How can I catch uses of the PHP backtick operator with PHP_CodeSniffer?
I've studied some "sniffs" from the "Generic" and "Squiz" coding standards that come with CodeSniffer version 1.3, and learned enough to write a few "custom" sniffs to catch some coding anti-patterns which are specific to a PHP project that I'm working on.
But now my boss wants me to use the tool to identify all the places where the code calls exec(), popen(), passthru(), or uses the backtick operator to run an "external" command, and I've hit a snag dealing with the backticks.
The Generic_Sniffs_PHP_ForbiddenFunctionsSniff class which comes with the CodeSniffer 1.3 distribution makes it essentially trivial to identify any calls to a "dangerous function" like exec(), popen(), and passthru(), so that part is easy.
But I cannot see any references to backtick operators in the "stock" sniffs, nor do I see any mention of the backtick operator in any of the CodeSniffer logic itself - although I may be looking in the wrong place (it took me a while to figure out that "->" is really T_OBJECT_OPERATOR, for example).
So my question is this:
Can I use PHP_CodeSniffer to detect backtick operator usage in PHP code, and if so, how?
http://php.net/manual/en/tokens.php
Looks like there's no token for backticks. You should, however, be able to follow the class hierarchy low enough down that you can find a connection point where you can just do strpos or preg_match looking for `. It should mention in the CodeSniffer documentation how to do that, or, like I said, you could follow the Generic_Sniffs_PHP_ForbiddenFunctionsSniff class up to its parent (and up to its parent if necessary) until you find where the actual searching is happening.
Edit: Just looked into the CodeSniffer code, and it appears that it might only support token searching... So it looks like you will have to make a new token.
This example (with most comments stripped out) works with a few simple test cases - no CodeSniffer changes required!
As this is what I was after, I'm going to answer my own question. Thanks Corbin, and ircmaxell, for your comments.
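As an added example (not the sniff from the answer above, whose code is not shown on this page), here is a PHP_CodeSniffer 1.x sniff written in the same style as Generic_Sniffs_PHP_ForbiddenFunctionsSniff. It assumes PHPCS exposes the backtick character as its own T_BACKTICK token and uses a hypothetical standard named MyStandard.

```php
<?php
/**
 * Flags every use of the backtick (shell-execution) operator.
 * Place at MyStandard/Sniffs/PHP/BacktickOperatorSniff.php and run:
 *   phpcs --standard=/path/to/MyStandard file.php
 * "MyStandard" is a placeholder; T_BACKTICK is assumed to be defined by PHPCS.
 */
class MyStandard_Sniffs_PHP_BacktickOperatorSniff implements PHP_CodeSniffer_Sniff
{
    // PHPCS calls process() for every token of this type, so it fires once
    // for the opening backtick and once for the closing one.
    public function register()
    {
        return array(T_BACKTICK);
    }

    public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr)
    {
        // Opening and closing backticks share one token type. Count the
        // backticks before this one: an odd count means this is a closing
        // backtick already reported from its opener, so skip it.
        $before = 0;
        $prev   = $stackPtr;
        while (($prev = $phpcsFile->findPrevious(T_BACKTICK, $prev - 1)) !== false) {
            $before++;
        }
        if ($before % 2 === 1) {
            return;
        }

        // Recover the literal command text for the report. The tokenizer
        // guarantees a closing backtick, but guard against it anyway.
        $close = $phpcsFile->findNext(T_BACKTICK, $stackPtr + 1);
        $cmd   = '?';
        if ($close !== false) {
            $cmd = trim($phpcsFile->getTokensAsString($stackPtr + 1, $close - $stackPtr - 1));
        }

        $error = 'Backtick operator runs an external command (`%s`); '
               . 'route it through a reviewed wrapper that uses escapeshellarg() on every argument';
        $data  = array($cmd);
        $phpcsFile->addError($error, $stackPtr, 'Found', $data);
    }
}
```

Because each pair is reported once at the opening backtick, a file containing `` `ls $dir` `` produces a single error at that line, with the command text in the message so the reviewer can triage it alongside the exec()/popen()/passthru() hits from ForbiddenFunctionsSniff.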