4 replacements.
8 replacements.
No replacements.
90 replacements.
166 replacements.

There’s also a script to revert changes, but you could also use Git for that. Here’s an example if you want to really wipe everything in your repo (changes, new files…) since the last git pull. Beware, this is a destructive operation.

$ git clean -fdx && git reset --hard


While still a work in progress, versionscan is a promising initiative to report back potential known CVE issues with your PHP version.

Here’s an example when everything’s fine.

$ versionscan scan
Executing against version: 7.0.11-1~dotdeb+8.1
| Status | CVE ID | Risk | Summary |

Scan complete
Total checks: 423
Failures: 0

And when you’re indeed checking against a PHP version known to have vulnerabilities, failures are showing up in red (not represented here, though).

$ versionscan scan --sort=risk --php-version=7.0
Executing against version: 7.0
| Status | CVE ID        | Risk | Summary                                                                                              |
| FAIL   | CVE-2015-8617 | 10.0 | Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP... |
| FAIL   | CVE-2016-1904 | 7.5  | Multiple integer overflows in ext/standard/exec.c in PHP 7.x before 7.0.2 allow remote attackers ... |
| FAIL   | CVE-2015-8616 | 7.5  | Use-after-free vulnerability in the Collator::sortWithSortKeys function in ext/intl/collator/coll... |
| FAIL   | CVE-2015-6527 | 7.5  | The php_str_replace_in_subject function in ext/standard/string.c in PHP 7.x before 7.0.0 allows r... |
| FAIL   | CVE-2016-1903 | 6.4  | The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5... |

Scan complete
Total checks: 423
Failures: 5

We’ve passed the --php-version flag, which can be handy if you want to report on CVEs for PHP versions that are not installed on your system. We’ve also used the --sort=risk flag to order CVEs by most to less critical.

versionscan only depends on the Symfony Console and can export to json, xml and html.


PHPLOC is one of my favs for auditing a codebase. It simply measures the size and analyzes the structure of a PHP project.

Example for a Drupal 8.3.x codebase:

$ phploc .
phploc 3.0.1 by Sebastian Bergmann.

Directories                                       2186
Files                                             8903

  Lines of Code (LOC)                          1231394
  Comment Lines of Code (CLOC)                  415248 (33.72%)
  Non-Comment Lines of Code (NCLOC)             816146 (66.28%)
  Logical Lines of Code (LLOC)                  257504 (20.91%)
    Classes                                     224923 (87.35%)
      Average Class Length                          25
        Minimum Class Length                         0
        Maximum Class Length                       619
      Average Method Length                          5
        Minimum Method Length                        0
        Maximum Method Length                      211
    Functions                                     1785 (0.69%)
      Average Function Length                        1
    Not in classes or functions                  30796 (11.96%)

Cyclomatic Complexity
  Average Complexity per LLOC                     0.19
  Average Complexity per Class                    6.48
    Minimum Class Complexity                      1.00
    Maximum Class Complexity                    358.00
  Average Complexity per Method                   2.24
    Minimum Method Complexity                     1.00
    Maximum Method Complexity                   155.00

  Global Accesses                                  787
    Global Constants                               336 (42.69%)
    Global Variables                               294 (37.36%)
    Super-Global Variables                         157 (19.95%)
  Attribute Accesses                             71458
    Non-Static                                   70113 (98.12%)
    Static                                        1345 (1.88%)
  Method Calls                                  202002
    Non-Static                                  182743 (90.47%)
    Static                                       19259 (9.53%)

  Namespaces                                      1944
  Interfaces                                       847
  Traits                                           130
  Classes                                         7955
    Abstract Classes                               446 (5.61%)
    Concrete Classes                              7509 (94.39%)
  Methods                                        42255
      Non-Static Methods                         39434 (93.32%)
      Static Methods                              2821 (6.68%)
      Public Methods                             34176 (80.88%)
      Non-Public Methods                          8079 (19.12%)
  Functions                                       1611
    Named Functions                                671 (41.65%)
    Anonymous Functions                            940 (58.35%)
  Constants                                       1302
    Global Constants                                67 (5.15%)
    Class Constants                               1235 (94.85%)

While this massive output can be turning you off, think about how it can help when you want to, say, port a module/bundle to a new version. PHPLOC will quickly help you evaluate the estimated amount of work needed and even drill down to advanced software engineering data (number of classes, interfaces, --count-tests to count PHPUnit test case classes, etc.). Of course this is only really an estimation as plenty of other factors are to be taken into account (e.g. new APIs, core application code removed/added, etc.)

Here’s an example where we’re quickly auditing Drupal 7 modules - via the prism of non-comment lines of code- to understand the amount of potential work needed to port them to Drupal 8.

$ for i in pathauto metatag panels features; do printf "Size for $i:\t" ; phploc $i/* | grep "Non-Comment Lines of Code (NCLOC)" ; done
Size for pathauto:   Non-Comment Lines of Code (NCLOC)    3066 (70.91%)
Size for metatag:   Non-Comment Lines of Code (NCLOC)    8603 (77.47%)
Size for panels:     Non-Comment Lines of Code (NCLOC)    5567 (73.80%)
Size for features:   Non-Comment Lines of Code (NCLOC)    6079 (80.46%)


You’ve probably seen a good fraction of popular PHP applications are now distributed via PHAR files, e.g. Composer, CodeSniffer, etc.

Box is a tool that can help you create a PHAR file out of a PHP application, and it’s very easy.

On installing the program, it’ll perform a few checks to confirm PHAR files can be created successfully with your PHP setup.

$ curl -LSs | php
Box Installer

Environment Check

"-" indicates success.
"*" indicates error.

 - You have a supported version of PHP (>= 5.3.3).
 - You have the "phar" extension installed.
 - You have a supported version of the "phar" extension.
 - You have the "openssl" extension installed.
 - The "phar.readonly" setting is off.
 - The "detect_unicode" setting is off.
 - The "allow_url_fopen" setting is on.

Everything seems good!


 - Downloading manifest...
 - Reading manifest...
 - Downloading Box v2.7.4...
 - Checking file checksum...
 - Checking if valid Phar...
 - Making Box executable...

Box installed!

The most common scenario is your phar.readonly PHP setting is probably going to be commented out or turned On. To create PHAR files, you need to have it explicitly set to Off.

$ grep "phar.readonly =" /etc/php/7.0/cli/php.ini
phar.readonly = Off

If all is well, then you can create your first PHAR file. There’s a Box Example application to get you started.

$ box build && ls -l box.phar
-rwxr-xr-x. 1 {USER} {GROUP} 1020781 Sep 25 18:24 box.phar

Here you go. You can now easily distribute PHAR files to your users.


September 26, 2016