I've studied some "sniffs" from the "Generic" and "Squiz" coding standards that come with CodeSniffer version 1.3, and learned enough to write a few "custom" sniffs to catch some coding anti-patterns which are specific to a PHP project that I'm working on.
But now my boss wants me to use the tool to identify all the places where the code calls exec(), popen(), passthru(), or uses the backtick operator to run an "external" command, and I've hit a snag dealing with the backticks.
The Generic_Sniffs_PHP_ForbiddenFunctionsSniff class which comes with the CodeSniffer 1.3 distribution makes it essentially trivial to identify any calls to a "dangerous function" like exec(), popen(), and passthru(), so that part is easy.
But I cannot see any references to backtick operators in the "stock" sniffs, nor do I see any mention of the backtick operator in any of the CodeSniffer logic itself - although I may be looking in the wrong place (it took me a while to figure out that "->" is really T_OBJECT_OPERATOR, for example).
So my question is this:
Can I use PHP_CodeSniffer to detect backtick operator usage in PHP code, and if so, how?
This example (with most comments stripped out) works with a few simple test cases - no CodeSniffer changes required!
```php
<?php
class test_Sniffs_Dangerous_BackTickSniff implements PHP_CodeSniffer_Sniff
{
    public $supportedTokenizers = array('PHP');

    public function register()
    {
        // The backtick has no dedicated token in CodeSniffer 1.3: it arrives as T_NONE.
        return array(T_NONE);
    }

    public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr)
    {
        // Generate one error per line that contains backticks, so the opening and
        // closing backtick of a pair on the same line are not reported twice.
        // Keyed by file as well as line: the static array lives for the whole
        // phpcs run, so keying by line alone would silence matches in later files.
        static $reported = array();
        $all_tokens = $phpcsFile->getTokens();
        if ($all_tokens[$stackPtr]['content'] == '`') {
            $key = $phpcsFile->getFilename() . ':' . $all_tokens[$stackPtr]['line'];
            if (!isset($reported[$key])) {
                $reported[$key] = true;
                $phpcsFile->addError('Avoid backticks', $stackPtr);
            }
        }
    }
}
```
As this is what I was after, I'm going to answer my own question. Thanks Corbin, and ircmaxell, for your comments.
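An added variant of the sniff above (not the asker's code) that tracks the opening and closing backtick as a pair, so it goes beyond the per-line version: a command spanning several lines is reported once, and two separate backtick commands on one line are reported twice. It assumes, as the asker's sniff does, that CodeSniffer 1.3 delivers each backtick as a T_NONE token whose content is the backtick character; the `$inside` property and the class name are this example's own.

```php
<?php
// Added example, not from the original answer. Reports one error per
// backtick pair, counting state per file because phpcs reuses one sniff
// instance for every file in a run.
class test_Sniffs_Dangerous_BackTickPairSniff implements PHP_CodeSniffer_Sniff
{
    public $supportedTokenizers = array('PHP');

    // Hypothetical per-file state: filename => true while inside `...`.
    private $inside = array();

    public function register()
    {
        // Assumption (matches the asker's finding): backticks surface as T_NONE.
        return array(T_NONE);
    }

    public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr)
    {
        $tokens = $phpcsFile->getTokens();
        if ($tokens[$stackPtr]['content'] !== '`') {
            return; // some other single-character token mapped to T_NONE
        }

        $file = $phpcsFile->getFilename();
        if (empty($this->inside[$file])) {
            // Opening backtick: flag the shell-out once, where it starts.
            $this->inside[$file] = true;
            $phpcsFile->addError('Avoid backticks; they run an external command', $stackPtr);
        } else {
            // Closing backtick: back outside the command string.
            $this->inside[$file] = false;
        }
    }
}
```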