Mago Laravel Package

carthage-software/mago

Mago is an extremely fast PHP linter, formatter, and static analyzer written in Rust. It brings Rust-inspired speed and reliability to PHP projects with a modern toolchain and great developer experience, plus multiple install options (script, Homebrew, Composer).


Safety rules

This document details the rules available in the Safety category.

| Rule | Code |
| --- | --- |
| No Error Control Operator | no-error-control-operator |
| No Eval | no-eval |
| No FFI | no-ffi |
| No Global | no-global |
| No Request All | no-request-all |
| No Request Variable | no-request-variable |
| No Service State Mutation | no-service-state-mutation |
| No Shell Execute String | no-shell-execute-string |
| No Unsafe Finally | no-unsafe-finally |

no-error-control-operator

Detects the use of the error control operator @.

The error control operator suppresses errors and makes debugging more difficult.

Configuration

| Option | Type | Default |
| --- | --- | --- |
| enabled | boolean | true |
| level | string | "error" |

Examples

Correct code

<?php

try {
    $result = file_get_contents('example.txt');
} catch (Throwable $e) {
    // Handle error
}

Incorrect code

<?php

$result = @file_get_contents('example.txt');
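
By default `file_get_contents` reports failure with a warning and a `false` return rather than an exception, so a `catch` block sees the failure only when warnings are converted to exceptions. The following is an added example (not from Mago's documentation) contrasting `@` with that conversion; the helper name `readFileStrict` and the temporary file name are hypothetical.

```php
<?php

declare(strict_types=1);

/**
 * Reads a file and turns PHP warnings into ErrorException for the duration of the call.
 * Hypothetical helper name; not part of Mago or PHP.
 */
function readFileStrict(string $path): string
{
    set_error_handler(static function (int $severity, string $message, string $file, int $line): bool {
        throw new ErrorException($message, 0, $severity, $file, $line);
    });

    try {
        $contents = file_get_contents($path);
    } finally {
        restore_error_handler(); // always put the previous handler back
    }

    if ($contents === false) {
        throw new RuntimeException("Unable to read {$path}");
    }

    return $contents;
}

// Constructed path that does not exist.
$missing = sys_get_temp_dir() . '/mago-example-missing-' . bin2hex(random_bytes(4)) . '.txt';

// Suppressed: the caller learns only that the result is false.
$silent = @file_get_contents($missing);
var_dump($silent);

// Converted: the exception message carries the reason reported by PHP.
try {
    readFileStrict($missing);
} catch (ErrorException $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}
```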

no-eval

Detects unsafe uses of the eval construct. The eval construct executes arbitrary code, which can be a major security risk if not used carefully.

Configuration

| Option | Type | Default |
| --- | --- | --- |
| enabled | boolean | true |
| level | string | "error" |

Examples

Correct code

<?php

// Safe alternative to eval
$result = json_decode($jsonString);

Incorrect code

<?php

eval('echo "Hello, world!";');

no-ffi

Detects unsafe use of the PHP FFI (Foreign Function Interface) extension.

The FFI extension allows interaction with code written in other languages, such as C, C++, and Rust. This can introduce potential security risks and stability issues if not handled carefully.

If you are confident in your use of FFI and understand the risks, you can disable this rule in your Mago configuration.

Configuration

| Option | Type | Default |
| --- | --- | --- |
| enabled | boolean | true |
| level | string | "error" |

Examples

Correct code

<?php

// Using a safe alternative to FFI
$data = 'some data';
$hash = hash('sha256', $data);

Incorrect code

<?php

use FFI;

$ffi = FFI::cdef("void* malloc(size_t size);");
$ffi->malloc(1024); // Allocate memory but never free it

no-global

Detects the use of the global keyword and the $GLOBALS variable.

The global keyword introduces global state into your function, making it harder to reason about and test.

Configuration

| Option | Type | Default |
| --- | --- | --- |
| enabled | boolean | true |
| level | string | "error" |

Examples

Correct code

<?php

function foo(string $bar): void {
    // ...
}

Incorrect code

<?php

function foo(): void {
    global $bar;
    // ...
}

no-request-all

Detects the use of $request->all() or Request::all() in Laravel applications.

Such calls retrieve all input values, including ones you might not expect or intend to handle. It is recommended to use $request->only([...]) to specify the inputs you need explicitly, ensuring better security and validation.

Requirements

  • Integration: Laravel

Configuration

| Option | Type | Default |
| --- | --- | --- |
| enabled | boolean | true |
| level | string | "warning" |

Examples

Correct code

<?php

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;

class UserController extends Controller
{
    /**
     * Store a new user.
     */
    public function store(Request $request): RedirectResponse
    {
        $data = $request->only(['name', 'email', 'password']);

        // ...
    }
}

Incorrect code

<?php

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;

class UserController extends Controller
{
    /**
     * Store a new user.
     */
    public function store(Request $request): RedirectResponse
    {
        $data = $request->all();

        // ...
    }
}

no-request-variable

Detects the use of the $_REQUEST variable, which is considered unsafe.

Use $_GET, $_POST, or $_COOKIE instead for better clarity.

Configuration

| Option | Type | Default |
| --- | --- | --- |
| enabled | boolean | true |
| level | string | "error" |

Examples

Correct code

<?php

$identifier = $_GET['id'];

Incorrect code

<?php

$identifier = $_REQUEST['id'];

no-service-state-mutation

Detects mutations to $this->property inside service methods.

In worker-mode PHP runtimes (FrankenPHP, RoadRunner, Swoole), services persist across requests. Mutating $this->property in a service method introduces shared mutable state that leaks between requests, leading to subtle and hard-to-reproduce bugs.

Mutations include direct assignment ($this->count = 0), compound assignment ($this->count += 1), increment/decrement ($this->count++, ++$this->count), array append ($this->items[] = $item), and unset($this->cache).

The __construct and reset methods are allowed by default.

Requirements

  • Integration: Symfony

Configuration

| Option | Type | Default |
| --- | --- | --- |
| enabled | boolean | false |
| level | string | "warning" |
| include-namespaces | array | ["App\\"] |
| exclude-namespaces | array | ["App\\Entity\\","App\\DTO\\","App\\ValueObject\\"] |
| allowed-methods | array | ["__construct","reset"] |
| reset-interfaces | array | ["Symfony\\Contracts\\Service\\ResetInterface"] |

Examples

Correct code

<?php

namespace App\Service;

final class InvoiceService
{
    public function __construct(
        private readonly InvoiceRepository $repository,
    ) {}

    public function process(Invoice $invoice): void
    {
        $total = $invoice->getTotal();
        $this->repository->save($invoice);
    }
}

Incorrect code

<?php

namespace App\Service;

final class InvoiceService
{
    private int $processedCount = 0;

    public function process(Invoice $invoice): void
    {
        $this->processedCount++;
    }
}
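
The leak between requests described above, as an added example that is not part of Mago's documentation: a plain loop stands in for the worker runtime, and the class names, `runWorker` and the sample requests are hypothetical.

```php
<?php

declare(strict_types=1);

// Hypothetical service that memoizes per-request data on $this.
final class LeakyTenantResolver
{
    private ?string $tenant = null;

    public function resolve(array $request): string
    {
        if ($this->tenant === null) {
            $this->tenant = $request['tenant']; // direct assignment to $this->property
        }

        return $this->tenant;
    }
}

// Same job with no state on $this: the value is derived from the request each time.
final class StatelessTenantResolver
{
    public function resolve(array $request): string
    {
        return $request['tenant'];
    }
}

/**
 * Simulates a worker: the service is built once, then reused for every request.
 *
 * @param list<array{tenant: string}> $requests constructed sample requests
 * @return list<string> tenant each request was handled as
 */
function runWorker(object $resolver, array $requests): array
{
    $seen = [];
    foreach ($requests as $request) {
        $seen[] = $resolver->resolve($request);
    }

    return $seen;
}

// Constructed input: two consecutive requests from different tenants.
$requests = [['tenant' => 'acme'], ['tenant' => 'globex']];

echo 'leaky:     ', implode(', ', runWorker(new LeakyTenantResolver(), $requests)), PHP_EOL;
echo 'stateless: ', implode(', ', runWorker(new StatelessTenantResolver(), $requests)), PHP_EOL;
```

The leaky resolver handles the second request as the first request's tenant, because the memoized value survives for as long as the worker keeps the instance alive.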

no-shell-execute-string

Detects the use of shell execute strings (`...`) in PHP code.

Configuration

| Option | Type | Default |
| --- | --- | --- |
| enabled | boolean | true |
| level | string | "error" |

Examples

Correct code

<?php

$output = shell_exec('ls -l');

Incorrect code

<?php

$output = `ls -l`;

no-unsafe-finally

Detects control flow statements in finally blocks.

Control flow statements in finally blocks override control flows from try and catch blocks, leading to unexpected behavior.

Configuration

| Option | Type | Default |
| --- | --- | --- |
| enabled | boolean | true |
| level | string | "error" |

Examples

Correct code

<?php

function example(): int {
    try {
        return get_value();
    } finally {
        // no control flow statements
    }
}

Incorrect code

<?php

function example(): int {
    try {
        return get_value();
    } finally {
        return 42; // Unsafe control flow statement in finally block
    }
}
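
What "override" means when the try block throws, as an added example that is not part of Mago's documentation: a `return` in `finally` discards the pending exception, so a failed check looks like success. The functions `assertCanDelete`, `deleteUnsafe` and `deleteSafe` are hypothetical.

```php
<?php

declare(strict_types=1);

// Hypothetical permission check, constructed for this example.
function assertCanDelete(string $role): void
{
    if ($role !== 'admin') {
        throw new RuntimeException('forbidden');
    }
}

// Reported pattern: the return in finally replaces the pending exception.
function deleteUnsafe(string $role, array &$audit): bool
{
    try {
        assertCanDelete($role);
        return true;
    } finally {
        $audit[] = "unsafe: attempt by {$role}";
        return true; // discards the RuntimeException thrown above
    }
}

// Accepted pattern: finally only records the attempt, the exception propagates.
function deleteSafe(string $role, array &$audit): bool
{
    try {
        assertCanDelete($role);
        return true;
    } finally {
        $audit[] = "safe: attempt by {$role}";
    }
}

$audit = [];

var_dump(deleteUnsafe('guest', $audit));

try {
    var_dump(deleteSafe('guest', $audit));
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

print_r($audit);
```

For the `guest` role the first call reports success even though the check threw, while the second surfaces the exception; both `finally` blocks still run and record the attempt.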