Let Kody automatically check quality, security and performance in every pull request—cloud or self-hosted, in under 2 minutes.
PHP Code Quality
A practical checklist to review PHP code for quality, security and speed, helping you keep every pull request production ready.
What We Cover in the PHP Analysis
Here’s what this checklist helps you review before approving a pull request.
✅ Code & Design Quality – correctness, clarity, and maintainable PHP/OOP structure
PHP Code Review Checklist
Export this Checklist as Markdown
Use these points as a starting guide to automate code reviews with your agent.
Style & Readability
Files declare strict typing (declare(strict_types=1);) and use <?php only (no short tags).
Names follow conventions: classes PascalCase, methods/variables camelCase, constants UPPER_SNAKE_CASE.
One class per file; single responsibility; functions/methods are short and intention-revealing.
No commented-out/dead code; TODOs tracked in issues (not left in source).
PSR compliance: PSR-1/PSR-12 coding style; PSR-4 autoloading configured.
Consistent formatting enforced via PHP-CS-Fixer or PHP_CodeSniffer (ruleset committed).
Clear namespaces and directory structure; no cyclic dependencies between modules.
Comments explain why, not what; public APIs have PHPDoc for non-obvious behavior/generic types.
No wildcard imports; imports (use) sorted and minimal; fully qualified names avoided in code body.
Avoid magic numbers/strings; extract constants or enums (PHP 8.1+).
Control flow is straightforward: early returns > deep nesting; match used where clearer than chained ifs.
Strings use interpolation carefully; prefer sprintf for complex formatting.
OOP & Language Best Practices
Favor immutability: readonly properties/readonly classes where possible (PHP 8.2+).
Visibility is minimal (private > protected > public); no public mutable state.
Use interfaces to program to contracts; prefer composition over inheritance.
Constructors contain no heavy logic or I/O; use factories/builders for complex setup.
Type safety: scalar/union/intersection types present; return/param types and property types declared.
Nullable types used intentionally; avoid returning null for collections—use [].
enum for closed sets; value objects instead of primitive obsession (e.g., Email, Money).
Exceptions are domain-specific; no using return codes for error conditions.
Collections use SPL or dedicated classes; avoid leaking arrays where richer types help.
Avoid static state/singletons; use DI container (Laravel/Symfony container) for wiring.
Magic methods (__get, __set, __call) avoided unless implementing a clear proxy pattern.
Security
Input validation at trust boundaries; centralize validation (Form Requests in Laravel, Validators in Symfony).
SQL Injection: only parameterized queries/QueryBuilder/ORM; never string-concatenate SQL.
XSS: templates auto-escape by default (Blade/Twig); safely escape when outputting raw HTML; sanitize rich text on input.
CSRF: tokens enabled/validated for state-changing requests; excluded routes justified and documented.
AuthN/Z: password hashing via password_hash() (Argon2id preferred) or framework hashing; role/permission checks on every sensitive action (not just UI).
Session security: secure, HttpOnly, SameSite cookies; session fixation prevention; short TTL for sensitive sessions.
IDOR: server-side ownership checks for resource access; do not trust client-supplied IDs alone.
File upload: strict MIME/extension allow-list; size limits; store outside webroot; randomize filenames; image processing sandboxed.
SSRF: restrict outbound HTTP destinations; disable local/metadata IPs; validate URLs; set allow_url_fopen=0 when possible.
Deserialization: avoid unserialize() on untrusted data; prefer JSON; if unavoidable, allowed classes list enforced.
Command injection: use Symfony\Process with argument arrays; never pass unsanitized shell strings.
CORS & Headers: least-permissive CORS; set HSTS, X-Content-Type-Options, X-Frame-Options/CSP as appropriate.
Secrets: loaded from env/secret store; never committed; rotate regularly; audit use.
Dependencies: composer.lock committed; run security audits (e.g., composer audit, tools like Symfony Security Checker); address CVEs.
Rate limiting & abuse: throttling on auth and expensive endpoints; captcha/challenge where appropriate.
Auditability: sensitive operations logged (non-PII), traceable to user/request.
Performance & Scalability
Composer autoload optimized in prod (composer dump-autoload -o); dev dependencies excluded in production.
Opcache enabled and tuned; preloading considered for hot classes (PHP-FPM).
Avoid N+1 DB queries; eager load relations; use projections/select specific columns.
Pagination/streaming used for large result sets; never load unbounded collections into memory.
Caching strategy defined (Redis/APCu): keys, TTLs, invalidation rules; avoid unbounded cache growth.
Expensive computations/background tasks offloaded to queues; idempotent workers; concurrency tuned.
HTTP clients have connection pools, timeouts, and retries with backoff (idempotent only).
String concatenation in loops avoided; use buffers/implode; minimize temporary allocations.
JSON encode/decode hotspots profiled; avoid double encoding; consider Ext-JSON options judiciously.
Algorithmic complexity reviewed; avoid quadratic behavior on user-supplied list sizes.
PHP-FPM process manager tuned (pm, children, memory); no blocking I/O in request threads when avoidable.
Static asset and HTTP caching (ETag/Last-Modified/Cache-Control) configured at the edge.
