How to find undefined variables in PHP script

Question

Suppose we have following function in PHP:

public function testSomething()
{
    $name = perform_sql_query("SELECT name FROM table WHERE id = $entity_id;");
    assert($name == "some_name");
}

Query is syntactically correct, but since $entity_id is undefined - query will always search for 'id = 0', which is semantically incorrect.

I would like such functions to fail automatically, when they try to use undefined variable. Is there such mechanism in PHP? Or maybe there is some tool, that can be used to analyze PHP source code to find such cases?

UPDATE Those undefined variables can occur anywhere in project, so correct decision will be to check function arguments in every function.

UPDATE2 Setting error handler helped. Now anytime uninitialized variable is used - exception is thrown.

Answer 1

PHP has several severity levels in script errors. You can set what you want it to consider an error with the function error_reporting() or the php.ini-directive with the same name. This is how you set PHP to report anything which might lead to errors (this can lead to quite a lot of messages, if you are setting it for the first time, but fixing these errors will give you a much more stable application):

# In your php script:
error_reporting(E_ALL | E_STRICT);

# Or in your php.ini:
error_reporting = E_ALL | E_STRICT

Answer 2

If you turn on all warning and notices, evaluating that string should throw you an error message.

Also, it will evaluate to invalid SQL (it will be id= not id=0), so your perform_sql_query should be reporting that also.

Answer 3

Use the isset() function before accesing variables.

Answer 4

I normally check if my values are null within my function. You can use isset() and also if its a empty string using something like below:

public function testSomething()
{    
    if(!empty($entity_id)){
            $name = perform_sql_query("SELECT name FROM table WHERE id = $entity_id;");    
            assert($name == "some_name");
            return true;
    }
    return false;
}

I would also set the error reporting using the below line:

error_reporting(E_ALL | E_STRICT);

Answer 5

• Set error reporting to E_ALL in your php apps by using:

  error_reporting( E_ALL );

Or by setting appropriate values for error_reporting variable in php.ini or .htaccess. This allows you to catch all errors including those related to undefined variables.

• Set up the php error_log in your development environment and inspect it carefully during development stages.

Lastly, for the above mentioned code, include all common sense error handling in the "perform_sql_query" function. Your perform_sql_query function is probably a wrapper over mysql_query function so check for errors generated by mysql_query (and similar) functions.

Answer 6

One issue to consider is that for a live site, you may not want users to see errors and warnings. Some web-host provides an error.log which logs php error. Here's a custom error handler for live sites:

function log_error($no,$msg,$file,$line)
{

    $errorMessage = "Error no $no: $msg in $file at line number $line";

    file_put_contents("errors_paypal.txt",$errorMessage."\n\n",FILE_APPEND); 
}

set_error_handler('log_error');

The great thing about this is that you can format it and dump various info you want.