Exakat 1.3.1 review

Exakat 1.3.1 ships with a new version of the underlying graph database: gremlin server 3.3.3. We've started using its new features, and that includes 4 new analyses and many false positive eliminations. Let's cover the Exakat 1.3.1 review, like no one is watching.

Always check JSON results

Since null is a valid JSON result, it is difficult to validate the result of a call to json_decode(): a null return may be a decoding failure just as well as a legitimately decoded null. The only reliable solution is to systematically call json_last_error() right after every call to json_encode() or json_decode().

Many such calls are checked with a simple !empty() test (or one of its variations): after all, it is rare to submit valid data and end up with a null.

In PHP 7.3, a new JSON_THROW_ON_ERROR flag is available: with it, json_decode() and json_encode() raise an exception when an error is found.

Until then, rely on json_last_error or json_last_error_msg.

<?php

// $incoming is decoded without any error check: a null $data may be a
// syntax error just as well as the valid JSON document 'null'.
$data = json_decode($incoming);

?>

Exakat now reports any call to json_decode() or json_encode() that is not followed by a check. The check is not required when the encoded data is obviously not null, like when a literal array is built right before encoding.
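As an added example (not code from the post or from Exakat), here is the check the analysis expects, in both the json_last_error() form and the PHP 7.3 JSON_THROW_ON_ERROR form. $incoming stands for an assumed untrusted input string, and the sample documents are constructed for the demonstration.

```php
<?php

// Added example, not Exakat's code. $incoming stands for untrusted input
// (a request body, a message from a queue); the sample documents below are
// constructed for the demonstration.

function decodeChecked(string $incoming)
{
    // 'null' is valid JSON and decodes to null, so the return value alone
    // cannot distinguish a decoding failure from a legitimate null.
    $data = json_decode($incoming, true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new UnexpectedValueException('Invalid JSON: ' . json_last_error_msg());
    }
    return $data;
}

function encodeChecked($value): string
{
    // json_encode() returns false on failure (for example on invalid UTF-8
    // or on NAN/INF); an unchecked caller would happily write that false
    // to a file or a socket.
    $json = json_encode($value);
    if ($json === false) {
        throw new UnexpectedValueException('Cannot encode: ' . json_last_error_msg());
    }
    return $json;
}

// PHP 7.3+: let json_decode() throw JsonException instead of checking afterwards.
function decodeThrowing(string $incoming)
{
    return json_decode($incoming, true, 512, JSON_THROW_ON_ERROR);
}

// 'null' is accepted: it is a valid document, not an error.
var_dump(decodeChecked('null'));

// A truncated document is rejected, whereas !empty($data) would have
// treated it exactly like the valid 'null' above.
try {
    decodeChecked('{"user":');
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Invalid UTF-8 cannot be encoded: the check turns a silent false into an error.
try {
    encodeChecked(['name' => "\xB1\x31"]);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Only on 7.3 and later, where the flag and JsonException exist.
if (PHP_VERSION_ID >= 70300) {
    try {
        decodeThrowing('[1, 2');
    } catch (JsonException $e) {
        echo 'JsonException: ', $e->getMessage(), PHP_EOL;
    }
}
```

Note that empty() also rejects values that are perfectly valid results, such as 0, "", "0" or an empty array, so a !empty() test both misses errors and flags good data; json_last_error() is the only signal that tells the two apart. With JSON_THROW_ON_ERROR the exception carries that signal instead, and the global state read by json_last_error() is not updated.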

Read the whole RFC JSON_THROW_ON_ERROR

Use the Blind Var

The blind variables of a loop are the variables that are updated at each iteration. In a foreach ($array as $k => $v) loop, they are $k and $v.

<?php

// $incoming may be the string 'null', which is valid JSON and decodes to a
// legitimate null, so a null result alone does not signal an error.
$data = json_decode($incoming);

?>

It happens that the index is used on the original array to access a value, while the same value is already available in the $v variable. This is slower, more cumbersome and harder to read.

This optimization falls in the realm of micro-optimization; though, since it happens in a loop, the cost is quickly paid many times over, and removing it may finally bring a noticeable speed bump.
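The loop shape the Blind Var analysis is about, as an added example that is not code from the post: the flagged lookup, the corrected loop, and the two cases where the key or a reference is still needed. $prices is constructed sample data.

```php
<?php

// Added example (not from the post): the pattern the Blind Var analysis
// flags, next to the corrected loops. $prices is constructed sample data.

$prices = ['apple' => 1.20, 'pear' => 0.95, 'fig' => 2.50];

// Flagged: $prices[$k] is a second lookup of the value that $v already holds.
$total = 0;
foreach ($prices as $k => $v) {
    $total += $prices[$k];
}

// Preferred: read the blind variable directly.
$total = 0;
foreach ($prices as $k => $v) {
    $total += $v;
}

// The key remains necessary when the original array is written to, because
// $v is a copy: assigning to $v would leave $prices unchanged...
foreach ($prices as $k => $v) {
    $prices[$k] = round($v * 1.1, 2);
}

// ...unless the loop iterates by reference, which removes the lookup as well.
foreach ($prices as &$v) {
    $v = round($v * 1.1, 2);
}
// Drop the reference, or a later loop reusing $v would overwrite the last element.
unset($v);

echo 'Total: ', $total, PHP_EOL;
print_r($prices);
```

The last two loops are the reason the analysis only reports reads through the key: a write such as $prices[$k] = ... is legitimate, and the cleanup there is to iterate by reference rather than to use $v.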

Single Use Variable

Exakat now reports single use variables. Those variables are assigned, then read once and never used again.

<?php

$a = foo(); // $a is assigned once...
echo $a;    // ...read once, and never used again

?>

This is already a much better usage of variables than the infamous variable that is only read, which yields an Undefined variable error, or the variable that is only written, which yields no error but is a waste of memory.

This first example may be simple enough to illustrate the needed cleaning, but some extra aspects have to be taken into consideration. One is the readability of the code: if the hosting expression doesn't grow so much as to become unreadable when the variable is inlined, removing it is a valid move.

<?php

// Inlining $a into the echo would bury a long call inside an even longer
// expression: keeping the variable is the readable choice here.
$a = foo($c[$id + 3], PHP_VERSION_ID >= 70000 ? 'a' : 'b');
echo $object->{$a}(3 + $d, $w[rand(0, 10) + 3]);

?>

It is also valid to keep the variable when it has to be used inside a string, although, depending on the coding convention, the whole string may be converted to a concatenation.

<?php

// Both variables are used once, but inside an interpolated string, where
// a function call cannot be written directly.
$a = foo(); $b = 3;
echo "$a $b";

?>

PHP version recommendation

In the Ambassador report, you'll find a section that suggests a PHP version, based on the features used in the code. New and discontinued features are collected from the code, and displayed with their versions of validity. By intersecting the validity ranges of all of them, it is possible to determine the most suitable PHP version for a piece of code.
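How such an intersection works, as an added illustration that is not Exakat's implementation: every feature contributes a [first valid version, last valid version] range, and the recommendation is the set of versions inside all of them. The version list and the feature ranges are sample data chosen for the demonstration.

```php
<?php

// Added illustration, not Exakat's implementation: deriving a recommended
// PHP version range by intersecting the validity range of every feature
// found in the code. The version list and the feature ranges are sample
// data for the demonstration; null means "no bound on that side".

$versions = ['5.6', '7.0', '7.1', '7.2', '7.3'];

// Each feature maps to [first valid version, last valid version].
$found = [
    'null coalescing operator ??'  => ['7.0', null], // introduced in 7.0
    'short list syntax [$a, $b] =' => ['7.1', null], // introduced in 7.1
    'mcrypt_encrypt()'             => [null, '7.1'], // ext/mcrypt removed in 7.2
];

function recommend(array $found, array $versions): array
{
    $low = 0;
    $high = count($versions) - 1;
    foreach ($found as $feature => $range) {
        list($min, $max) = $range;
        if ($min !== null) {
            $low = max($low, array_search($min, $versions, true));
        }
        if ($max !== null) {
            $high = min($high, array_search($max, $versions, true));
        }
    }
    // An empty result means no single version supports every feature used.
    return $low <= $high ? array_slice($versions, $low, $high - $low + 1) : [];
}

print_r(recommend($found, $versions));

// Adding a 7.3-only feature makes the intersection empty: the code mixes
// something that needs 7.3 with something that disappeared in 7.2.
$found['JSON_THROW_ON_ERROR'] = ['7.3', null];
print_r(recommend($found, $versions));
```

With the sample data, 7.1 is the only version satisfying all three constraints; once the fourth feature is added the function returns an empty array, which is exactly the situation the compatibility report helps resolve.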


While you are at it, you may check the other compatibility report, which finds the incompatible features and helps you upgrade your code to newer PHP versions.

Happy PHP code reviews

All 351 analyzers are presented in the docs, including the scary preg_match_all() Flag analysis. preg_match_all() has an option to configure the structure of the results: either grouped by capturing parenthesis (the default) or by result set.
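The two result layouts side by side, as an added example that is not code from the post; $log is a constructed sample input and the helper functions are hypothetical.

```php
<?php

// Added example (not from the post): the two result layouts of
// preg_match_all(). $log is constructed sample input.

$log = "user=alice ip=10.0.0.1\nuser=bob ip=10.0.0.2\n";
$pattern = '/user=(\w+) ip=([\d.]+)/';

// Default layout (PREG_PATTERN_ORDER): one row per capturing parenthesis.
// $m[0] holds every full match, $m[1] every user, $m[2] every ip.
function pairsByGroup(string $pattern, string $log): array
{
    preg_match_all($pattern, $log, $m);
    $pairs = [];
    foreach ($m[1] as $i => $user) {
        $pairs[] = [$user, $m[2][$i]];
    }
    return $pairs;
}

// PREG_SET_ORDER: one row per match, each with its own full match and groups.
function pairsBySet(string $pattern, string $log): array
{
    preg_match_all($pattern, $log, $m, PREG_SET_ORDER);
    $pairs = [];
    foreach ($m as $match) {
        list(, $user, $ip) = $match;
        $pairs[] = [$user, $ip];
    }
    return $pairs;
}

// Both loops must agree, as long as each reads the layout it was written for.
var_dump(pairsByGroup($pattern, $log) === pairsBySet($pattern, $log));

// The mistake the analysis hunts for: reading the default layout with the
// PREG_SET_ORDER loop. $m[0] is then the list of full matches, not the first
// match's groups, so the code pairs values that do not belong together.
preg_match_all($pattern, $log, $m);
foreach ($m as $row) {
    printf("row with %d entries: %s\n", count($row), implode(' | ', $row));
}
```

The flag matters because nothing fails when the wrong layout is walked: the arrays have the same depth, so the loop runs and silently pairs the wrong values, which is why the analysis flags the flag rather than the loop.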

You can check all of the exakat reports at the gallery: exakat gallery.

Download Exakat on exakat.io, install it with Docker, upgrade it with ‘exakat.phar upgrade -u’ and like us on GitHub.