Error Handling & Observability
Exceptions used for exceptional cases; no swallow/empty catch; add context when rethrowing.
Consistent domain/application/HTTP exception mapping; error responses don’t leak stack traces.
Try-with-resource equivalents (finally blocks/defer patterns) used to close external resources.
Monolog (or equivalent) for structured logs; include correlation/request ID; log levels appropriate (no info-level spam).
Metrics emitted for key flows (latency, error rate, throughput); health/readiness endpoints present.
Distributed tracing (OpenTelemetry/Jaeger/Zipkin) integrated for external calls and DB.
Timeouts on all I/O; circuit breakers/bulkheads where appropriate; retries bounded with jitter.
Testing & Quality Gates
Unit tests (PHPUnit/Pest) deterministic and fast; meaningful assertions; no mocks of code you don’t own.
Integration tests cover DB, cache, queue, and external HTTP (use Symfony HttpClient test or MockServer).
API/contract tests (OpenAPI validation; Pact for consumer/provider where applicable).
Property-based tests where pure logic benefits; boundary conditions covered.
Regression tests added for fixed prod bugs; fail without the fix.
Static analysis: PHPStan/Psalm at strict level (baseline reviewed, shrinking over time).
Linting: PHP_CodeSniffer/PHPCSFixer enforced in CI; failing gate.
Mutation testing (Infection) on critical modules or security-sensitive code.
Coverage monitored, but quality > %; critical paths and error handling included.
Test data via factories/builders; no shared mutable global state; tests parallelizable.
Maintainability & Architecture
Modules have clear boundaries; domain code not coupled to framework I/O (ports/adapters).
SRP/SoC respected; no God classes/controllers; fat models avoided (or justified).
DTOs vs Entities separated; mapping centralized (e.g., Symfony Serializer, custom mappers).
Configuration via env/parameters; sensible defaults; no env-specific branches in code.
Feature flags for risky changes; dark launches/canaries supported.
ADRs or lightweight design notes accompany non-trivial changes.
Backward compatibility considered for public APIs; deprecation path documented.
Time handled with DateTimeImmutable and UTC in storage; timezone conversion at edges.
Frameworks (Laravel / Symfony)
Laravel
Route model binding and policies/guards enforce authorization consistently.
Eloquent: eager load relations; guard against mass assignment; use casts/value objects; avoid logic in models—use services.
Queues (Horizon): jobs idempotent; visibility timeouts and retries configured; failed job handling in place.
Validation via Form Requests; resources/transformers control API shape; Resource Collections for pagination.
Config cached in prod; APP_DEBUG=false; APP_KEY set and rotated; rate limiting middleware configured.
Symfony
Controllers thin; business logic in services; autowiring explicit for complex graphs.
Validation constraints (Assert*) on DTOs/entities; normalizers/serializers configured explicitly.
Security component: voters/attributes for fine-grained authz; firewalls/access control defined.
Messenger for async/queue with retries/DLQ; transport configuration reviewed.
Config split by env; APP_ENV=prod with cache:warmup; HTTP cache set via Cache component/Reverse proxy.
APIs & Integrations
API contract versioned (path/header); breaking changes gated; OpenAPI/JSON Schema up to date.
Consistent error model (problem+json or equivalent); validation errors structured.
Idempotency keys for POST on non-safe operations; replay protection for webhooks (HMAC + timestamp tolerance).
Pagination, filtering, and sorting standardized; maximum page sizes enforced.
Security: OAuth2/JWT/session strategy documented; scopes/claims validated on every request.
Timeouts, retries (idempotent only), and circuit breakers on all outbound calls; request/response logging with redaction.
Webhooks: signature verification, retry with backoff, deduplication, and DLQ.
GraphQL (if used): N+1 prevented (dataloaders), complexity limits, depth limits.
CI/CD & Runtime
Reproducible builds; composer install --no-dev --prefer-dist --no-interaction --no-progress; lockfile committed.
Static analysis, tests, linters, and security scans run in CI; failing gates block merges.
Container images minimal (distroless/alpine if compatible), non-root user, read-only FS, health checks.
PHP-FPM/Nginx configured with sane limits; realpath_cache, Opcache, and memory tuned.
Env/secrets injected via platform secret store; no secrets in images or repo.
Migrations (Doctrine Migrations/Laravel Migrations) apply automatically with safe rollout/rollback plan.
Blue/green or canary deploys available; rollbacks are fast and documented.
Observability plumbed in prod (logs/metrics/traces); alerts are actionable and tied to SLOs.
Data & Compliance
Schema indexes match query patterns; no full table scans on hot paths; migrations include down/rollback or compensations.
Charset/collation set (utf8mb4); timezone stored in UTC; DECIMAL for money; lengths/constraints enforced.
PII classified; encryption at rest/in transit; field-level encryption where required (e.g., libsodium/defuse/php-encryption).
Data retention and deletion implemented (GDPR/LGPD); right-to-erasure supported; audit trails for access to sensitive data.
Backups automated, encrypted, and tested; RPO/RTO documented; restore drills performed.
Multi-tenancy isolation enforced in every data path (scopes/filters/tenant IDs).
Exports/imports validated and rate-limited; CSV/Excel parsers hardened.
