One for the security, one for the performances, several for the coverage and one new inventory! Exakat 1.9.6 brings a wide range of new analysis and reports : performance with mb_substr(), security without TLS 1.0, better coverage for definitions, and inventory of duplicate literals.

We are evolved to search for meaning but ultimately life has only the Exakat 1.9.6 review.

Avoid mb_substr() in loops

mb_substr() is the multi-byte cousin of substr(). It extracts set of characters from a string, taking into account the encoding. 

substr() works with bytes, so finding the n-th byte is a matter of accessing the n-th position in the string. mbsubstr() works with multibytes strings, and it needs to interpret all chars until the n-th position to start the extraction process. This means that each mbsubstr() call starts its calculations at the beginning of the string, and works its way to the requested position. Each time. 


$size = floor(strlen($string) / 2);
for($i = 0; $i < $size; ++$i) {
    foo(substr($string, $i, 2));

// Very slow upgrade to multibytes
$size = floor(mb_strlen($string) / 2);
for($i = 0; $i < $size; ++$i) {
    foo(mb_substr($string, $i, 2));


To avoid the constant rewind of the string, the solution is to split the string once, and then to loop over the results. Here, pregmatchall is used with the u option, for Unicode, and double dot to catch the actual characters.


$chunks = preg_match_all('/../u', $string);
foreach($chunks as $c) {

// Same as above, with preg_split, for chars only
$chars = preg_split('//u', $str, -1, PREG_SPLIT_NO_EMPTY);


This performance analysis was inspired by Optimization: How I made my PHP code run 100 times faster.

No more SSL nor TLSv1.0

SSL and TLS are cryptographic protocols to secure communication. Roughly, they have evolved from SSL versions 1.0 to 3.0, then evolved from TLS versions 1.0 to 1.3. 

Nowadays the recommended version is TLS version 1.3. All the SSL versions and TLS version 1.0 are now deprecated. TLS version 1.1 will soon also be deprecated. 

PHP supports those protocols in two different places : the transport layer of the file system (with fopen()filegetcontents(), etc.) and the cURL extension, with curl_setopt()

Exakat report all the SSL versions, and TLS 1.0. We’ll add to TLS 1.1 next year. In the meantime, update your code to TLS 1.3.

Better coverage for definitions

Definitions, a.k.a DEFINITION, is an internal link in the graph that links a structure and its usage. For example, it links a function and a functioncall, a method and a method call, a constant definition with a constant usage.

Linking a call with its definition is mostly implicit in PHP, and in the coder’s mind. No need for definitions with variables, and it would be great to be able to do the same for classes or functions (TLTR : just kidding, not possible).

With version 1.9.6, some new links were added to the current collection links : in particular, magic methods are now linked to __call and __callStatic methods, when the object of the method call has itself a definition. This is the case for $this, and type hinted arguments, for example. 

Also, parenthesis that includes an assignation, are now better detected, just like this : 


// calling foo method on class x
(new x)->foo();

// calling foo method on class x, storing object in $object
// This is valid syntax, but also reported as 'Buried assignation'.
($object = new x)->foo();


Duplicate literals inventory

Duplicate literals is a classic of the code : a value is chosen for an array index, a signal name, or a special state. As it is added to the code, it starts as a literal, and then, get spread across the code, by usage and definition. 

When comes the time to upgrade this literal, a problem has arisen : it is not possible to find them all, across the code. And, let alone this, such literal has also been augmented with close and distant cousins. There is indeed hundreds of them scattered across the code. Where to start? 

The duplicate literals inventory is a new inventory that collects literal values of integers, reals and strings. To limit false positive, a parameter was created for this inventory : minDuplicate starts at 15. 

While this seems like a high number, it is a good start. It extracts the most duplicated literals in the code, and gives a first idea of the level of rework needed. From there, it is recommended turning those literals into constants, global or class. This is a long process, with one caveat : such repeated literals are often used in different ways, while moving to constants forces a clarification. 

The Weekly Audits: 2019, Week #38

Exakat includes a ‘weekly’ report: this report is built with a selection of five analyses. This means a short audit report, with few issues to review. This is not a lot to read them, and review them in your code. Everyone in the PHP community can focus on one of the classic coding problems and fix it. Talk about the weekly audit around you: you’ll find programmers facing the same challenges.

To obtain the ‘weekly’ audit, run an audit, and request the ‘Weekly’ report.

# Init the project (skip when it is already done)    
php exakat.phar init -p <yourproject> -R -git 

# Run the project (skip when it is already done)    
php exakat.phar project -p <yourproject> 

# Export the weekly project (every Monday)    
php exakat.phar report -p <yourproject> -format Weekly 

# Open projects/<yourproject>/weekly/index.html in your browser    

Every week, you can find here 5 new analysis to review in your code. In fact, when your code is clean, you can also take a quick look at the upcoming analysis. 

Weekly recommendations for PHP code review : 2019, week 2019-39

Happy PHP Code Reviews 

All the 384 analyzers are presented in the docs, including the royal : Never Used Properties: Properties that are never used.

This is an conatagious bug, with more than 72% of chance to appear. 

You can check all of the Exakat reports at the gallery: exakat gallery.

Download Exakat on, install it with Docker, upgrade it with ‘exakat.phar upgrade -u’ and like us on github.